Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 608123ae1ac67726…

MALICIOUS

Office (OOXML) / .XLSX

1.07 MB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-04-28
MD5: e3823f256e92703645f7f4d73ade404b SHA-1: c9ebd4234e96ff1d2a0a0fe09b1d40d8a444e10a SHA-256: 608123ae1ac67726ef33a5bdbd638c9cd5981045cb851f9f91193e163fef622a
260 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Excel file containing Excel 4.0 macros, identified by critical heuristics. These macros contain strings related to WinAPI functions like 'Kernel32' and 'CreateDirectoryA', and also 'regsvr32'. The macros appear to be reassembled from split formulas and CHAR() functions, indicating a downloader. The extracted URLs, 'sferaooptical.com/HLlyJ513zu/Cnhfnvmh.png' and 'duddas.com.br/FMPhmkD9g2wZ/Cnhfnvmh.png', are likely sources for the second-stage payload. ClamAV detection confirms this as Emotet.

Heuristics 5

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
  • ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
40c119c61b868c791f8026a508e33e63ca4fac0d7a1c4dc7423000974f221b99		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 2743296 bytes
ooxml_oleobject_00_ole10native_00.bin
7a7c5913ea54c058e6c966932426a757075833c57d5321b3033161e975cf6aa8		 ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 2719588 bytes
emf_00.emf
7d56c82264dc501cee3b2f361127c7160d34aa3a6be5f44017eade57c559b1d1		 ooxml-emf OOXML EMF part: xl/media/image2.emf 5439552 bytes
xlm_sheet_00.bin
60b295ec520cfeea8dabac7bd1a846c8211853edb956cb11145b0ff1b24cc0a3		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 2954 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.