ID85 - SOC109
Emotet Malware Detected

LetsDefend alert triage practice

Alert Overview

Investigation

Initial Triage: Threat Intel

SHA-256 hash d34849e1c97f9e615b3a9b800ca1f11ed04a92b1014f55aa0158e3fffc22d78f (64 hex characters, so SHA-256 rather than MD5) is flagged as malware/trojan on VirusTotal and is associated with the file 1word.doc.

Code insight reports show the document contains macros focused on string manipulation and object property settings, but no signs of obfuscation, suspicious function calls, or external code execution.

Based on that, the macros are considered benign.

Log Management

No inbound or outbound activity is logged from the host during the alert’s timeframe.

Endpoint Security

No activity was recorded in the alert window.

However, the device action report states the threat was cleaned automatically.

Playbook Execution

Define Threat Indicator

unexpected outgoing internet traffic

Check if the malware is quarantined/cleaned

quarantined

Analyze Malware

malicious

Check If Someone Requested the C2

not accessed

Add Artifacts

Artifact: d34849e1c97f9e615b3a9b800ca1f11ed04a92b1014f55aa0158e3fffc22d78f
Description: malware
Type: hash

Verdict

True Positive
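To make the playbook steps above repeatable, here is an added Python example (not part of the LetsDefend exercise or this writeup) that infers the hash algorithm from the digest length, scans constructed proxy and EDR log lines for the alert's hash and a C2 indicator, and fills in the playbook fields from what it finds. The key=value log format, the field names and the C2 hostname are assumptions.

```python
import re

# Values from the alert; the 64 hex characters identify the digest as SHA-256.
ALERT_HASH = "d34849e1c97f9e615b3a9b800ca1f11ed04a92b1014f55aa0158e3fffc22d78f"
# Assumed C2 indicator (placeholder; the alert does not name one).
C2_HOSTS = {"c2.example.invalid"}
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

def hash_algorithm(digest: str) -> str:
    """Infer the algorithm from a hex digest's length; reject anything else."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest) or len(digest) not in DIGEST_LENGTHS:
        raise ValueError(f"not a recognised hex digest: {digest!r}")
    return DIGEST_LENGTHS[len(digest)]

# Constructed sample telemetry in an assumed key=value format (not real logs).
PROXY_LOG = [
    "ts=2024-01-01T10:00:00Z src=10.0.0.5 host=www.example.com action=allow",
    "ts=2024-01-01T10:05:00Z src=10.0.0.7 host=updates.example.net action=allow",
]
EDR_LOG = [
    "ts=2024-01-01T09:58:00Z host=WS-12 event=file_detected file=1word.doc "
    f"sha256={ALERT_HASH} action=quarantined",
]

def parse_kv(line: str) -> dict:
    """Split a 'k=v k=v ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def c2_accessed(proxy_lines, c2_hosts) -> bool:
    """Playbook step: did any host request a known C2 name?"""
    return any(parse_kv(l).get("host") in c2_hosts for l in proxy_lines)

def quarantine_state(edr_lines, sha256: str) -> str:
    """Playbook step: what did the endpoint agent do with the flagged file?"""
    for line in edr_lines:
        rec = parse_kv(line)
        if rec.get("event") == "file_detected" and rec.get("sha256") == sha256:
            return rec.get("action", "unknown")
    return "not found"

def run_playbook(ti_verdict: str = "malicious") -> dict:
    """Fill the playbook fields from the threat-intel verdict plus sample telemetry."""
    return {
        "hash_algorithm": hash_algorithm(ALERT_HASH),
        "quarantined": quarantine_state(EDR_LOG, ALERT_HASH),
        "malware_analysis": ti_verdict,
        "c2_accessed": c2_accessed(PROXY_LOG, C2_HOSTS),
        "verdict": "True Positive" if ti_verdict == "malicious" else "False Positive",
    }
```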

Analyst Summary Report

Summary of findings

An alert was triggered due to a document file (1word.doc) identified as a trojan on VirusTotal. While static code analysis suggests the embedded macros were benign, the file hash is known to be associated with malware activity.

No related network or endpoint activity was observed during the timeline, and the endpoint agent successfully quarantined the file automatically. No signs of execution or C2 communication were found.

Remediation recommendations
  • Verify user interaction with the file — confirm whether the document was opened, and if so, whether macros were enabled.
  • Conduct a deeper review of similar attachments in the environment to ensure this is not part of a broader phishing campaign.
  • Hunt for similar hashes or filenames in historical telemetry and email attachments.
  • Educate the user if needed on safe handling of macro-enabled documents.
  • No further action is needed unless new related activity surfaces.
