Emotet — Office (OLE) / .XLSX malware analysis

Static analysis result for SHA-256 4249c01b9d26704b…

MALICIOUS

Office (OLE) / .XLSX

Size: 180.0 KB · Created: 2006-09-28 05:33:49 · Authoring application: Microsoft Excel
MD5: 0666869275f4a406323b58da5a64a0b4
SHA-1: b2597d2daa2451598967e21cd3d87023fb46aca5
SHA-256: 4249c01b9d26704bf8e624f5ac5f4af93f994d49b431061be92ed859807c4ce8
Risk Score: 160

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1059.001 PowerShell · T1204.002 Malicious File

The sample is identified as malicious by ClamAV with a specific Emotet signature. The VBA macro contains code that constructs a complex shell command using multiple variables, including URLs that are likely used to download and execute a second-stage payload. The reconstructed command includes multiple potential download URLs, such as 'http://everisyoublgobal.everis.com/wordpress/Z Y1wZJFiu34Bbj/', indicating a downloader functionality. The presence of WinExec API references and auto-execution via Workbook_Open further supports this.

Heuristics (4)

  • ClamAV: Doc.Downloader.EmotetExcel02226-9938630-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.EmotetExcel02226-9938630-0
  • Reference to WinExec API (severity: high, rule: SC_STR_WINEXEC)
    Reference to WinExec API
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  macros.bas
SHA-256:   37a69795addc474a641047d4bba9da3f333e657eebcd055e17f72fda81b4b789
Kind:      vba-macro
Source:    oletools.olevba.extract_macros (decoded VBA source)
Size:      21667 bytes