Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 57f264abfb7e4b29…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.20 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-04-28
MD5: 0a19d7a06a25dc393f77bf58e16d86d9
SHA-1: 8ab3df86e467cdb61676f21e311cb072283d9145
SHA-256: 57f264abfb7e4b29efc7c178a5c64097f27f6067ef8e28879d8f7a5997582d97
Risk Score: 200

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Service Execution: Service Utility
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer

The sample contains critical Excel 4.0 macros, including strings related to WinAPI functions like CreateDirectoryA and Kernel32. The macros appear to be designed to create directories and potentially download and execute additional payloads, as indicated by the ClamAV detection name 'Xls.Downloader.Emotet-OOXML_XL'. The reconstructed paths suggest an attempt to drop files in a specific directory. The presence of an embedded OLE object further supports a malicious downloader role.

Heuristics (4)

  • Excel 4.0 macro sheet (1 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings [critical] OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 4bad71bbe5a530a4ecb623fd5daea8cac187a6dc6f61565c470ee7261327c19f
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
  Size: 2706944 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 908a9061823bfb3e7f9f6928ed4da796b96e6132468adee38685b01e1078a8c7
  Kind: ole-package
  Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
  Size: 2683300 bytes

Filename: emf_00.emf
  SHA-256: 33c042ac8babe18b25e94413a9c9fb98a54bbce22a09d1e6fd07f6be12b2b5ec
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 5367000 bytes

Filename: xlm_sheet_00.bin
  SHA-256: 87833ac5dd31547f952341facc430f1957f03f6a8fc0ad92753af33aeaac7613
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
  Size: 2427 bytes