Emotet Office (OLE) / .DOCX malware analysis — malicious · 5bc9314961b874f0

MALICIOUS

Office (OLE) / .DOCX

132.3 KB Created: 2020-09-29 22:12:00 Authoring application: Microsoft Office Word

MD5: 68c9bf9f80b7461ce6a260b3d1dbac04 SHA-1: 9a097381e06d5909d41c94782c624751ebe9ec02 SHA-256: 5bc9314961b874f09854775cf9f6bce09cc9c8106200074edb961cd544efb675

202 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro that utilizes CreateObject, indicating malicious intent. ClamAV detection confirms this, identifying it as Emotet. The obfuscated VBA script likely downloads and executes a secondary payload, a common Emotet tactic.

Heuristics 6

ClamAV: Doc.Downloader.Emotet-9769437-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-9769437-0
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `46ea4f5c4c1cab321c0ffaa5340d45e7ba78bb5fcec47c12e0336c19b81c43df`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	10333 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.