Emotet Office (OLE) / .XLSX malware analysis — malicious · 4c3f80d1187f8c8e

MALICIOUS

Office (OLE) / .XLSX

142.5 KB Created: 2022-01-19 09:31:16 Authoring application: Microsoft Excel

MD5: a353d520ee0bccb8939aee5dc23d4a2b SHA-1: f25c772bbfd759219b006e5071ade2323f555aa3 SHA-256: 4c3f80d1187f8c8ed466219a7ad4ff851a00a00b84dc6582253fba6415c6f97a

140 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains Excel 4.0 macros, specifically an Auto_Open entry, which is a known technique for executing malicious code. ClamAV detection further confirms its malicious nature, identifying it as an Emotet downloader. The macro sheet is configured to run automatically when the workbook is opened, indicating an intent to download and execute a second-stage payload.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
ClamAV: Doc.Downloader.EmotetExcel01220-9936774-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.EmotetExcel01220-9936774-0
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `592af8991900f2f7058dc7ea90a33320ae293c7e541db4222a7b7f9c04f59d96`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	8469 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.