Emotet Office (OLE) / .DOCX malware analysis — malicious · 83a2f7dbf23be7b5

MALICIOUS

Office (OLE) / .DOCX

162.2 KB Created: 2021-01-04 16:15:00 Authoring application: Microsoft Office Word

MD5: 903cf74108e9b545e66d34cb98a1327d SHA-1: 3dc698e297fa2e83ea8f1ac3162b95c4baec02e9 SHA-256: 83a2f7dbf23be7b549535650cf4f6bd0a988809c2921723bd31566e883eeb755

262 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1036 Masquerading

The sample contains a VBA macro that is automatically executed upon opening the document, as indicated by the Document_Open heuristic. The macro uses CreateObject to instantiate a Scripting.FileSystemObject, which is then used to create and write to files on the filesystem. This behavior is characteristic of malware downloaders, and the ClamAV detection name 'Doc.Downloader.EmotetRed02224-9938637-0' strongly suggests the Emotet family. The obfuscated string concatenation for 'Scripting.FileSystemObject' is a common evasion technique.

Heuristics 7

Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
ClamAV: Doc.Downloader.EmotetRed02224-9938637-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.EmotetRed02224-9938637-0
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `b7c08445609ad3b9c2a0766b1423df26453c524cbf6c8eca0da53a1732c00612`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	7252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.