Emotet — Office (OLE) / .XLSX malware analysis

Static analysis result for SHA-256 ce8ed57f03c2c373…

MALICIOUS

Office (OLE) / .XLSX

70.9 KB Created: 2022-01-20 19:00:43 Authoring application: Microsoft Excel
MD5: 7dc4bec2754fc93fdfb3ec9e4364e118 SHA-1: b7b66db7b3f387292a82d4b701eb3a9a60799b3d SHA-256: ce8ed57f03c2c3733b81f29e38332753051c9d5917d62760190dbc6b9dcebf45
140 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open entry, a common technique for malware execution. ClamAV detection further confirms its malicious nature, specifically identifying it as an Emotet downloader variant. The macro sheet itself contains numerous LABELSST entries, suggesting complex macro logic, likely for obfuscation or payload delivery.

Heuristics 3

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • ClamAV: Doc.Downloader.EmotetExcel01220-9937164-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.EmotetExcel01220-9937164-0
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
7f1f89a8b36a750dced08313a4e4f056192a6eac7194357c673dbbd2670a1a18		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 4219 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.