Emotet — Office (OOXML) malware analysis

Static analysis result for SHA-256 dad1b60c001deb55…

MALICIOUS

Office (OOXML)

Size: 132.3 KB
Created: 2020-01-22 15:12:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-06-28
MD5: f726e685988e788c62643a4a25f2aac2
SHA-1: f9bc4228d6f9748fec81109d945784ef37622ce7
SHA-256: dad1b60c001deb55fd561c435e1825db93fd1dc33d40fcf6d99a469e56d0f6e0
Risk Score: 262

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1203 Exploitation for Client Execution (as mapped by the tool; note that a macro document relies on the user enabling content, T1204.002 User Execution: Malicious File, rather than on exploiting a vulnerability, and no exploit is evidenced in this sample)

ClamAV identifies the sample with signature Doc.Dropper.Emotet-7557177-0, i.e. a known Emotet dropper variant. The VBA project auto-executes: the ThisDocument module (VB_Name Cgczwrhlhkkoe) defines Document_open, whose only statement calls Plzcuvcewxetl.Ihbixyifojuw in another module, and the project contains a GetObject call, a pairing typical of Emotet droppers handing off to a second-stage downloader. The target module is not in the truncated preview, and the modules that are shown are UserForms (VB_Base is a form GUID pair) with no visible code, so the decoded source alone does not reveal the download command; every URL extracted from the document body is an OOXML namespace identifier, not a payload location. The download-and-execute intent is therefore inferred from the signature match and the auto-exec/GetObject chain, consistent with Emotet's known behaviour, and dynamic analysis is needed to recover the actual second-stage URLs.

Heuristics (6)

  • ClamAV: Doc.Dropper.Emotet-7557177-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Emotet-7557177-0
  • VBA project inside OOXML (medium, OOXML_VBA, 3 related findings)
    Document contains a VBA project (VBA macros present)
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Auto-executing Document_Open procedure present: the macro runs as soon as the document is opened with macros enabled
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call present in the macro (object retrieval commonly used to reach WMI or shell objects and spawn a process)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents (VBA stomping), where the visible source is missing or does not match what actually executes.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. Every URL below is an OOXML / WordprocessingML XML namespace identifier declared in the document parts (the schemas.microsoft.com and schemas.openxmlformats.org URIs a Word 2016 document carries), not a network indicator: no download or C2 URL was recovered statically from this sample.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
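The OLE_VBA_PCODE_AUTOEXEC_EXEC finding above is the check that still fires when a document's visible source has been removed or replaced (VBA stomping) while the compiled p-code keeps the real behaviour. The Python below is an added example of that comparison, not code from this report or from oletools: it decodes the MS-OVBA compressed source container found at a module's MODULEOFFSET, scans both halves of the module stream for auto-exec and execution tokens, and flags a module whose compiled half shows the chain but whose source does not. The module streams, the token lists and the literal-only compressor are constructed here for the demonstration; real p-code references identifiers by index into the project's identifier table rather than as plain strings, so a production scanner must resolve those names first (pcodedmp does this).

```python
"""Module-stream triage behind the p-code heuristic: decode the MS-OVBA
compressed source and compare it with the compiled half of the stream.
Added example, not code from this report or from oletools; all sample
streams below are constructed for the demonstration."""
import re
import struct

AUTOEXEC_TOKENS = {"document_open", "autoopen", "auto_open", "workbook_open"}
EXEC_TOKENS = {"shell", "getobject", "createobject", "winmgmts", "powershell"}


def decompress_container(buf: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer (MS-OVBA section 2.4.1)."""
    if not buf or buf[0] != 0x01:
        raise ValueError("bad container signature")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(len(buf), pos + (header & 0x0FFF) + 3)  # size counts header
        pos += 2
        if not header & 0x8000:                # uncompressed chunk: 4096 raw bytes
            out.extend(buf[pos:pos + 4096])
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = buf[pos]                   # one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:     # literal byte
                    out.append(buf[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", buf, pos)[0]
                pos += 2
                produced = len(out) - chunk_start
                if produced == 0:
                    raise ValueError("copy token before any literal")
                # offset/length split of a copy token widens as the chunk fills
                bit_count = max((produced - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):        # byte by byte: overlap is legal
                    out.append(out[src + i])
    return bytes(out)


def compress_literals(data: bytes) -> bytes:
    """Valid container using only literal tokens; enough to round-trip text."""
    out = bytearray(b"\x01")
    step = 8 * 455                             # 455 x (flag + 8 literals) = 4095 bytes
    for i in range(0, len(data), step):
        body = bytearray()
        piece = data[i:i + step]
        for j in range(0, len(piece), 8):
            body.append(0x00)                  # all eight tokens are literals
            body.extend(piece[j:j + 8])
        out.extend(struct.pack("<H", 0x8000 | 0x3000 | (len(body) - 1)))
        out.extend(body)
    return bytes(out)


def module_source(stream: bytes, source_offset: int) -> str:
    """MODULEOFFSET (from the dir stream) marks the compressed source; the
    bytes before it are the compiled p-code / performance cache."""
    return decompress_container(stream[source_offset:]).decode("latin-1")


def identifiers(text: str) -> set:
    return {w.lower() for w in re.findall(r"[A-Za-z_][A-Za-z0-9_]*", text)}


def triage_module(stream: bytes, source_offset: int) -> dict:
    src = identifiers(module_source(stream, source_offset))
    compiled = identifiers(stream[:source_offset].decode("latin-1"))
    src_hit = bool(src & AUTOEXEC_TOKENS and src & EXEC_TOKENS)
    pc_hit = bool(compiled & AUTOEXEC_TOKENS and compiled & EXEC_TOKENS)
    return {
        "source_autoexec_exec": src_hit,
        "pcode_autoexec_exec": pc_hit,
        "stomped": pc_hit and not src_hit,     # behaviour only in compiled code
        "verdict": "suspicious" if (src_hit or pc_hit) else "no auto-exec chain",
    }


# Constructed compiled half. Real p-code stores identifier indices into the
# _VBA_PROJECT identifier table; the resolved names stand in for that here.
PCODE_NAMES = b"\x00Document_open\x00GetObject\x00winmgmts\x00Win32_Process\x00"
CONSISTENT_SOURCE = ('Private Sub Document_open()\r\n'
                     'Set o = GetObject("winmgmts:Win32_Process")\r\nEnd Sub\r\n')
STOMPED_SOURCE = 'Sub Hello()\r\nMsgBox "hello"\r\nEnd Sub\r\n'


def make_stream(pcode: bytes, source: str) -> tuple:
    """Return (module stream, MODULEOFFSET): compiled part first, then source."""
    return pcode + compress_literals(source.encode("latin-1")), len(pcode)


CONSISTENT_STREAM, CONSISTENT_OFFSET = make_stream(PCODE_NAMES, CONSISTENT_SOURCE)
STOMPED_STREAM, STOMPED_OFFSET = make_stream(PCODE_NAMES, STOMPED_SOURCE)

if __name__ == "__main__":
    print("consistent:", triage_module(CONSISTENT_STREAM, CONSISTENT_OFFSET))
    print("stomped:   ", triage_module(STOMPED_STREAM, STOMPED_OFFSET))
```

Run directly, it prints the two constructed cases: a module whose source and compiled half agree (the situation in this sample, where Document_open and GetObject are both visible in macros.bas) and a stomped module whose source is a harmless MsgBox while the compiled half still carries Document_open, GetObject and winmgmts. The hand-built container b"\x01\x03\xb0\x02A\x04\x00" (one literal followed by a copy token) exercises the back-reference path the literal-only compressor never emits.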

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10527 bytes
SHA-256: 18f1ff0c3e1448fe368048d4dab4f6fc98a789faf8abc001e432782c4a0f2c93
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Cgczwrhlhkkoe"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Plzcuvcewxetl.Ihbixyifojuw
End Sub

Attribute VB_Name = "Szpxcpgvzvhm"
Attribute VB_Base = "0{6CA09DF2-A485-4598-A215-62DCB8D3366F}{BA167402-DE84-4CDA-9CCE-D929B965876F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Kytjkwvonpovs"
Attribute VB_Base = "0{9B1A991C-6D49-4ED5-AA1F-9CACA8E66DB3}{27C9A0DF-3984-4F00-813E-335F2592531D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Sstktxbya"
Attribute VB_Base = "0{FE1835A3-9E31-47FF-8CE3-2A4DC4DF230B}{F1744F5F-90BD-4592-9E88-1A8CC8655A44}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Oaqxwtwsms"
Attribute VB_Base = "0{B95D81D0-0C42-43E2-9D20-9DB3B756ECE3}{770F4709-D8E2-4F3F-9739-BDF9A3C4E8F0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Meosnpxde"
Attribute VB_Base = "0{BFFDC695-0A13-4B62-AD3F-5BF320CFDF1E}{6A9ADC49-A506-435F-812A-0C81190B5F0A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Dxaijaizsj"
Attribute VB_Base = "0{36B1C958-94CE-45A7-83E5-5FF01D7E443E}{4F800058-5BFC-4E32-A6AA-38C5DF2A29F1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Uxqtvzztl"
Attribute VB_Base = "0{B78BEB4F-6AA3-43DF-B5F4-37F05C8B6352}{37D59B05-EE58-4108-80F9-73F7C68678D5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Ggfeoidwepo"
Attribute VB_Base = "0{ADB51EDE-7FE5-4C05-AEDA-6E8CF4F806D8}{CF05D820-5610-4808-8DB5-5E5957F5FC9A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Vknsdsmvkwtvw"
Attribute VB_Base = "0{5C35D60D-E166-4EA5-80E6-79BAEDF1DDE1}{4E74A604-2D90-4F0C-B7C4-BF8E05AA0E85}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Efgapjuc"
Attribute VB_Base = "0{CBB10D98-CCFE-47F0-A717-CAA0BB63F60B}{5AE49B1A-FCD8-475A-AD84-B86438A8DA37}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Urpmxsgkrxklh"
Attribute VB_Base = "0{4FA1C7E5-30FE-4AB6-B802-C315B875BE86}{7E53A0A7-073B-468A-BBDE-78F5452029BB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDeriv
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 96768 bytes
SHA-256: 5871b20d3d249e4808a6e5c3e6e7ada53b9fc98aeb31914543d9e72d1db62509
Detection: ClamAV Doc.Dropper.Emotet-7557177-0
Obfuscation or payload: unlikely