Emotet Office (OLE) / .XLSX malware analysis — malicious · 6acc2334b5f76788

MALICIOUS

Office (OLE) / .XLSX

121.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: c1b3970b1a97a1bf2651910efe468668 SHA-1: 08dc0fb485195ff0c6e37f8642aec3e044aed0f2 SHA-256: 6acc2334b5f7678871bb99b5c9635391de01e78a96115ccb74fad2008d6462c3

240 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Excel file containing a Workbook_Open VBA macro that utilizes CreateObject to execute a VBScript payload. The VBScript payload, obfuscated within the document body, appears to download and execute additional malware from multiple URLs. The ClamAV detection and heuristic firings strongly indicate this is an Emotet downloader.

Heuristics 6

ClamAV: Xls.Downloader.Emotet-ab81c42b2bd4747e-9951196-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet-ab81c42b2bd4747e-9951196-0
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `faf50200d5a9adeeda00cc1da1bbf8f6abf0317a1e97a58db8ae804ba12ba446`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	13985 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.