Emotet Office (OOXML) / .XLSX malware analysis — malicious · 17bb94b7cd51e966

MALICIOUS

Office (OOXML) / .XLSX

92.0 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 12.0000

MD5: 25b81798f93c9754f4b6141b2c018767 SHA-1: e4d4e702a50bd6d5299530f9d2b675641246be8d SHA-256: 17bb94b7cd51e96641c6e63528c7c372e61306fc722f67e4e0eecc7340f8fb60

260 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Excel file containing a Workbook_Open macro that executes obfuscated VBA code. This code utilizes CreateObject to call Wscript.Shell, which is then used to execute a batch file and a VBScript. The VBA code also attempts to download payloads from multiple URLs, including 'http://harperhousseproducts.com/Merchan2/ARSf1LIcOauhH1rDiH/', which is a strong indicator of Emotet activity. The presence of obfuscated auto-exec loaders and the detection by ClamAV as 'Xls.Downloader.EmotetRed02221-9938910-0' further support this classification.

Heuristics 6

Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
ClamAV: Xls.Downloader.EmotetRed02221-9938910-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.EmotetRed02221-9938910-0
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `de7bcbc45ff0a77d05d9af662bacc316e71be11a980e94f6673e556a5dd9d1bc`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	12808 bytes
`vbaProject_00.bin` `11db471c03f01f1a3b6de6518bfea1a6dc072b424b3fcdd53a8904ec60f4baac`	vba-project	OOXML VBA project: xl/vbaProject.bin	37888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.