Emotet — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 21f85ed5f61ca451…

MALICIOUS

Office (OLE) / .XLS

Size: 180.0 KB
Created: 2006-09-28 05:33:49
Authoring application: Microsoft Excel
MD5: 4eaac297e5d8ce02633a9515fe170550
SHA-1: 5aba3e98fd65b0242474ce5efa69a2872ebea344
SHA-256: 21f85ed5f61ca451f79ca5ea174a644de634645d79c5f8d28d5e375079cd71c5
Risk score: 160

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1204.002 Malicious File

ClamAV identifies the file as malicious. It contains VBA macros that write and execute a batch script at 'c:\programdata\hfwiue.bat'; the batch script downloads and executes a second-stage payload from a list of hardcoded URLs. The macro also assembles a command from 'Shell -e' and a long string of concatenated URLs, which is consistent with downloader functionality. The 2006 creation timestamp comes from the OLE SummaryInformation stream, which is inherited from whatever template the document was built on and is trivially edited, so it does not date the campaign.

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.EmotetExcel02226-9938630-0
  • Reference to WinExec API (high, SC_STR_WINEXEC)
    The file references the WinExec API, a native process-launch primitive.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token (for example Auto_Open or Workbook_Open) together with shell, download or object-execution tokens. This catches p-code-only documents (VBA stomping) and documents whose source extraction failed, where no visible macro source is available.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    The document contains VBA macro code.
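The check behind OLE_VBA_PCODE_AUTOEXEC_EXEC (an auto-exec entry point co-occurring with shell/download/object-execution tokens) and the downloader behaviour described in the summary, as an added example that is not the analysis platform's code. It runs the token logic over decoded VBA source, folds "a" & "b" string concatenation so split tokens and URL lists become visible, resolves the path handed to Open ... For Output, and decodes any 'powershell -e' blob the macro writes into its batch file (T1059.001). The VBA text embedded below is constructed to resemble the reported behaviour; it is not the sample's real macro, the batch name 'sample.bat' and the .invalid hostnames are placeholders, and the token lists are this example's own choice.

```python
"""Macro triage: auto-exec + execution-token check plus recovery of the
dropped-file path, hardcoded URLs and encoded PowerShell.  Added example,
not the analysis platform's code; stdlib only."""
import base64
import re

# Token lists are this example's own choice, modelled on the heuristic text.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Workbook_Open", "Document_Open",
                   "Auto_Close", "AutoClose", "AutoExec")
EXEC_TOKENS = ("Shell", "WinExec", "ShellExecute", "CreateObject", "GetObject",
               "WScript.Shell", "URLDownloadToFile", "XMLHTTP", "ADODB.Stream",
               "CallByName")

URL_RE = re.compile(r'https?://[^\s"\'<>,]+', re.IGNORECASE)
# name = "literal"   (VBA escapes a quote inside a literal as "")
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"\s*$', re.MULTILINE)
OPEN_RE = re.compile(r'\bOpen\s+(.+?)\s+For\s+(?:Output|Append|Binary)\b', re.IGNORECASE)
ENC_PS_RE = re.compile(
    r'powershell[^\n"]*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})',
    re.IGNORECASE)


def normalize(code):
    """Join ' _' line continuations and fold "a" & "b" into "ab", so tokens
    and URLs split across string literals are visible to the scans below."""
    code = re.sub(r'[ \t]+_\r?\n\s*', ' ', code)
    return re.sub(r'"\s*&\s*"', '', code)


def find_tokens(code, tokens):
    """Case-insensitive whole-word hits; the lookbehind keeps 'Shell' from
    matching inside 'powershell' or 'WScript.Shell'."""
    return [t for t in tokens
            if re.search(r'(?<![\w.])' + re.escape(t) + r'\b', code, re.IGNORECASE)]


def string_constants(code):
    """Single-assignment string literals, so 'Open p For Output' can be
    resolved to the path that p holds."""
    return {m.group(1): m.group(2).replace('""', '"') for m in ASSIGN_RE.finditer(code)}


def dropped_files(code, consts):
    paths = []
    for m in OPEN_RE.finditer(code):
        expr = m.group(1).strip()
        if len(expr) > 1 and expr[0] == expr[-1] == '"':
            paths.append(expr[1:-1])
        else:
            paths.append(consts.get(expr, expr))  # unresolved expression kept as-is
    return paths


def encoded_powershell(code):
    """Decode 'powershell -e <base64>'; the blob is UTF-16LE, not UTF-8."""
    cmds = []
    for blob in ENC_PS_RE.findall(code):
        try:
            cmds.append(base64.b64decode(blob).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            cmds.append("<undecodable: %s...>" % blob[:16])
    return cmds


def triage(vba_source):
    code = normalize(vba_source)
    consts = string_constants(code)
    autoexec = find_tokens(code, AUTOEXEC_TOKENS)
    execs = find_tokens(code, EXEC_TOKENS)
    return {
        "autoexec": autoexec,
        "exec": execs,
        "flag": bool(autoexec and execs),      # the heuristic's firing condition
        "dropped_files": dropped_files(code, consts),
        "urls": sorted(set(URL_RE.findall(code))),
        "encoded_powershell": encoded_powershell(code),
    }


# Constructed VBA resembling the reported behaviour (Auto_Open writes a batch
# file under c:\programdata\ and runs it).  NOT the sample's real macro; the
# hostnames use the reserved .invalid TLD and the payload is a harmless echo.
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode()
SAMPLE_VBA = f'''Attribute VB_Name = "Module1"
Sub Auto_Open()
    Dim p As String, u As String
    p = "c:\\programdata\\" & "sample" & ".bat"
    u = "http://a.example.invalid/x/" & _
        ",http://b.example.invalid/y/"
    Open p For Output As #1
    Print #1, "@echo off"
    Print #1, "powershell -e " & "{ENCODED}"
    Close #1
    Sh = "Sh" & "ell"
    Shell p, vbHide
End Sub
'''

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real document: oletools.olevba, the extractor named in the artifact table.
        from oletools.olevba import VBA_Parser
        src = "\n".join(code for _, _, _, code in VBA_Parser(sys.argv[1]).extract_macros())
    else:
        src = SAMPLE_VBA
    for key, value in triage(src).items():
        print(f"{key}: {value}")
```

With no argument the script triages the constructed module and reports flag=True with Auto_Open, Shell, the resolved c:\programdata\sample.bat path, both URLs and the decoded PowerShell. Pointed at a real document it feeds the decoded source from olevba's extract_macros() through the same logic; for a stomped document, where olevba recovers no source, the heuristic's own p-code scan is what remains, and this text-level check will not fire.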

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  21667 bytes
SHA-256 (macros.bas): 37a69795addc474a641047d4bba9da3f333e657eebcd055e17f72fda81b4b789