Emotet — Office (OOXML) / .DOCM malware analysis

Static analysis result for SHA-256 10aaca05e9ba57cb…

MALICIOUS

Office (OOXML) / .DOCM

132.0 KB Created: 2021-11-15 15:39:00 UTC Authoring application: Microsoft Office Word 12.0000
MD5: cbf26d9192ed79b5a9abd05019c6e4bf SHA-1: 8c94eefa89ddd99700760ec541e4497fb16b155b SHA-256: 10aaca05e9ba57cbec08ea4fac64500f3774c9e6be1df10e86f4d007e5bba9e5
62 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is detected as a known Emotet downloader variant by ClamAV. The presence of embedded URLs and the DOCM file type strongly suggest a macro-enabled document designed to lure the user into enabling content, which would then likely execute a Visual Basic script to download and run a secondary payload. The specific ClamAV detection name 'Doc.Downloader.EmotetRed112100-9910732-0' further supports this conclusion.

Heuristics 2

  • ClamAV: Doc.Downloader.EmotetRed112100-9910732-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.EmotetRed112100-9910732-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Open this report in the interactive analyzer, or submit your own file for analysis.