Emotet — Office (OOXML) / .XLSX malware analysis

Heuristics 8

• Shell() call in VBA critical OLE_VBA_SHELL
  Shell() call in VBA
• ClamAV: Doc.Downloader.Emotet-10019767-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Downloader.Emotet-10019767-0
• ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
  ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
• Workbook_Open macro high OLE_VBA_WBOPEN
  Workbook_Open macro
• CreateObject call high OLE_VBA_CREATEOBJ
  CreateObject call
• VBA project inside OOXML medium OOXML_VBA
  Document contains vbaProject.bin — VBA macros present
• Environ() call (env variable access) low OLE_VBA_ENVIRON
  Environ() call (env variable access)
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
  URL https://akselhortum.com/UserFiles/urunler/sel-hortumlari/bezli-su-hortumlari/T7Rlgivlnw7.phptq

  • https://on-theweb.com/highlinetrail/2wUjN8d0D.phpP+Gcow6z;/P
  • https://atozcomputers.ie/blog/wp-content/uploads/2016/08/2kSSfoVcaBE.php|wldgiq5w
  • https://congxepsaigon.net/wp-content/themes/twentynineteen/sass/blocks/cMRovqbpE.php
  • https://hotel.aims.org.ng/yX5roDTNU.php$!B3-

Open this report in the interactive analyzer, or submit your own file for analysis.