Emotet — Office (OLE) / .DOCX malware analysis

Static analysis result for SHA-256 06920cbb3c08c1a6…

MALICIOUS

Office (OLE) / .DOCX

Size: 278.5 KB
Created: 2019-10-15 08:53:00
Authoring application: Microsoft Office Word
MD5: 4a72fe7059dcf46256faaa2d653ef9a3
SHA-1: 91ceb1659f66b756d7557e1421e27f505feec4f7
SHA-256: 06920cbb3c08c1a61c729482342bb3b773592caa2b92db83771437e19be359c9
Risk score: 270

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The sample contains heavily obfuscated VBA macros with an AutoOpen function, indicative of Emotet. The script attempts to download content from multiple URLs, including http://lenny.biz/invoice/ergonomic-fresh-gloves/bedfordshire, which is consistent with Emotet's behavior of downloading secondary payloads. The presence of invoice-related language in the document body further supports this attack pattern.

Heuristics 8

  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • ClamAV: Doc.Downloader.Emotet-10019714-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10019714-0
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lenny.biz/invoice/ergonomic-fresh-gloves/bedfordshire

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: f21831a0c30e7e292da69b1770f8256b88ff20147cfde403d8359d2c4395fae2
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 59255 bytes