Emotet — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 562437c3d3c65d35…

MALICIOUS

Office (OLE) / .XLS

73.0 KB Created: 2015-06-05 18:19:34 Authoring application: Microsoft Excel First seen: 2022-05-16
MD5: ef18b9279ae7fd0b0561477880c3ea96 SHA-1: 3c8ba1674b623dd393abb782a10f0b51e6fd7dcc SHA-256: 562437c3d3c65d35ecf7e6cea33e243c1185e0fd33b246026b02c870fd48e4ca
200 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059.001 PowerShell

The file is identified as malicious by ClamAV and exhibits critical heuristic firings for Excel 4.0 macros, specifically an Auto_Open macro that utilizes dangerous functions like RUN. The macro constructs several URLs by concatenating string fragments, which are likely used to download and execute a second-stage payload. The reconstructed URLs are: "http://anguianoss.com/wp-admin/BLMH9Q3bG/", "http://www.ismarttechnologies.com/blogs/LjCTItLtHGBM4S3/", "http://salldemode.com/tgroup.ge/kI1nxjDArzglOLCZk5/", "https://www.bereke-the-ber.com/hatax/JfjLv/", "https://bosny.com/aspnet_client/WXKDqsBEiPvG/", and "https://psjambi.id/about/yJ6C01yO1uR/d/". This behavior is consistent with Emotet's typical download and execution chain.

Heuristics 4

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • ClamAV: Xls.Downloader.Emotet-ea85857e7e81817a-9950241-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Emotet-ea85857e7e81817a-9950241-0
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
9aad8521d90ca7f536d86e805137dbff97d82a2ac842ee968dd491451c1e0d83		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6831 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.