Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 c17c6c51fb35db72…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.04 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-05-10
MD5: 5579c7410723101f760101ff015200d0
SHA-1: f123e46cb194ceb8dd3b5452d1790eca31a7f08b
SHA-256: c17c6c51fb35db72a4f7f72956402f9ef2efedfb3c1ad23795207d071c2f5687
Risk score: 120

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1204.002 User Execution: Malicious File
  T1105 Ingress Tool Transfer

The file is identified as malicious by ClamAV with a detection name strongly suggesting Emotet. Heuristics indicate the presence of Excel 4.0 macro sheets, which are known to be used for malicious purposes. The macro content appears to construct commands for downloading and executing payloads, specifically referencing 'URLDownloadToFileA' and 'regsvr32', and includes a hardcoded 'HTTPS://' prefix, indicating a downloader functionality.

Heuristics (2)

  • Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                      Size
emf_00.emf        ooxml-emf       OOXML EMF part: xl/media/image2.emf         2138392 bytes
    SHA-256: 99c4051e1dcf13ece091a534e7cb4ea22730b13002bd6393892ee2556ab53299
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin  516 bytes
    SHA-256: c1e642538a0307d087bb3c04d384ede6e7553aaf0a8fd4527681478388dff16d
xlm_sheet_01.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet2.bin  2918 bytes
    SHA-256: 8d52788dbd8a1e66cfdacabc0ea6572269204a00b2fab4c349de9f68f06b385f
xlm_sheet_02.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet3.bin  1381 bytes
    SHA-256: 439bd931cf9465d52b43e94de7742790266c99ab4ff9835b3666d249c6c6be44