MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1566.001 Spearphishing Attachment
The sample exhibits characteristics of the Emotet family, as indicated by ClamAV detection. It contains obfuscated PowerShell commands that attempt to download and execute a second-stage payload. The primary technique observed is the use of PowerShell for execution, likely initiated via a malicious document attachment.
Heuristics 5
-
ClamAV: Doc.Dropper.Emotet-6769504-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Emotet-6769504-0
-
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Reference to PowerShell high SC_STR_POWERSHELLReference to PowerShell
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Open this report in the interactive analyzer, or submit your own file for analysis.