Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 cf7c160e2a54eb1b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.07 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-04-27
MD5: 6a5ba10d14809c1a8e4b5bf47c681382
SHA-1: 597f9408fdd65dae3f17f5b87e69b5640f989b71
SHA-256: cf7c160e2a54eb1b8b7be65d36482a2e83f9c30426e0074e1054567e979408f3
Risk Score: 200

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Service Execution: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample triggers critical heuristics for an Excel 4.0 (XLM) macro sheet containing WinAPI and download strings, and ClamAV detects it as Emotet. The extracted Excel 4.0 macro sheet contains string fragments that reconstruct to URLs such as 'sferaooptical.com/HLlyJ513zu/Cnhfnvmh.png' and 'duddas.com.br/FMPhmkD9g2wZ/Cnhfnvmh.png', and to local paths such as 'C:\Gae gzsti\Oldfra.ooocxx'. This strongly suggests the macro is built to download a second-stage payload from these URLs to a local path and execute it, a common Emotet delivery technique.

Heuristics (4)

  • Excel 4.0 macro sheet (1 sheet) · severity: critical · OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings · severity: critical · OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 · severity: critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
  • Embedded OLE object · severity: medium · OOXML_OLE_OBJECT
    The document contains an embedded OLE object (see the extracted artifacts below).

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its kind, the part of the sample it came from, its size, and its SHA-256.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object · Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin · Size: 2743296 bytes
    SHA-256: 40c119c61b868c791f8026a508e33e63ca4fac0d7a1c4dc7423000974f221b99
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package · Source: OOXML xl/embeddings/oleObject1.bin, Ole10Native stream: Ole10Native · Size: 2719588 bytes
    SHA-256: 7a7c5913ea54c058e6c966932426a757075833c57d5321b3033161e975cf6aa8
  • emf_00.emf
    Kind: ooxml-emf · Source: OOXML EMF part: xl/media/image2.emf · Size: 5439552 bytes
    SHA-256: 7d56c82264dc501cee3b2f361127c7160d34aa3a6be5f44017eade57c559b1d1
  • xlm_sheet_00.bin
    Kind: xlm-macrosheet · Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin · Size: 2954 bytes
    SHA-256: 60b295ec520cfeea8dabac7bd1a846c8211853edb956cb11145b0ff1b24cc0a3