Emotet Office (OLE) / .XLSX malware analysis — malicious · 81e9d87903290e4a

MALICIOUS

Office (OLE) / .XLSX

121.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: d82018c31be4029fea140b8db8b78e05 SHA-1: 0cf7c5403e073877d522d26e203934449ba71cd1 SHA-256: 81e9d87903290e4a525beb865f5cccca9838bdd51238dc4fd0b9ae623bf609bb

240 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Workbook_Open event, which is a common technique for Emotet. The macros reference Windows Script Host and attempt to execute obfuscated commands from the document body. These commands appear to download and execute files from multiple URLs, suggesting a downloader functionality. The ClamAV detection also strongly indicates Emotet.

Heuristics 6

ClamAV: Xls.Downloader.Emotet-ab81c42b2bd4747e-9951196-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet-ab81c42b2bd4747e-9951196-0
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `faf50200d5a9adeeda00cc1da1bbf8f6abf0317a1e97a58db8ae804ba12ba446`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	13985 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.