Emotet Office (OOXML) / .XLSX malware analysis — malicious · 6547a7982fb2f07e

MALICIOUS

Office (OOXML) / .XLSX

135.6 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300

MD5: 98508480a50f229324042e665c07aa1f SHA-1: db70936818890336480135b3e7083ec78fb734fc SHA-256: 6547a7982fb2f07ed961a492bd0181e8192af0b76abd6aa295121b43f1cc3b99

120 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and contains Excel 4.0 macros, a common technique for Emotet. The macros are likely responsible for downloading and executing a secondary payload, as indicated by the heuristic firings and the presence of macro sheet data. The specific macro sheet file is provided as an IOC.

Heuristics 2

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `503cc5255e3893c37771adee7e13daba46e5b4071e56a514ef4cc61cc6d637cd`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin	1769 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.