Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 11fe9c7862e9ca69…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.03 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-04-27
MD5: 167a09137b67f07228034453462b56b3
SHA-1: b245e829bf6bfa72ba16170a2606718e088c329a
SHA-256: 11fe9c7862e9ca69b4f0bc796e660305442bcbe09012e4b2212195be474ed6ac
Risk Score: 240

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample contains Excel 4.0 macros that leverage WinAPI functions like CreateDirectoryA. The macros appear to be reassembled from CHAR() and split formulas, indicating a downloader. The ClamAV detection explicitly names Emotet, and the macro's functionality of creating directories and using regsvr32 to execute downloaded payloads aligns with Emotet's typical behavior.

Heuristics (4)

  • Excel 4.0 macro sheet (1 sheet) [severity: critical; rule: OOXML_XLM_MACROSHEET]
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings [severity: critical; rule: OOXML_XLM_BINARY_WINAPI_STRINGS]
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • XLM payload reassembled from CHAR()/split formulas [severity: critical; rule: OOXML_XLM_REASSEMBLED_PAYLOAD]
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
  • ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: emf_00.emf
  SHA-256: 877e4543f89ce8edb4ba9c66218abfc871d4a1c4f42f3f21f1e998a11b32f267
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 6145428 bytes

Filename: xlm_sheet_00.bin
  SHA-256: 7b8101fc2a3a581cae3ed75e750022933ba4a1a2d03b29d213d39fc67d9624b5
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
  Size: 2280 bytes