Win.Trojan.Emotet-6397178-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 579515235699de4c…

MALICIOUS

Office (OLE)

49.0 KB First seen: 2017-10-28
MD5: 7c018b6ced1d4a8d4c7289f52bd17435 SHA-1: 783d911ded13bb9b2ebf3b3ac194d244755a0bdc SHA-256: 579515235699de4c530babb5b0c38084aa14c54731d90cbb60e3ca9227c8af9d
142 Risk Score

Malware Insights

Win.Trojan.Emotet-6397178-0 · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

The file was detected as Win.Trojan.Emotet-6397178-0 by ClamAV. Heuristics indicate a reference to PowerShell and an embedded URL, which are common tactics for Emotet to download and execute further stages. The large slack space in the OLE structure is also a notable anomaly.

Heuristics 4

  • ClamAV: Win.Trojan.Emotet-6397178-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Emotet-6397178-0
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 50,223 bytes but its declared streams total only 4,096 bytes — 46,127 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)