Emotet Office (OOXML) / .XLSM malware analysis — malicious · d0a4f5b02f169055

MALICIOUS

Office (OOXML) / .XLSM

46.5 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-03-02

MD5: 5ae705ad4a1aefe4bb12645c3dc13735 SHA-1: 443dff52ae1209eb566bc8576a89606cbbb79684 SHA-256: d0a4f5b02f1690554ff4a8231ec1307111c1e993a1fe8dcf0ea648b622ca1f0c

250 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Service Execution: Visual Basic T1059.001 Command and Scripting Interpreter: PowerShell T1204.002 Malicious File: User Execution: Malicious File T1105 Ingress Tool Transfer

The file is an XLSM document containing Excel 4.0 macros, which is a known delivery mechanism for Emotet. The macros utilize dangerous XLM formula APIs to download a payload from one of the provided URLs. Specifically, the script reconstructs the command 'regsvr32.exe' and concatenates it with a URL to download and execute a second-stage payload. The presence of multiple suspicious URLs and the ClamAV detection further support this assessment.

Heuristics 6

Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FORMULA critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
ClamAV: Xls.Downloader.Emotet03220-9940726-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet03220-9940726-0
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 5 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://gymsportive.com/0zwe/pSiUh/
- http://praachichemfood.com/old-files==-/vo68ZI/
- http://danialteb.com/wp-admin/NqRYgwPERRPoTs/
- http://curtistreeclimbing.com/css/2oFtx1t5P8qcVKnCl/
- http://totalplaytuxtla.com/sitio/IduhreKcPbD/
- http://skanev.com/wp-content/AT5Doj207guJES0BMk/
- http://schemas.openxmlformats.org/spreadsheetml/2006/main
- http://schemas.microsoft.com/office/excel/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
- http://schemas.microsoft.com/office/spreadsheetml/2014/revision
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml` `c2beed76b90707ab99d3556b095847fbe67565665bab2978d4d40d1b769c68e7`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml	4017 bytes
`xlm_sheet_01.xml` `3f1e04bcb932a0d7a0ca09ad6e05d398d7a144c4cda86314010c0ec3e9f94573`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	1278 bytes
`xlm_sheet_02.xml` `3877aa64e871d2d6fcc766f5b3af64ba0d301f656023d2e6e43652b8210d827c`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.xml	1152 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.