Emotet — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 47b9b9ddc9f9e6c6…

MALICIOUS

Office (OLE) / .XLS

Size: 829.0 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
MD5: 44d50e6b8575f1f478fbf8667300babf
SHA-1: a9539ef15f3207ca5f60411ea62d1cec3d8b9db6
SHA-256: 47b9b9ddc9f9e6c66cd6ea322a51bec7b843502b30db19f119fa59794ee19cd6
Risk Score: 460

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1105 Ingress Tool Transfer
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the sample as malicious with the signature Xls.Downloader.Emotet-aa524936374996af-9950344-0. High-severity heuristics show VBA macros that call Shell() and CreateObject, and the compiled p-code stream carries an auto-execution token together with shell/download/object-execution tokens, so the macro fires on open even where the source cannot be extracted. The file also contains string references to VirtualAlloc, VirtualProtect, LoadLibrary and GetProcAddress; the report does not say whether these sit in the VBA (for example as Declare statements) or in the import table of the embedded executable, so read them as a hint of in-memory loading rather than proof that the macro itself injects code. Crucially, a PE executable is embedded in the OLE file, surfaced in two ways: a raw MZ/PE header at offset 0x2D35 and a separate Ole10Native package stream (MBD003223DA/Ole10Native). The macros are the likely execution path for the embedded PE, a common Emotet delivery mechanism. The carved PE was itself detected by ClamAV as Win.Trojan.Razy-7331387-0. Note that the ATT&CK mapping lists T1059.001 (PowerShell) although no heuristic on this page reports a PowerShell artifact, so that technique is not corroborated by the static findings listed here.

Heuristics (11)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_EMBEDDED_EXE (critical): Embedded PE executable
    MZ/PE header found inside the document; possible embedded executable
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Downloader.Emotet-aa524936374996af-9950344-0
  • EXTRACTED_FILE_CLAMAV (critical): ClamAV detection on extracted artifact
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
  • OLE_VBA_CREATEOBJ (high): CreateObject call in VBA
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, and documents whose source extraction failed, where no visible source is available.
  • SC_STR_VIRTUALALLOC (medium): Reference to VirtualAlloc API
  • SC_STR_VIRTUALPROTECT (medium): Reference to VirtualProtect API
  • OLE_VBA_MACROS (medium): Document contains VBA macro code

Extracted artifacts (3)

Files carved from inside the sample during analysis.

1. macros.bas
   SHA-256: 24b5bb60bab3e16a9d0ff9f5e32b7f7a1a58e8502d9d834797c44b7808d7db2f
   Kind: vba-macro
   Source: oletools.olevba.extract_macros (decoded VBA source)
   Size: 28539 bytes

2. embedded_office_00002d35.exe
   SHA-256: a1362eef97a91864cb31c30207f6508ed14b35aca30d6480aa78a20bcc4400ca
   Kind: embedded-pe
   Source: Office MZ+PE at offset 0x2D35
   Size: 837323 bytes (0x2D35 + 837323 = 848896 bytes, which matches the reported 829.0 KB, so this carve runs from the MZ header to the end of the file and its size is not the real PE image size)
   Detection: ClamAV: Win.Trojan.Razy-7331387-0
   Obfuscation or payload: unlikely

3. ole10native_00.bin
   SHA-256: 547fb9814bd6f20c1d9f4e6682dadf4a017016d6eecc6d392b92783c1b8e26e0
   Kind: ole-package
   Source: OLE Ole10Native stream: MBD003223DA/Ole10Native (MBD-prefixed storages are where Excel keeps embedded objects)
   Size: 673374 bytes
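The two mechanisms the report leans on, the raw MZ/PE carve behind OLE_EMBEDDED_EXE (together with the SC_STR_* API string references) and the Ole10Native package stream listed among the extracted artifacts, can be reproduced with a short triage script. The following is an added example written for this page, not code from the analysis tool that produced the report. It scans a byte buffer for MZ headers whose e_lfanew really points at a PE signature (so a bare "MZ" in text is rejected), parses a Package-style Ole10Native stream body using the same field order oletools' oleobj parser uses, and checks a payload for the four watched API names. The sample bytes are constructed inline (a header-only PE stub and a synthetic stream; neither is a real program or a real document), and the reported size of a carve is "to end of buffer", which is why the report's 837323-byte figure reaches the end of the file. Extracting the real stream from an .xls would need olefile/oletools, which this script deliberately does not use.

```python
import re
import struct

# API names the report flags as string references (the SC_STR_* heuristics).
API_WATCHLIST = (b"VirtualAlloc", b"VirtualProtect", b"LoadLibrary", b"GetProcAddress")


def find_pe_headers(buf: bytes) -> list:
    """Return (offset, size_to_end) for every 'MZ' whose e_lfanew lands on 'PE\\0\\0'.

    A bare 'MZ' substring occurs in ordinary data, so the e_lfanew pointer at
    DOS-header offset 0x3C is followed and the PE signature checked before
    a hit is reported. Size is measured to the end of the buffer, like a raw carve.
    """
    hits = []
    for m in re.finditer(b"MZ", buf):
        off = m.start()
        if off + 0x40 > len(buf):
            continue
        e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
        if not 0x40 <= e_lfanew <= 0x1000:       # sane range for a real DOS stub
            continue
        sig = off + e_lfanew
        if buf[sig:sig + 4] == b"PE\x00\x00":
            hits.append((off, len(buf) - off))
    return hits


def api_references(buf: bytes) -> list:
    """Names from API_WATCHLIST present as ASCII strings anywhere in buf."""
    return sorted(name.decode() for name in API_WATCHLIST if name in buf)


def parse_ole10native(stream: bytes) -> dict:
    """Parse an Ole10Native ('Package') stream body into header fields and payload.

    Layout (little-endian): total size (u32), flags (u16), label (ASCIIZ),
    original path (ASCIIZ), unknown (u32), temp-path length (u32),
    temp path (ASCIIZ), data size (u32), data. A declared data size that
    overruns the stream is rejected instead of silently truncated.
    """
    def cstr(pos):
        end = stream.index(b"\x00", pos)
        return stream[pos:end].decode("latin-1"), end + 1

    total, flags = struct.unpack_from("<IH", stream, 0)
    pos = 6
    label, pos = cstr(pos)
    src_path, pos = cstr(pos)
    _unknown, _temp_len = struct.unpack_from("<II", stream, pos)
    pos += 8
    temp_path, pos = cstr(pos)
    data_size = struct.unpack_from("<I", stream, pos)[0]
    pos += 4
    if data_size > len(stream) - pos:
        raise ValueError(f"Ole10Native data size {data_size} overruns stream ({len(stream) - pos} bytes left)")
    data = stream[pos:pos + data_size]
    return {"total_size": total, "flags": flags, "label": label, "src_path": src_path,
            "temp_path": temp_path, "data_size": data_size, "data": data,
            "embedded_pe": find_pe_headers(data), "api_refs": api_references(data)}


def build_fake_pe(tail: bytes = b"") -> bytes:
    """Constructed MZ/PE header stub for testing; it is headers only, not an executable."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, 0x0102)     # i386, 1 section, EXE flags
    return bytes(dos) + b"PE\x00\x00" + coff + tail


def build_ole10native(label: str, src_path: str, payload: bytes) -> bytes:
    """Constructed Ole10Native stream wrapping payload, in the layout parse_ole10native reads."""
    body = (struct.pack("<H", 2)
            + label.encode() + b"\x00"
            + src_path.encode() + b"\x00"
            + struct.pack("<II", 0x00030000, len(src_path) + 1)
            + src_path.encode() + b"\x00"
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    pe = build_fake_pe(b"VirtualAlloc\x00GetProcAddress\x00")
    # Constructed buffer, not an OLE file: a decoy 'MZ' in text, some macro text, then the stub.
    doc = b"MZ" + b"A" * 200 + b"Sub Auto_Open()\r\nEnd Sub\r\n" + pe
    for off, size in find_pe_headers(doc):
        print(f"embedded PE at offset {off:#06x}, {size} bytes to end of buffer")
    print("API references:", api_references(doc))
    pkg = parse_ole10native(build_ole10native("invoice.exe", r"C:\Users\victim\invoice.exe", pe))
    print(f"Ole10Native label={pkg['label']!r} src={pkg['src_path']!r} "
          f"data={pkg['data_size']} bytes pe={pkg['embedded_pe']}")
```

When applied to a real sample, the offset reported by find_pe_headers is the figure to compare against the report's 0x2D35, and the Ole10Native label and source path are often the most useful triage detail the package stream gives up, since they record the filename and the path on the author's machine at embedding time.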