Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 e1a0197a38a161dd…

MALICIOUS

Office (OLE)

Size: 225.2 KB · First seen: 2019-05-31
MD5: 24bcc8c9014610bcf6f2630ed68b8936
SHA-1: 7c3b35ab966ab07a4535fa4b7cb53760d90ab4f9
SHA-256: e1a0197a38a161dd1ffd763227a7233a621c747727e789dbb9460e875b3ad68b
Risk Score: 64

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment · T1204.002 Malicious File

ClamAV identified this file as Doc.Downloader.Emotet-6958933-0, a known downloader family. Although VBA macros could not be extracted due to an unsupported Office format, the detection strongly suggests the file's purpose is to download and execute a secondary payload. The presence of a benign URL does not detract from this assessment.

Heuristics (3)

  • ClamAV: Doc.Downloader.Emotet-6958933-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6958933-0
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (IndexError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)