Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 ad451b053de3bb30…

MALICIOUS

Office (OOXML) / .XLSX

4.41 MB
MD5: 863ad8c3b256e1497c414d09c6bddfa7
SHA-1: ec0750b7269c3c1779ef8fbc2da00740ec526e46
SHA-256: ad451b053de3bb30a8daf56429ea46e386465aaf81bd52b2bef04f2c0589a4ba

Risk Score: 276

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer

The file is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-10019767-0, indicating it is a known Emotet downloader. The presence of a Workbook_Open macro and CreateObject calls strongly suggests that the macro is designed to execute a secondary payload. While specific URLs were extracted, they were all confirmed as benign, suggesting the malicious payload is likely fetched from a different, unextracted source or generated dynamically at runtime.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-10019767-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10019767-0
    URLs extracted:
    • http://wish.com
    • https://fonts.googleapis.com/css?family=Lato:400,400i,700,700i
    • http://www.wish.com/c/5f64514464de81003ea2aa2a?utm_campaign=5fd5cb500e0fbc000f5e4df4&uuid=10d64ff83645434990daf4a8ff9ab1e7&cmpgnid=5fd5cb500e0fbc000f5e4df4&ee=v1_AYuvUQJF1AKpA6Kj81kEp6yZi9DZ9BtdanGvzN8z3hJn2nAfnhA1GKRx7qCz8pvBjnzgKuB4WiYbZ8wr6dAiYY&email_section=recommended_cids_2&exzpl=ctp-0&utm_medium=email&utm_source=Wish+Discount&recvuid=5fceddebe65fa800618b9f13&iscommerc=1
    • https://contestimg.wish.com/api/image/fetch?contest_id=5f64514464de81003ea2aa2a&w=440&h=440&m=2
    • http://www.wish.com/c/5f9a62240caa21142700b740?utm_campaign=5fd5cb500e0fbc000f5e4df4&uuid=10d64ff83645434990daf4a8ff9ab1e7&cmpgnid=5fd5cb500e0fbc000f5e4df4&ee=v1_AYuvUQJF1AKpA6Kj81kEp6yZi9DZ9BtdanGvzN8z3hJn2nAfnhA1GKRx7qCz8pvBjnzgKuB4WiYbZ8wr6dAiYY&email_section=recommended_cids_3&exzpl=ctp-0&utm_medium=email&utm_source=Wish+Discount&recvuid=5fceddebe65fa800618b9f13&iscommerc=1
    • https://contestimg.wish.com/api/image/fetch?contest_id=5f9a62240caa21142700b740&w=440&h=440&m=2
    • http://www.wish.com/home?utm_campaign=5fd5cb500e0fbc000f5e4df4&uuid=10d64ff83645434990daf4a8ff9ab1e7&cmpgnid=5fd5cb500e0fbc000f5e4df4&ee=v1_AYuvUQJF1AKpA6Kj81kEp6yZi9DZ9BtdanGvzN8z3hJn2nAfnhA1GKRx7qCz8pvBjnzgKuB4WiYbZ8wr6dAiYY&email_section=shop_now_extra_recs&exzpl=ctp-0&filter=xparam-5fd79e6e801566579fa959e5&utm_medium=email&utm_source=Wish+Discount&recvuid=5fceddebe65fa800618b9f13&iscommerc=1
    • http://www.wish.com/mobile-apps?utm_campaign=5fd5cb500e0fbc000f5e4df4&uuid=10d64ff83645434990daf4a8ff9ab1e7&cmpgnid=5fd5cb500e0fbc000f5e4df4&ee=v1_AYuvUQJF1AKpA6Kj81kEp6yZi9DZ9BtdanGvzN8z3hJn2nAfnhA1GKRx7qCz8pvBjnzgKuB4WiYbZ8wr6dAiYY&email_section=download_apps&exzpl=ctp-0&utm_medium=email&utm_source=Wish+Discount&recvuid=5fceddebe65fa800618b9f13&iscommerc=1
    • http://main.cdn.wish.com/latest/img/email/remix/components/right_arrow_2x.png?v=a0d0f13
    • http://main.cdn.wish.com/latest/img/mobile_download_page/banner_google_equal.png?v=62cb513
    • http://main.cdn.wish.com/latest/img/mobile_download_page/banner_apple_equal.png?v=61ed113
