Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 792511ea1470befd…

MALICIOUS

Office (OOXML) / .XLSX

1.16 MB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-04-19
MD5: bce20502765af25b342302d353fc5172 SHA-1: 241678863f7f8d9af0a9175803ff75b5b3846e01 SHA-256: 792511ea1470befd948469b51e18803f15054dc6639fb14fbcb8acd68a4b5ce6
260 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The file contains critical heuristics indicating Excel 4.0 macros that reassemble WinAPI strings for downloading and executing payloads. Specifically, the macros construct calls to `URLDownloadToFileA` to download files to `C:\Rfgsg` and then execute them using `regsvr32`. This behavior is strongly associated with the Emotet family, which often uses macro-enabled documents as initial droppers.

Heuristics 5

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
  • ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
91be447cf4ed5b5fa18315c6180ef6d62647686972b570319f960439fe37d717		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject4.bin 3099136 bytes
ooxml_oleobject_00_ole10native_00.bin
a6724425b761391a2288cdb0e402bdc8cf2de9a4e93260c95af92b78344a367e		 ole-package OOXML xl/embeddings/oleObject4.bin Ole10Native stream: Ole10Native 3072068 bytes
emf_00.emf
3f0f6bb70f3d65dcc8d248d78ac320bcc22b1148ea5fdd2c1043065d03460133		 ooxml-emf OOXML EMF part: xl/media/image1.emf 6144552 bytes
xlm_sheet_00.bin
83397e9001624bdedd85e47d3086368ce2232893d46fc419bbd30d9c3ba1953a		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 2021 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.