Emotet Office (OOXML) / .XLSX malware analysis — malicious · 130b7abb44330b08

MALICIOUS

Office (OOXML) / .XLSX

265.1 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-02-24

MD5: 9fcebc0d86396a14d34d2e88612d1306 SHA-1: 028d90b3d7a3962151e327bbaeaa1d0d782c1b46 SHA-256: 130b7abb44330b081d87a33dc5eb2600a1bb220212c54a10cdc4d0523f3360a4

120 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a signature indicating it is an Emotet downloader. Static analysis revealed the presence of Excel 4.0 macros, a common technique for initial execution and payload delivery. The macro sheet likely contains code to fetch and run a further stage, consistent with Emotet's typical behavior.

Heuristics 2

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `0739caeaa979fb9b94d312f443a973e7c53ed4452081346db704e2fcaccfba81`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin	1768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.