    • http://www.wish.com/invite?utm_campaign=5fd5cb500e0fbc000f5e4df4&uuid=10d64ff83645434990daf4a8ff9ab1e7&cmpgnid=5fd5cb500e0fbc000f5e4df4&ee=v1_AYuvUQJF1AKpA6Kj81kEp6yZi9DZ9BtdanGvzN8z3hJn2nAfnhA1GKRx7qCz8pvBjnzgKuB4WiYbZ8wr6dAiYY&email_section=footer_referral_campaign&exzpl=ctp-0&utm_medium=email&utm_source=Wish+Discount&recvuid=5fceddebe65fa800618b9f13&iscommerc=1
    • https://blog.wish.com/
    • http://main.cdn.wish.com/latest/img/email/remix/wish_blog.png?v=1e69b13
    • https://www.tiktok.com/@wish
    • http://main.cdn.wish.com/latest/img/email/remix/tiktok.png?v=20a8c13
    • https://www.youtube.com/channel/UCS0V-1JLtAV3iihfzHcdhfg
    • http://main.cdn.wish.com/latest/img/email/remix/youtube.png?v=1676313
    • https://m.me/wish?ref=email_footer-uid_5fceddebe65fa800618b9f13
    • http://main.cdn.wish.com/latest/img/email/remix/messenger.png?v=8e86513
    • https://www.facebook.com/wish/
    • http://main.cdn.wish.com/latest/img/email/remix/facebook.png?v=95b5313
    • https://twitter.com/wishshopping
    • http://main.cdn.wish.com/latest/img/email/remix/twitter.png?v=d06ee13
    • https://www.instagram.com/wish/
    • http://main.cdn.wish.com/latest/img/email/remix/instagram.png?v=a741613
    • http://www.wish.com/unsubscribe-email?utm_campaign=5fd5cb500e0fbc000f5e4df4&uuid=10d64ff83645434990daf4a8ff9ab1e7&cmpgnid=5fd5cb500e0fbc000f5e4df4&ee=v1_AYuvUQJF1AKpA6Kj81kEp6yZi9DZ9BtdanGvzN8z3hJn2nAfnhA1GKRx7qCz8pvBjnzgKuB4WiYbZ8wr6dAiYY&email_section=unsubscribe&exzpl=ctp-0&d=v1_2FzhFkoqdeHAd59ANp1kCk97xRF98Tbif1MjPQkBy82hvTp1fqfwc9F2Htqtwbqtdea4uZmB1LmTWMsRToHT456R&no_deep_link=True&utm_medium=email&utm_source=Wish+Discount&action=unsubscribe&recvuid=5fceddebe65fa800618b9f13&iscommerc=1
    • http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
    • http://www.w3.org/1999/xhtml
    • https://esputnik.com/repository/applications/images/blank.gif
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
    URLs extracted: the same list as reported under CLAMAV_DETECTION above.
  • VBA project inside OOXML medium OOXML_VBA
    Malformed OOXML local headers contain vbaProject.bin — VBA macros present
  • Malformed OOXML package with recoverable local headers low OOXML_MALFORMED_ZIP_LOCAL_HEADERS
    The OOXML ZIP central directory is invalid or missing, but local file headers expose a recoverable Office package. This can create parser divergence between tolerant Office/ZIP readers and scanners that rely only on the central directory.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • vbaProject_00.bin
    SHA-256: 21944ebea4bbb594dcd15584e918da36678ea149bc206074c5f86abe72bbade0
    Kind: vba-project
    Source: Malformed OOXML local-header VBA project: xl/vbaProject.bin
    Size: 6378496 bytes
    Detection: ClamAV: Doc.Downloader.Emotet-10019767-0
    Obfuscation or payload: unlikely
  • macros.bas
    SHA-256: 7ff7536f81ad8f41b844fc87d6589195544fddd52838242fb963c3cc2afed83e
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from malformed OOXML local headers)
    Size: 3165290 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved macro source contains an auto-exec entry point and execution/download terms.