Emotet Office (OLE) / .XLSX malware analysis — malicious · 06447f18a06d497d

MALICIOUS

Office (OLE) / .XLSX

121.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: 8f48b64644969e8f6cfad6ca7e2ff9e3 SHA-1: 54b37f28fe462a2dc1a06ec8a004a0ef8df3df51 SHA-256: 06447f18a06d497d3e8e408700ae3bc1421808286ed6d0b80e832a989a8bb2e5

240 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros that trigger on workbook open, indicative of Emotet activity. The macros utilize CreateObject to execute Windows Script Host and attempt to download and execute payloads from multiple URLs. The presence of a Workbook_Open macro and the ClamAV detection strongly suggest a malicious downloader.

Heuristics 6

ClamAV: Xls.Downloader.Emotet-ab81c42b2bd4747e-9951196-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet-ab81c42b2bd4747e-9951196-0
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `faf50200d5a9adeeda00cc1da1bbf8f6abf0317a1e97a58db8ae804ba12ba446`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	13985 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.