MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file was detected as malicious by ClamAV with the signature 'Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0', indicating it is likely an Emotet downloader. The critical heuristic 'OOXML_XLM_MACROSHEET' confirms the presence of Excel 4.0 macros, which are commonly used by Emotet to execute malicious code. These macros likely download and execute a secondary payload, consistent with Emotet's typical behavior.
Heuristics 2
-
Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.bin217b976a1455d38cebc8bbf74bc13fc9a02ab2650105512004d338387d72a161 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 2327 bytes |
xlm_sheet_01.bin0e373ab2ec31374e963ab69abd60915e474f90635ea55cbbed3537dc849e5b41 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 428 bytes |
xlm_sheet_02.binbbb48aa334e3c48c0aeb3ba76da4d017bf3b3af8d04b19e3d22bb6a81512b412 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 428 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.