Emotet Office (OOXML) / .XLSX malware analysis — malicious · 3421588fe0ca7852

MALICIOUS

Office (OOXML) / .XLSX

209.7 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300

MD5: 16c057268576e80de1aa00034db220d2 SHA-1: dc034fdd786e578aa09278f34fa8bc1c0a0ddf7b SHA-256: 3421588fe0ca7852b49d2283863b729b7c397a471af18fd082d20ea71fc4b5b2

120 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature Xls.Downloader.Emotet-OOXML_XL. It contains multiple Excel 4.0 macro sheets, which are commonly used by Emotet to download and execute further stages. The presence of these macros indicates an attempt to execute arbitrary code, likely for payload delivery.

Heuristics 2

Excel 4.0 macro sheet (10 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `b61acd4a0ba88d71ebd2f7ca82aac4538464de57e07a65922adbeef70aed5bfe`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	322 bytes
`xlm_sheet_01.bin` `c929e0ffc2d481eb90271cd964986076d70152a5c5fd9629096bc1151c2b24df`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin	2098 bytes
`xlm_sheet_02.bin` `ddf8c38436343a2d996409ef39489240366954d6174dd8f15141de974606208a`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.bin	477 bytes
`xlm_sheet_03.bin` `a4cd811ea720d6f722baa224d498100a798e02b5c1f0e61cf30c0ab935978dc9`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet3.bin	428 bytes
`xlm_sheet_04.bin` `fdec1aedb1e4cc5ee3493af09839c18556aa14fbc179a3983a1010909b8d797e`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet4.bin	428 bytes
`xlm_sheet_05.bin` `99f8734479ddf751c5bd12852de35f602e40a2e05ac3b4c1addcec9724732e71`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet5.bin	428 bytes
`xlm_sheet_06.bin` `581a5f87132a006224bc11cded0735021e50f91bd2b7153978b9964fa0d687c7`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet6.bin	428 bytes
`xlm_sheet_07.bin` `a3ed4f701357d62073358cd906b485928cccebcb079a4c8c16576c5860d5fd09`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet7.bin	428 bytes
`xlm_sheet_08.bin` `cd51dd2118c09dff4f9c6ee29c46887f3492a09764c24d75ce7fed4b524fec4c`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet8.bin	428 bytes
`xlm_sheet_09.bin` `c4f5626052d3e47097277530276280f0e5d823b34ed49f93a9e1f8be6cfd7381`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet9.bin	348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.