Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 b55a3645a7a9e324…

MALICIOUS

Office (OLE)

70.1 KB Created: 2018-11-08 16:04:00 Authoring application: Microsoft Office Word First seen: 2019-03-10
MD5: 4e391a2d643c27658da55bbf08b4e3f2 SHA-1: afde4b8ea469214ef3f007ca7bdc349d1de95868 SHA-256: b55a3645a7a9e32453e40a1d80af54da601586452a6bc6faf91b1427a3f1405e
182 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The sample exhibits characteristics of the Emotet family, as indicated by ClamAV detection. It contains obfuscated PowerShell commands that attempt to download and execute a second-stage payload. The primary technique observed is the use of PowerShell for execution, likely initiated via a malicious document attachment.

Heuristics 5

  • ClamAV: Doc.Dropper.Emotet-6769504-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emotet-6769504-0
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)