Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 3154dc45218c972f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 92.0 KB · Created: 2015-06-05 18:17:20 UTC · Authoring application: Microsoft Excel 12.0000
MD5: f2650ef130bb6530e53cf2aec74f6b7e
SHA-1: 4d1dfe569638023c2715f67945df6af635cd996c
SHA-256: 3154dc45218c972f964c27c649814ec9faa320eb7b5a3ef0559b4fa86c0e2149
Risk score: 200

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell

The file is identified as malicious by ClamAV with the signature 'Xls.Downloader.EmotetRed02221-9938910-0'. The presence of a Workbook_Open macro and a CreateObject call strongly suggests malicious intent. The DOC BODY contains obfuscated commands that, when decoded, reveal the use of 'Wscript.Shell' to execute a VBScript from 'c:\programdata\yhjlswle.vbs' and a batch file from 'c:\programdata\ughldskbhn.bat'. The VBA script itself is designed to create charts and potentially export them, but the primary malicious functionality is driven by the shell execution and the downloaded payloads from the listed URLs.

Heuristics (5)

  • ClamAV: Xls.Downloader.EmotetRed02221-9938910-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.EmotetRed02221-9938910-0
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: de7bcbc45ff0a77d05d9af662bacc316e71be11a980e94f6673e556a5dd9d1bc
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 12808 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved macro source contains an auto-exec entry point and execution/download terms.
  • vbaProject_00.bin
    SHA-256: 379e7df2fa96130a2c5afedd28b24bd412109c6eeb539d6c65c2370f4aba6a9c
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 37888 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved macro source contains an auto-exec entry point and execution/download terms.