Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 5e73e8c9b885e1d0…

MALICIOUS

Office (OOXML) / .XLSX

Size: 135.6 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: d757af1d4e8cae5d7aa5fb03fd2b03e5
SHA-1: 669e51112dd4fe4656d56234ef0858030c644f59
SHA-256: 5e73e8c9b885e1d052cbc46c1e8c94c9fe70b0b507450333ceaef3841624bf76
Risk score: 120

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

ClamAV detected the file as malicious with the signature 'Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0', classifying it as an Emotet downloader. Static analysis found one Excel 4.0 (XLM) macro sheet, stored as a binary part (xl/macrosheets/intlsheet1.bin) inside the OOXML container; Emotet's XLM droppers use such sheets to download and execute the next stage. The embedded macro sheet is the primary indicator of malicious behaviour. Note that the document's creation timestamp (2015-06-05) predates the 2020-2022 XLM campaigns described below: Office metadata is attacker-controlled and should not be relied on to date the sample.

Heuristics (2)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (1 sheet)
    The spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults; even legitimate XLM use is rare in modern workbooks. Here the macro sheet is stored as XLSB/BIFF12 binary content (a .bin part rather than XML), which XML-only OOXML scanners miss.
  • [critical] CLAMAV_DETECTION: ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
    ClamAV detected this file as malware with the signature above.
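The OOXML_XLM_MACROSHEET heuristic above boils down to a container check: walk the zip, read [Content_Types].xml, and flag any part declared or placed as a macro sheet, including the BIFF12 .bin form that XML-only scanners skip. The script below is an added example written for this page, not the analyzer's own code. It also reports two workbook-level indicators that usually accompany XLM droppers (an _xlnm.Auto_Open defined name and hidden or veryHidden sheets). The workbook it builds in make_sample() is constructed test data: the .bin part is filler bytes, not the macro sheet carved from the analysed file, and the content-type strings for binary macro sheets are the ones used by XLSB packages as far as the author knows; path matching is kept as a fallback so the check does not depend on them.

```python
"""Detect Excel 4.0 (XLM) macro sheets inside an OOXML (zip) container.

Added example, not the analyzer's code. Matches macro sheet parts by declared
content type and by path, so both xl/macrosheets/sheet1.xml and the binary
xl/macrosheets/intlsheet1.bin layout seen in the sample are caught.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def _content_types(zf):
    """Map part name (e.g. 'xl/macrosheets/intlsheet1.bin') -> declared content type."""
    types = {}
    try:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    except (KeyError, ET.ParseError):
        return types
    for ov in root.iter(f"{{{CT_NS}}}Override"):
        types[ov.get("PartName", "").lstrip("/")] = ov.get("ContentType", "")
    return types


def scan_ooxml_for_xlm(data: bytes) -> dict:
    """Return XLM-related indicators found in an OOXML package given as bytes."""
    result = {"macrosheets": [], "binary_macrosheets": [], "auto_open": False, "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        types = _content_types(zf)
        for name in zf.namelist():
            ctype = types.get(name, "").lower()
            # Content type first, conventional path second: a part that dodges one
            # check is still caught by the other.
            if "macrosheet" in ctype or name.lower().startswith("xl/macrosheets/"):
                result["macrosheets"].append(name)
                # XLSB/BIFF12 parts are .bin and their content type has no "+xml" suffix.
                if name.lower().endswith(".bin") or (ctype and not ctype.endswith("+xml")):
                    result["binary_macrosheets"].append(name)
        # Workbook-level indicators; only readable when workbook.xml itself is XML.
        try:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
        except (KeyError, ET.ParseError):
            return result
        for dn in wb.iter(f"{{{MAIN_NS}}}definedName"):
            # _xlnm.Auto_Open makes Excel run the named cell on open: the usual XLM entry point.
            if (dn.get("name") or "").lower() == "_xlnm.auto_open":
                result["auto_open"] = True
        for sh in wb.iter(f"{{{MAIN_NS}}}sheet"):
            if sh.get("state") in ("hidden", "veryHidden"):
                result["hidden_sheets"].append(sh.get("name"))
    return result


def triage(report: dict) -> list:
    """Turn the scan result into a list of reason tags for escalation."""
    reasons = []
    if report["macrosheets"]:
        reasons.append("xlm-macrosheet")
    if report["binary_macrosheets"]:
        reasons.append("xlm-binary-part")
    if report["auto_open"]:
        reasons.append("auto-open")
    if report["hidden_sheets"]:
        reasons.append("hidden-sheet")
    return reasons


def make_sample(malicious: bool = True) -> bytes:
    """Build a minimal OOXML zip in memory. Constructed test data, not the real sample."""
    ct = (
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
        '<Override PartName="/xl/worksheets/sheet1.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
    )
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    names = ""
    if malicious:
        # Binary international macro sheet part, mirroring the analysed sample's layout.
        ct += ('<Override PartName="/xl/macrosheets/intlsheet1.bin" '
               'ContentType="application/vnd.ms-excel.intlmacrosheet"/>')
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        names = ('<definedNames><definedName name="_xlnm.Auto_Open">'
                 'Macro1!$A$1</definedName></definedNames>')
    ct += "</Types>"
    wb = (f'<workbook xmlns="{MAIN_NS}" '
          'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
          f'<sheets>{sheets}</sheets>{names}</workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", wb)
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{MAIN_NS}"/>')
        if malicious:
            zf.writestr("xl/macrosheets/intlsheet1.bin", b"\x00" * 64)  # filler, not real BIFF12
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(scan_ooxml_for_xlm(make_sample())))
```

Run against a real file with scan_ooxml_for_xlm(open(path, "rb").read()). The content-type match is the primary signal because a .xlsx-style container may carry binary parts under any name; the path check only adds coverage for packages whose [Content_Types].xml is missing or damaged. When workbook.xml is itself a BIFF12 workbook.bin, the Auto_Open and hidden-sheet checks return nothing and the macro sheet finding alone should still escalate.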

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256:  503cc5255e3893c37771adee7e13daba46e5b4071e56a514ef4cc61cc6d637cd
Kind:     xlm-macrosheet
Source:   OOXML XLM macro sheet, part xl/macrosheets/intlsheet1.bin
Size:     1769 bytes