Emotet Office (OOXML) / .XLSX malware analysis — malicious · 534f993e4231e697

MALICIOUS

Office (OOXML) / .XLSX

1.20 MB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-05-03

MD5: c437087cad4cdb4b4f729ac59c260cb9 SHA-1: 415845b6249139ad4a504de4d3d11848de2a207f SHA-256: 534f993e4231e697e3d36d098ea5a16aa8a2c84867058d43c93dba02234bb18c

120 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file contains critical heuristic firings indicating Excel 4.0 macro sheets, and ClamAV identifies it as Xls.Downloader.Emotet. The embedded Excel 4.0 macros contain URLs that appear to be used for downloading a second-stage payload. Specifically, the macros reference URLs such as 'fastesol.com/GOTOWQcoYbx/Bmnby.png', 'multiconstruction.net/fHUfV7iG/Bmnby.png', and 'psmyanmar.com/nMpEHCcKIwo/Bmnby.png', strongly suggesting a downloader functionality consistent with the Emotet family.

Heuristics 2

Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`emf_00.emf` `39b5bc2fae3ca399c730a72513cf632b197a6280186bf539b67779302baad98a`	ooxml-emf	OOXML EMF part: xl/media/image2.emf	6145428 bytes
`xlm_sheet_00.bin` `a9f868269522898a013d877df811244a7fe65164efad127dc9f4af597e91e4a1`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	1034 bytes
`xlm_sheet_01.bin` `06a3941443f7553c10c77f933201f355688955904dc3fb37b7e7d4d0769fd904`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.bin	3422 bytes
`xlm_sheet_02.bin` `ba2933b2ed60c56d54a4b46781f406bf9d5492b9a63d3e7a62e3a83c1877a9a2`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet3.bin	1340 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.