EmotetGrey Office (OLE) / .DOCX malware analysis — malicious · df99e658b4622084

MALICIOUS

Office (OLE) / .DOCX

233.8 KB Created: 2020-08-12 11:00:00 Authoring application: Microsoft Office Word

MD5: 1c37126117798cd6ab61fce1f106de16 SHA-1: 6f678014a7ca37d00b06e856e479ca8b2b50bdc8 SHA-256: df99e658b462208410a7ad4c658054dd77d121c42e279f4e9689170a18ac04cb

120 Risk Score

Malware Insights

EmotetGrey · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature 'Doc.Dropper.EmotetGrey1220-9816015-0', strongly suggesting the EmotetGrey family. The presence of VBA macros, specifically a Document_Open macro, indicates an attempt to automatically execute code when the document is opened. This macro likely serves as a dropper, downloading and executing a secondary payload. The embedded URL, though benign in reputation, is noted as being present within the document text.

Heuristics 4

ClamAV: Doc.Dropper.EmotetGrey1220-9816015-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.EmotetGrey1220-9816015-0
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `0f4fc0234c19c90fb05a4b67cd52fb97c5d3e7db77e894713a8696e86ad5c11b`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	371 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.