Emotet Office (OOXML) / .XLSM malware analysis — malicious · 61ad9b2b8c9707a1

MALICIOUS

Office (OOXML) / .XLSM

50.9 KB Created: 2022-03-30 21:24:25 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-03-31

MD5: 6c487e69acb628fd9ab6b0d52e6e3d67 SHA-1: f7456392c27c97d83ef34b2e9960aed19741d2fe SHA-256: 61ad9b2b8c9707a14412bf30d2e17c11d75dd548e841d9b4eb6299ca1e0456d5

298 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1218.010 System Binary Proxy Execution: Regsvr32

The file is an XLSM document containing Excel 4.0 macros, which is a strong indicator of malicious intent. The macros utilize dangerous functions like FORMULA to construct and execute commands. Specifically, it appears to be downloading a DLL payload from one of the embedded URLs and executing it using regsvr32.exe, a technique commonly associated with Emotet. The presence of multiple suspicious URLs and the use of regsvr32.exe for execution are high-priority indicators.

Heuristics 8

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FORMULA critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
ClamAV: Xls.Downloader.Emotet04220-9942583-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet04220-9942583-0
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
External hyperlinks (3) low OOXML_EXTERNAL_HYPERLINKS

Document contains 3 external hyperlinks — clickable URLs are stored as external relationships. First target: https://rumkeke.com/wp-admin/A8/","
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 7 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/
- http://hoatuoiso1.com/replace/fVea/
- http://www.grandfurniture.com/thegrandbrands/eGd55tEm9qkPNOhViP/
- https://rumkeke.com/wp-admin/A8/
- https://www.restaurantgaig.com/wp-includes/HLDoANj/
- http://www.hiway91.com/wp-content/Y/
- http://schemas.openxmlformats.org/spreadsheetml/2006/main
- http://schemas.microsoft.com/office/excel/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml` `2ef95bf166dbf14d5280e19f3c7c81a3e8bfde62220401b1871bb39e3fb952d3`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml	3358 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.