Emotet Office (OOXML) / .XLSM malware analysis — malicious · 33c6380063fc1c6c

MALICIOUS

Office (OOXML) / .XLSM

74.1 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-03-15

MD5: a1eac2c86b740de40305fb4685fce449 SHA-1: e4bfdf6b14b35b6d9c800776f8db0320559ad550 SHA-256: 33c6380063fc1c6c31fb9221af75d4c70c8e112f1e06a219b48b43092703d2cd

250 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Service Execution: Visual Basic T1204.002 Malicious File Execution: User Execution T1105 Ingress Tool Transfer

This XLSM file contains Excel 4.0 macros, indicated by the 'OOXML_XLM_MACROSHEET' and 'OOXML_XLM_DANGEROUS_FN' heuristics. The macros utilize the 'FORMULA' API to construct and execute URLs, which are then used to download a second-stage payload, identified as 'regsvr32.exe' and 'ujg.dll'. The ClamAV detection as 'Xls.Downloader.Emotet03220-9941786-0' strongly suggests the Emotet family. The reconstructed URLs are: "http://baboonworks.com/Zw0xw dQ0IktrC/", "http://bangpmahospit al.com/bootstrap/im6LO UezHN UpvTG iRP/", "http://basepainters.com/wp-content/Zega/", "http://az-10.sakura.ne.jp/info/nXAq9xNk3zS/", "http://barcoindo.com/picture_library/2mz8F5eS084w cxP yNXZ/", "http://baronan dstagger.com/hqakgc/AkVs MU5 bee39y b9r79c/", and "http://ceibadisen o.com.mx/bander mex2/8ib08ZJ/".

Heuristics 6

Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FORMULA critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
ClamAV: Xls.Downloader.Emotet03220-9941786-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet03220-9941786-0
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 6 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
- http://schemas.microsoft.com/office/excel/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
- http://schemas.microsoft.com/office/spreadsheetml/2014/revision
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml` `561bd2ad03d5ff349d3a0a4fbda71b956dd8d97a0dbce4e25549bf8a7721c5df`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml	4049 bytes
`xlm_sheet_01.xml` `4f892349a6f0ce9450df5d764f02eea0a737d43225bc39e0b3e39eaafe266901`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	1276 bytes
`xlm_sheet_02.xml` `f8dcec9dac216a8c4fc7140768d73598afe199c381abfb2f58ad13ed8f5733f6`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.xml	1152 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.