Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 660165426dc4ee3a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 265.4 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-04
MD5: f65cc65a384ea77166ead90b08b5bc12
SHA-1: 8154178fb6b2b637db657e74af8003368f8ab7cd
SHA-256: 660165426dc4ee3a77c758448975e463bc9ba4e20c6633b102315b00cb121722
Risk score: 120

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The file is identified as malicious by ClamAV with a signature indicating it is an Emotet downloader. Static analysis revealed the presence of Excel 4.0 macro sheets, which are commonly used to execute malicious code. These macros likely download and execute a second-stage payload, a common tactic for Emotet.

Heuristics (2)

  • Excel 4.0 macro sheet (2 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
  SHA-256: 8d78e3769a11eef4b2c4a158d2a2f1c80660c84731a73485287bd3b77bd9b271
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
  Size: 428 bytes

Filename: xlm_sheet_01.bin
  SHA-256: 8fec2b59edbe1b82d57b1b38e6c2c35c0451df8c1af0f9dd215fdcda31ac5da2
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/sheet2.bin
  Size: 428 bytes