Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 d260fd4d90718439…

MALICIOUS

Office (OLE)

71.9 KB Created: 2018-11-07 11:39:00 Authoring application: Microsoft Office Word First seen: 2019-04-18
MD5: cc355a4492e6c5ba77567ab21446e39c SHA-1: 6ba3a65241a012ed4fe1af8a19374435453f9417 SHA-256: d260fd4d90718439e173e8ce737b0f554105a51b030c0f1705a71f693c5f1e6b
150 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

The file was detected as Emotet, a known malware family. The embedded PowerShell command is heavily obfuscated but appears to be designed to download and execute a second-stage payload. The presence of the PowerShell command and the ClamAV detection strongly indicate malicious intent.

Heuristics 5

  • ClamAV: Doc.Dropper.Emotet-6769504-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emotet-6769504-0
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 283 bytes
SHA-256: e61f0cb5d6cd2ecf8bd5ac00dc97c7fa0a66a7c4a3870c88e8dc55cb72334eb6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "vrMFYIKGf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True