Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 346767239ac72bd8…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX
Size: 1.20 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-05-02

MD5: d533a61548c5eb63767f0b06e359d1a7
SHA-1: ed3535d9f2470a6d41581e685cd50b866824965a
SHA-256: 346767239ac72bd86cf9e2317a980fe5cf7e0d43836cce29b715e2961829afbe

Risk score: 120

Malware Insights

Family: Emotet (confidence 95%)

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains Excel 4.0 (XLM) macros, flagged by the OOXML_XLM_MACROSHEET heuristic and detected by ClamAV as Emotet. The macro sheets hold obfuscated strings that, once reassembled, form URLs such as 'l i z e t y . c o m / m J Y v p o 2 x h x / O p h n . p n g' and 'e l b l o g d e l o s c a c h a n i l l a s . c o m . m x / S 3 s Y 8 R Q 1 0 / O p h n . p n g' (shown here as extracted, with the characters still separated). Both URLs end in the same filename, consistent with a list of alternative download locations for one second-stage payload; this is a static result, so the payload itself was not fetched and the URLs should be treated as indicators rather than confirmed live infrastructure. The macros also reference the local path 'C:\Yerto\Narost\Beunse.oooooooooccccccccccxxxxxxxxxx', most likely the on-disk destination for the downloaded file before it is executed, although static analysis alone cannot confirm the write or the execution step.

Heuristics (2)

  • Excel 4.0 macro sheet (3 sheets) critical OOXML_XLM_MACROSHEET
    The workbook contains Excel 4.0 (XLM) macro sheets. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened the XLM defaults; legitimate XLM use in modern workbooks is rare. Here the three macro sheets are stored as XLSB/BIFF12 binary parts (xl/macrosheets/sheet1.bin through sheet3.bin) rather than XML, so XML-only OOXML scanners that never open .bin parts miss them.
  • ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
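The following Python triage script is an added example, not part of the original report or of any scanner the report names. It does the two checks the description and the OOXML_XLM_MACROSHEET heuristic above rely on: it enumerates XLM macro-sheet parts in an OOXML container (by declared content type in [Content_Types].xml and by the conventional xl/macrosheets/ path, so binary .bin parts are not skipped), then pulls ASCII and UTF-16LE string runs out of those parts, collapses the character-spaced obfuscation shown in the report, and reports URL-like and Windows-path-like indicators. The sample workbooks are constructed in memory and are not real BIFF12; the content-type token and the regexes are assumptions made for this example.

```python
"""Triage an OOXML workbook for XLM (Excel 4.0) macro sheets and pull indicators out of them."""
from __future__ import annotations

import io
import re
import zipfile
from xml.etree import ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Assumption: both XLM macro-sheet content types (the binary XLSB part type and the
# "+xml" variant) contain this token, so matching on it covers both storage forms.
MACROSHEET_TOKEN = "vnd.ms-excel.macrosheet"

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")            # plain ASCII runs
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")     # UTF-16LE runs (BIFF12 stores strings this way)
SPACED = re.compile(r"(?:\S ){4,}\S")                   # 'l i z e t y . c o m' style spacing
URL_LIKE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s'\"]*)+", re.I)
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s'\"]+")


def find_macrosheets(data: bytes) -> list[str]:
    """Part names of XLM macro sheets, found by declared content type and by path."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # Conventional location, regardless of what the content types claim.
        hits = {n for n in names if n.startswith("xl/macrosheets/") and n.endswith((".bin", ".xml"))}
        # Declared content types catch macro sheets stored under an unusual part name.
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for ov in root.iter(CT_NS + "Override"):
                if MACROSHEET_TOKEN in ov.get("ContentType", ""):
                    hits.add(ov.get("PartName", "").lstrip("/"))
    return sorted(h for h in hits if h in names)


def extract_strings(blob: bytes) -> list[str]:
    """Printable ASCII and UTF-16LE runs from a binary part (no BIFF12 record parsing)."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    out += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return out


def deobfuscate(s: str) -> str:
    """Collapse character-spaced text: 'l i z e t y . c o m' -> 'lizety.com'."""
    return SPACED.sub(lambda m: m.group().replace(" ", ""), s)


def triage(data: bytes) -> dict:
    """Return macro-sheet part names plus URL and path indicators found inside them."""
    sheets = find_macrosheets(data)
    urls: set[str] = set()
    paths: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in sheets:
            for s in extract_strings(z.read(part)):
                s = deobfuscate(s)
                urls.update(m.group() for m in URL_LIKE.finditer(s))
                paths.update(m.group() for m in WIN_PATH.finditer(s))
    return {"xlm_macrosheets": sheets, "urls": sorted(urls), "paths": sorted(paths)}


def build_workbook(macro_parts: dict[str, bytes]) -> bytes:
    """Constructed minimal OOXML container for testing; it is not an openable workbook."""
    overrides = "".join(
        f'<Override PartName="/{n}" ContentType="application/vnd.ms-excel.macrosheet"/>'
        for n in macro_parts
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        for name, blob in macro_parts.items():
            z.writestr(name, blob)
    return buf.getvalue()


# Constructed macro-sheet bytes: the URL is stored UTF-16LE and character-spaced, as in
# the report; the drop path is stored ASCII. The surrounding byte layout is illustrative.
SPACED_URL = "l i z e t y . c o m / m J Y v p o 2 x h x / O p h n . p n g"
DROP_PATH = r"C:\Yerto\Narost\Beunse.oooooooooccccccccccxxxxxxxxxx"
FAKE_SHEET = (b"\x00" * 8 + SPACED_URL.encode("utf-16-le") + b"\x00" * 4
              + DROP_PATH.encode("ascii") + b"\x00" * 4)

MALICIOUS = build_workbook({"xl/macrosheets/sheet1.bin": FAKE_SHEET})
BENIGN = build_workbook({})

if __name__ == "__main__":
    print(triage(MALICIOUS))
    print(triage(BENIGN))
```

Run against a real sample, replace the constructed `MALICIOUS` bytes with the file contents; string carving over the .bin parts is a quick first pass only, and a proper BIFF12 record parser or XLM emulator is still needed to recover formulas that build their strings from CHAR() calls or cell references rather than from literal text.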

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename           Kind             Source                                              Size
emf_00.emf         ooxml-emf        OOXML EMF part: xl/media/image2.emf                 6145428 bytes
  SHA-256: 39b5bc2fae3ca399c730a72513cf632b197a6280186bf539b67779302baad98a
xlm_sheet_00.bin   xlm-macrosheet   OOXML XLM macro sheet: xl/macrosheets/sheet1.bin    1214 bytes
  SHA-256: 7e295c94c3c1bf9df08f2b41ce75aac9c0cb16a4af1b25a9813f98273f69e0b1
xlm_sheet_01.bin   xlm-macrosheet   OOXML XLM macro sheet: xl/macrosheets/sheet2.bin    2492 bytes
  SHA-256: bd692be10c10dace410f6487b89f2810d6dea07bb3c883ac05ff8e2ed023318a
xlm_sheet_02.bin   xlm-macrosheet   OOXML XLM macro sheet: xl/macrosheets/sheet3.bin    1090 bytes
  SHA-256: 5c96c59c64a0ef3ce4809143abd5fe78bceb89408d53154ced5a5c4bb664f87f