Emotet — Office (OOXML) / .DOC malware analysis

Static analysis result for SHA-256 a23a5e497cee5c70…

MALICIOUS

Office (OOXML) / .DOC

319.1 KB Created: 2020-05-21 17:33:00 UTC Authoring application: Microsoft Office Word 14.0000
MD5: d3b8a74de21fe4a2c1f313b18b5d9251 SHA-1: 903edebb7790b53dccec1b4adfd21f9ed659920e SHA-256: a23a5e497cee5c703a5503ecaf41847813a44b3aabcfb3c55195ac980eb506c7
200 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1204.002 Malicious File

The file is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-10024800-0, indicating it's a known Emotet downloader variant. The presence of a Document_Open macro strongly suggests that the VBA code within the document is executed automatically upon opening. This macro is likely responsible for downloading and executing a secondary payload, a common tactic for Emotet. No specific URLs or further script details were extracted, but the heuristic firings are sufficient to attribute the behavior.

Heuristics 6

  • ClamAV: Doc.Downloader.Emotet-10024800-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10024800-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
f6b45db144160614cd2f4a71353fc452e38aeef644897f0fcf9795b87d3005ac		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 22527 bytes
vbaProject_00.bin
9bd394728c042074158f7e480c38b7be2685bb354242f996a6817fa2fdfa74f5		 vba-project OOXML VBA project: word/vbaProject.bin 127488 bytes
Detection
ClamAV: Doc.Downloader.Emotet-10024800-0
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.