Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 58e3687a460faf09…

MALICIOUS

Office (OOXML) / .XLSX

1.07 MB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-04-28
MD5: 24105c234d1cbffce842eac674caaf99 SHA-1: f04e6b6fc34e9fffa4ea42ee494e795e8c491c9b SHA-256: 58e3687a460faf0976309ef8fb32ca90e3e87eac638808eb6a40848acbb21544
200 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Service Execution: Service Execution T1059.001 PowerShell: PowerShell T1105 Ingress Tool Transfer

The file contains Excel 4.0 macros, a known delivery mechanism for Emotet. The macros contain strings that indicate WinAPI calls for directory creation and execution, along with URLs that likely host second-stage payloads. Specifically, the macro attempts to download files from 'sferaopitical.com/HLlyJ513zu/Cnhfnvmh.png' and 'duddas.com.br/FMPhmkD9g2wZ/Cnhfnvmh.png' and save them to paths like 'C:\Gae gzsti\Oldfra.ooocxx'. The presence of 'regsvr32' suggests further execution of downloaded content.

Heuristics 4

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
40c119c61b868c791f8026a508e33e63ca4fac0d7a1c4dc7423000974f221b99		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject5.bin 2743296 bytes
ooxml_oleobject_00_ole10native_00.bin
7a7c5913ea54c058e6c966932426a757075833c57d5321b3033161e975cf6aa8		 ole-package OOXML xl/embeddings/oleObject5.bin Ole10Native stream: Ole10Native 2719588 bytes
emf_00.emf
7d56c82264dc501cee3b2f361127c7160d34aa3a6be5f44017eade57c559b1d1		 ooxml-emf OOXML EMF part: xl/media/image2.emf 5439552 bytes
xlm_sheet_00.bin
60b295ec520cfeea8dabac7bd1a846c8211853edb956cb11145b0ff1b24cc0a3		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 2954 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.