Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 e961d16d0e83e87e…

MALICIOUS

Office (OLE)

Size: 238.8 KB
Created: 2020-08-21 23:32:00
Authoring application: Microsoft Office Word
First seen: 2020-09-07
MD5: 7d0bdfb32036038af67e95d9a0924da4
SHA-1: 84f3ef8782356a5f88b8a9eea4d74e017cfb1166
SHA-256: e961d16d0e83e87ec70b515c5a8e73bc9ab0582eed71bc5c054320c66ecaa837
Risk Score: 62

Malware Insights

Emotet · confidence 85%

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file is identified as a malicious dropper by ClamAV, specifically matching the EmotetGrey signature. While the document body is heavily corrupted and unreadable, the presence of an embedded URL, even one confirmed as benign, combined with the dropper classification, strongly indicates that its purpose is to download and execute a secondary-stage payload. The Emotet family is known to use such dropper functionality.

Heuristics (2)

  • ClamAV: Doc.Dropper.EmotetGrey1220-9816015-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.EmotetGrey1220-9816015-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)