Emotet — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 a203728211bbed3c…

MALICIOUS

Office (OLE) / .XLS

71.0 KB Created: 2022-01-20 19:00:43 Authoring application: Microsoft Excel
MD5: d86819b35c3520d8d352bc596652dd78 SHA-1: 4be60803a0d343285472caa91686c722be008832 SHA-256: a203728211bbed3c28d36190068db7249c40d520ec56121989e3fd4e41fced87
140 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.005 Visual Basic T1059.001 PowerShell

The critical heuristic OLE_XLM_AUTOOPEN_DEFINEDNAME indicates the presence of an Excel 4.0 Auto_Open macro, which is a common initial access vector for Emotet. The ClamAV detection further supports the Emotet family attribution. The macro sheet is designed to execute malicious code automatically when the workbook is opened, likely serving as a downloader for further payloads.

Heuristics 3

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • ClamAV: Doc.Downloader.EmotetExcel01220-9937164-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.EmotetExcel01220-9937164-0
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
7f1f89a8b36a750dced08313a4e4f056192a6eac7194357c673dbbd2670a1a18		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 4219 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.