Emotet — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 3b88082b98ac63d2…

MALICIOUS

Office (OLE) / .XLS

70.9 KB Created: 2022-01-20 19:00:43 Authoring application: Microsoft Excel
MD5: 2eafedc8284a578087ce65f5c70ea799 SHA-1: 128f2b1529a6400d9f5b01683f8f8699b64fcc1a SHA-256: 3b88082b98ac63d24a19d2c48be5a67d0a1dc032772df4ae97c58d321c1131f7
140 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristic OLE_XLM_AUTOOPEN_DEFINEDNAME indicates the presence of an Excel 4.0 Auto_Open macro, which is a common execution vector for Emotet. The ClamAV detection further supports this attribution. The macro sheet is designed to run malicious code automatically when the Excel file is opened, likely to download and execute a secondary payload.

Heuristics 3

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • ClamAV: Doc.Downloader.EmotetExcel01220-9937164-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.EmotetExcel01220-9937164-0
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
7f1f89a8b36a750dced08313a4e4f056192a6eac7194357c673dbbd2670a1a18		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 4219 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.