Emotet Office (OOXML) / .XLSM malware analysis — malicious · bc03156657496d27

MALICIOUS

Office (OOXML) / .XLSM

5.00 MB Created: 2021-05-12 13:34:12 UTC Authoring application: Microsoft Excel 15.0300

MD5: 917f0f029e0fe98554173314c80c3afd SHA-1: 1f6f87d9b7958893443c1998d6007d279a7451db SHA-256: bc03156657496d27284538ffbade6ede4254bc183af09f28e600ae469c11a9be

270 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell

The sample is an XLSM file containing VBA macros, specifically a Workbook_Open macro that utilizes `CreateObject` and `Wscript.Shell` to execute commands. This behavior is indicative of a downloader, as suggested by the ClamAV detection of 'Doc.Downloader.Emotet-10019767-0'. The script likely downloads and executes a second-stage payload from one of the embedded URLs. The presence of `rundll32.exe` and a DLL name in the heuristic firing further supports the execution of malicious code.

Heuristics 8

ClamAV: Doc.Downloader.Emotet-10019767-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-10019767-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
URL https://premiersejahtera.co.id/images/products/pump/dispensing_pump/thumb/LylF7fwaEP.php
- https://renewandrestore.net/wp-content/plugins/wp-maintenance-mode/includes/classes/6XvPE6GNMcI.php
- https://realsteelcommercialframingllc.com/wp-content/themes/spicepress/css/font-awesome/THP5FuzpRJo2nph.php
- https://egesenel.com/images/ymT5ggSZm.php
- https://kene.xyz/wp-content/plugins/wp-popup-builder/css/fonts/qKbpaRgY3RaBeJ.php
- https://cok.ma/wp-content/plugins/revslider/includes/framework/SI59ulzEhK.php
- https://eastairfiltration.com.au/images/vYppDgV1505cY8Y.php
- https://goging.hr/images/xPXyS8rtOcC.php
- https://libreriajuridicaytecnica.com/wp-content/plugins/woocommerce-services/dist/chunks/24FyBPFqo0t0.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `8ab6caf3e7d01282666d9ea6cf70957e2dd3db98d6ba5394de44bc4f8c8a9422`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	3776473 bytes
`vbaProject_00.bin` `38b8aac769e52deeaeec234e4e91e27321bf7ac3770d6fc559de983ca88d0fed`	vba-project	OOXML VBA project: xl/vbaProject.bin	7449600 bytes
Detection ClamAV: Doc.Downloader.Emotet-10019767-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.