MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The file is identified as malicious by ClamAV with the signature Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0. Static analysis revealed the presence of Excel 4.0 macros. These macros contain URLs such as 'ordisoss.com/9bVAa06WXzsj/Knhfn.png' and 'ncelltech.com/qVFmE4M5BR/Knhfn.png', which are likely used to download and execute a second-stage payload. The presence of these elements strongly suggests a downloader functionality, consistent with the Emotet family.
Heuristics 2
-
Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.bin56ddade77d7e32930aed597b7717dc3eff76587b10e692229752e1522d34b56e |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 998 bytes |
xlm_sheet_01.bin6596a1a91ff1e8511c9bacd26b0ed25c9acae41209ca6bf1af5b0af2340b0150 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 2652 bytes |
xlm_sheet_02.bin4aa675529670262d62d2072b2082c4d2e236f5f4a3a27db04178011a4f7c7c65 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 1336 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.