SOC109 – Emotet Malware Detected (Malicious Word Document Infection)

🧠 Summary

This investigation was triggered by a SOC109 – Emotet Malware Detected alert involving a malicious Microsoft Word document (1word.doc).

Threat intelligence analysis confirmed that the file contains malicious macros associated with Emotet malware. The document was designed to execute hidden code upon opening and establish further malicious activity.

The affected host was immediately contained to prevent further spread.

---

🚨 Alert Overview

• Event ID: 85
• Rule: SOC109 – Emotet Malware Detected
• Severity: Medium
• Source Host: RichardPRD
• Source IP: 172.16.17.45
• User: Richard
• File Name: 1word.doc
• File Hash (SHA256): d34849e1c97f9e615b3a9b800ca1f11ed04a92b1014f55aa0158e3fffc22d78f
• File Size: 188.95 KB
• Action: Cleaned

---

🖥️ Endpoint Information

• Hostname: Rosa
• Operating System: Windows 10 (64-bit)
• Domain: LetsDefend
• Primary User: Rosa
• Containment Status: ✅ Contained

---

🔍 File Analysis

🔎 VirusTotal Results

🖥️ Contacted C2 Addresses

Result	Value
Detection Ratio	50 / 63
Verdict	Malicious

🧬 File Characteristics

• File Type: Microsoft Word Document (.doc)
• Behavior Tags:
  • macros
  • obfuscated
  • auto-open execution
  • WMI calls
  • hidden execution

🧠 Analysis

• High detection ratio confirms known malware sample
• Presence of macros → common Emotet delivery method
• Auto-execution behavior → indicates initial execution trigger

---

🌐 Network Analysis

🦹 Contacted Host Analysis

🕵🏽‍♂️ Log Result

Attribute	Value
Destination IP	209.197.3.8
Port	80
Request URL	vip0x008.map2.ssl.hwcdn.net
Process	Patch.exe

🛡️ Contained Affected Host

🧠 Analysis

• Suspicious outbound connection after infection
• Use of unusual domain structure → possible C2 or payload staging
• Process Patch.exe → not standard Windows process → highly suspicious

---

📊 Behavioral Indicators

Indicator	Status
Malicious File Detected	✅ Confirmed
Macro Execution	✅ Confirmed
Suspicious Process	✅ Patch.exe
External Communication	✅ Confirmed
Known Malware Family	✅ Emotet
Host Compromise	✅ Confirmed

---

🧾 Investigation Steps

1. Reviewed alert metadata and file details
2. Identified suspicious Word document (1word.doc)
3. Analyzed file hash using VirusTotal
4. Confirmed high-confidence malware detection (50/63)
5. Identified macro-based execution behavior
6. Investigated network logs for suspicious connections
7. Observed outbound traffic to suspicious domain/IP
8. Confirmed malicious process execution (Patch.exe)
9. Contained the affected host

---

🚨 Incident Response Actions

• ✅ Host isolated / contained
• ✅ Malicious file identified
• ✅ Threat intelligence correlation completed
• ✅ Network indicators identified
• ✅ Logs preserved for further analysis

---

📌 Final Verdict

Category	Result
Malware Presence	Confirmed
Malware Family	Emotet
Infection Vector	Malicious Word Document (Macro)
Command & Control	Suspected
Host Compromise	Confirmed
Alert Classification	True Positive
Incident Severity	High

---

🧬 MITRE ATT&CK Mapping

Tactic	Technique	Description
Initial Access	T1566.001 – Phishing Attachment	Malicious Word document delivery
Execution	T1204.002 – User Execution	User opened document
Execution	T1059.005 – Command Shell (via macros)	Macro execution
Persistence	T1547 – Boot or Logon Autostart	Potential persistence
Command & Control	T1071.001 – Web Protocols	HTTP communication
Defense Evasion	T1027 – Obfuscated Files	Obfuscated macros
Impact	T1105 – Ingress Tool Transfer	Payload download

---

🏁 Conclusion

This alert represents a confirmed Emotet malware infection delivered via a malicious Word document.

The document leveraged macro-based execution techniques to initiate malicious activity upon opening.

Subsequent behavior included:

• Execution of suspicious processes
• Communication with external infrastructure
• Potential payload delivery

Immediate containment was necessary to prevent:

• Lateral movement
• Credential theft
• Further malware deployment

---