Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 191b06be81a8308c…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.03 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-04-27

MD5: d40b275335b2d24e7d73c7b1be58e88b
SHA-1: d02a18d5b88ecc123fc94e8988cbe909512fa6bd
SHA-256: 191b06be81a8308c2319936c32c856ab2472aad12b04846d956dee84e6062c43

Risk score: 180

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

ClamAV identifies the sample as malware, and two critical heuristics fire for an OOXML Excel 4.0 (XLM) macro sheet carrying WinAPI and download strings. The macro sheet is stored as a BIFF12 .bin part rather than as XML, and it contains WinAPI names such as CreateDirectoryA together with references to 'regsvr32', which is consistent with the 2022 Emotet campaigns that used XLM macros to fetch a DLL and run it with regsvr32 as the next stage. The macro also creates files under 'C:\Lastastati\', which matches downloader behaviour. Two triage caveats: the report surfaces the API strings but no download URLs, so there is nothing here to block at the network edge without running the macro in an emulator or sandbox; and the 2015 creation timestamp comes from the document's own core properties, which are trivially forged or inherited from a template, so it says nothing about when the lure was built.

Heuristics (3)

  • OOXML_XLM_MACROSHEET (critical): Excel 4.0 macro sheet (1 sheet)
    The spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened the XLM defaults; even legitimate XLM use is rare in modern workbooks. Here the macro sheet is stored as XLSB/BIFF12 binary content under xl/macrosheets/, which XML-only OOXML scanners do not parse and therefore miss.
  • OOXML_XLM_BINARY_WINAPI_STRINGS (critical): Binary XLM macro sheet with WinAPI/download strings
    The Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal inside an XLM macro sheet and catch payload-download macros that XML-formula scanners cannot see.
  • CLAMAV_DETECTION (critical): ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
    ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
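The two XLM heuristics above come down to a check you can reproduce on any OOXML container without Excel: enumerate the package parts, treat anything under xl/macrosheets/ as a macro sheet whether it is .xml or .bin, and search the raw part bytes (not a parsed formula tree) for the download/execution API names. The script below is an added example, not the analysis platform's own code; it also lists every part with its SHA-256 and uncompressed size, the same fields the extracted-artifacts listing further down reports. It assumes the API string list (the three names from the heuristic plus the regsvr32 reference from the summary) and the two macrosheet content types; the workbook it scans is constructed in memory and is not the analysed Emotet file.

```python
"""Added example, not the analysis platform's code: reproduce the two XLM
heuristics over an OOXML container. Lists every part with SHA-256 and
uncompressed size, finds xl/macrosheets/*.xml and *.bin parts, and flags
Win32 download/execution API strings inside them. Stdlib only."""
import hashlib
import io
import re
import zipfile

# Strings named by the OOXML_XLM_BINARY_WINAPI_STRINGS heuristic, plus the
# regsvr32 reference from the summary. Assumed list; extend for your own triage.
WINAPI_STRINGS = (b"URLDownloadToFileA", b"ShellExecuteA",
                  b"CreateDirectoryA", b"regsvr32")

# Macro sheets live under xl/macrosheets/ as XML or BIFF12 (.bin) parts.
MACROSHEET_RE = re.compile(r"^xl/macrosheets/[^/]+\.(xml|bin)$", re.IGNORECASE)

# Content types Excel assigns to XLM macro sheets (assumed from the OOXML and
# XLSB specs: the +xml form is the XML variant, the other is BIFF12).
XLM_CONTENT_TYPES = ("application/vnd.ms-excel.macrosheet+xml",
                     "application/vnd.ms-excel.macrosheet")


def scan_workbook(data: bytes) -> dict:
    """Scan one OOXML container given as bytes. Returns the macrosheet part
    names, the API strings found per part, a carved-part listing of
    (name, sha256, size) and whether [Content_Types].xml declares a macrosheet."""
    result = {"macrosheets": [], "hits": {}, "parts": [],
              "content_type_flag": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["content_type_flag"] = any(ct in ctypes
                                              for ct in XLM_CONTENT_TYPES)
        except KeyError:
            pass  # malformed package: still enumerate the parts below
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info.filename)
            result["parts"].append((info.filename,
                                    hashlib.sha256(blob).hexdigest(),
                                    info.file_size))
            if not MACROSHEET_RE.match(info.filename):
                continue
            result["macrosheets"].append(info.filename)
            found = []
            for s in WINAPI_STRINGS:
                # BIFF12 stores strings as UTF-16LE, XML parts as UTF-8, so
                # check both encodings against the raw part bytes.
                if s in blob or s.decode().encode("utf-16-le") in blob:
                    found.append(s.decode())
            if found:
                result["hits"][info.filename] = found
    return result


def triage(data: bytes) -> str:
    """Collapse the scan into the severity tiers the report uses."""
    r = scan_workbook(data)
    if not r["macrosheets"]:
        return "info: no XLM macro sheet"
    if r["hits"]:
        return "critical: XLM macro sheet with WinAPI/download strings"
    return "warning: XLM macro sheet present"


def build_sample() -> bytes:
    """Constructed test container (NOT the analysed Emotet file): a minimal
    package with one worksheet and one BIFF12-style macrosheet .bin part whose
    bytes carry the strings in ASCII and in UTF-16LE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/'
                    '2006/content-types"><Override PartName="/xl/macrosheets/'
                    'sheet1.bin" ContentType="application/vnd.ms-excel.macrosheet"/>'
                    '</Types>')
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        fake_biff = (b"\x81\x01\x00"                        # arbitrary record bytes
                     + b"URLDownloadToFileA\x00"
                     + b"regsvr32 /s C:\\Lastastati\\\x00"
                     + "CreateDirectoryA".encode("utf-16-le")
                     + b"\x00" * 16)
        zf.writestr("xl/macrosheets/sheet1.bin", fake_biff)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_workbook(build_sample())
    for name, digest, size in report["parts"]:
        print(f"{name:32} {size:>8} bytes  sha256={digest[:16]}...")
    print("macrosheet content type declared:", report["content_type_flag"])
    print("hits:", report["hits"])
    print(triage(build_sample()))
```

Run it against a real file with `scan_workbook(open(path, "rb").read())`. The point of matching raw bytes in both encodings is exactly the gap the second heuristic describes: a scanner that only parses `<f>` formula elements from sheet XML never sees a BIFF12 macro sheet at all, while a byte search costs nothing and is encoding-agnostic. It is a triage filter, not a verdict; a hit should send the .bin part to an XLM emulator to recover the actual URL and command line.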

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                            Size
emf_00.emf        ooxml-emf       OOXML EMF part: xl/media/image1.emf               6145428 bytes
                  SHA-256: 877e4543f89ce8edb4ba9c66218abfc871d4a1c4f42f3f21f1e998a11b32f267
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin  2280 bytes
                  SHA-256: 7b8101fc2a3a581cae3ed75e750022933ba4a1a2d03b29d213d39fc67d9624b5

Note the sizes: the EMF part inflates to about 6 MB out of a 1.03 MB package, so it compresses at better than 6:1 inside the zip and is worth checking for padding, while the 2280-byte macro sheet is the part that carries the behaviour and the one to hand to an XLM emulator or disassembler.