Emotet Office (OLE) / .XLSX malware analysis — malicious · 630de09694e2ecbe

MALICIOUS

Office (OLE) / .XLSX

121.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: cc5ca8665e7d709a5299c59b64b4e4ce SHA-1: dc83ce331c7f6e6bdc1f9453835a739fdc351015 SHA-256: 630de09694e2ecbec5181a440a8971f7c8fcbef21f0c5796d890b6b7e85d8b46

240 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Xls.Downloader.Emotet-ab81c42b2bd4747e-9951196-0. The Workbook_Open VBA macro is designed to execute a batch file and a VBScript, which in turn appear to download payloads from multiple URLs. The macro also uses CreateObject to interact with Wscript.Shell and RDS.DataSpace, indicating execution of external commands and potentially remote data access.

Heuristics 6

ClamAV: Xls.Downloader.Emotet-ab81c42b2bd4747e-9951196-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet-ab81c42b2bd4747e-9951196-0
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `faf50200d5a9adeeda00cc1da1bbf8f6abf0317a1e97a58db8ae804ba12ba446`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	13985 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.