Emotet — Office (OOXML) malware analysis

Static analysis result for SHA-256 20cf5c2d8c94d334…

MALICIOUS

Office (OOXML)

Size: 134.3 KB
Created: 2020-01-22 22:09:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-08-25
MD5: fad8048ba57a79c9cc3cd5a0d2f435f9
SHA-1: f7e58f3603766cdeda7efc5a8282c04f090da148
SHA-256: 20cf5c2d8c94d334cb90e78bca0ad64b264eb7b430a9d970aef6b99363895cf9
Risk Score: 262

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-7557856-0, indicating that it is a downloader. The presence of a Document_Open macro and a GetObject call, together with the 'OOXML_VBA' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics, confirms that VBA code executes as soon as the document is opened. This code is designed to download and execute a secondary payload, a common characteristic of Emotet.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-7557856-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7557856-0
  • VBA project inside OOXML [medium, 3 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open macro is present, so VBA code runs automatically when the document is opened.
  • GetObject call [high] OLE_VBA_GETOBJ
    A GetObject call is present, which can be used to obtain a COM object for object execution.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs extracted from this sample are all standard OOXML/Office XML schema namespace URIs found in the document body, not download locations.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 10479 bytes
SHA-256: bcf8525c2e46dbc0e62921bdbff8f11d08f3d63f674eabd83dbac42d8bb64219

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Yincgqfuyapa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Xbhialgbufby.Nsoukxcw
End Sub

Attribute VB_Name = "Wuiciocnrefus"
Attribute VB_Base = "0{0EA6965B-8E4D-4C11-9331-BA5D957BFA48}{29720CA9-9037-453D-9AF0-3A09652F013B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Qbjrvplgiycdm"
Attribute VB_Base = "0{F0423E76-BE8D-41F8-9685-9FA6344FB374}{B72D035B-03D9-4C95-8A3A-99700F54AEC4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Ucmkgoirh"
Attribute VB_Base = "0{C25500E7-8527-467A-A889-A35A8B3442D1}{BFC52146-E655-436F-B046-A066E5427A42}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Cqmtrvwlclv"
Attribute VB_Base = "0{3D12D05E-05C1-455F-A3B8-E6CD5C219C85}{8308753E-9C75-4A51-A285-5689AAD155EC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Wtovhxzhcn"
Attribute VB_Base = "0{0C60FEF5-DE7E-4978-876F-2F5461B12AEB}{3B8573B8-38BD-4FEF-BC43-06451AE59A79}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Qhchhjcvfnvtp"
Attribute VB_Base = "0{C073F11A-83F6-4327-ABBB-90192E2EAE70}{B259DCCD-6A6E-4968-A8CD-ECBF8B94DEA0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Hahtyjbom"
Attribute VB_Base = "0{7DC6A438-5C8D-4B9F-8E74-6A2995EB09CC}{74E0CF44-8143-4C5E-88EE-83EF35C99EDB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Jjwiacawao"
Attribute VB_Base = "0{09FFC13D-3B98-4D8D-8C0E-66C212A53A54}{6EA23842-DA70-4676-9624-5D3766253470}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Vbtxfjyu"
Attribute VB_Base = "0{619AE6A5-0602-4813-87BE-13CE182DA403}{EFF0A252-D170-401F-8D57-D6ED6FEFC37E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Qrguunmo"
Attribute VB_Base = "0{29F27C21-DA5A-43F6-BFC6-A5279D335225}{287970E8-DB86-4FDE-A8B0-B3794226530F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Guzszwmstsg"
Attribute VB_Base = "0{FF645020-FCE8-474A-AA50-886A3E1530F3}{34222380-E94F-4B64-A1DA-9B1DB38FC30C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = Fal
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 97280 bytes
SHA-256: cf16c0cb1a11c0f1ab1699a32975e49f63bcf0950af86863d56591d514a02a5e
Detection: ClamAV: Doc.Downloader.Emotet-7557856-0
Obfuscation or payload: unlikely