Verdict: MALICIOUS
Risk Score: 290
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1105 Ingress Tool Transfer
The sample contains heavily obfuscated VBA macros, including an auto-executing loader that uses CreateObject and execution sink functions. This is strongly indicative of a downloader, and the ClamAV detection explicitly identifies it as Emotet. The embedded URLs are likely used to fetch the next stage of the infection.
Heuristics (9)
- ClamAV: Doc.Downloader.Emotet-10019714-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-10019714-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Fake invoice / payment lure [low, SE_INVOICE_LURE]: Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://gabrielle.net/generic-metal-bike/back-end/cambridgeshire (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 170667 bytes | d5634129019b8054ff2e55076da2f1152e47ff4b0ed5b6906ab2f481f8b9a88e |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "I_okU_ACAA4X"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "AB1QAUAk_, 0, 0, MSForms, TextBox"
Attribute VB_Control = "QkBAcAQQBAA, 1, 1, MSForms, TextBox"
Attribute VB_Control = "WX4GXoxCA, 2, 2, MSForms, TextBox"
Attribute VB_Control = "GGAA4QkwGkA, 3, 3, MSForms, TextBox"
Attribute VB_Control = "YAADAU_AQ, 4, 4, MSForms, TextBox"
Attribute VB_Control = "YDUQAXUkC_ZUB, 5, 5, MSForms, TextBox"
Attribute VB_Name = "KCG4QUQ_ABw1C"
Function BA4AAG1C_AB()
On Error Resume Next
... (truncated)