MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The sample contains Excel 4.0 macros, as indicated by the OOXML_XLM_MACROSHEET heuristic. The ClamAV detection explicitly names this as 'Xls.Downloader.Emotet-OOXML_XL'. The macros appear to construct URLs such as 'ordisOS.com/9bVAa06WXzsj/Knhfn.png' and 'ncelltech.com/qVFmE4M5BR/Knhfn.png', likely for downloading a second-stage payload. This aligns with Emotet's typical delivery mechanism.
Heuristics 2
-
Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.bin56ddade77d7e32930aed597b7717dc3eff76587b10e692229752e1522d34b56e |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 998 bytes |
xlm_sheet_01.bin6596a1a91ff1e8511c9bacd26b0ed25c9acae41209ca6bf1af5b0af2340b0150 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 2652 bytes |
xlm_sheet_02.bin4aa675529670262d62d2072b2082c4d2e236f5f4a3a27db04178011a4f7c7c65 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 1336 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.