Emotet — Office (OLE) / .XLSX malware analysis

Static analysis result for SHA-256 e1727c3aaa854ddf…

MALICIOUS

Office (OLE) / .XLSX

141.2 KB Created: 2022-01-18 14:11:14 Authoring application: Microsoft Excel
MD5: 1ad193eef2bdd45d87c564dbb1f6d560 SHA-1: 685b08e24c95c8af72e13f62df3f7859203cb3ae SHA-256: e1727c3aaa854ddf777f23d7783fa1a77d690ca625cfa0e70fa04bc42110728e
140 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open entry, a common technique for Emotet. ClamAV also specifically detected this as an Emotet downloader variant. The macro sheet is designed to execute automatically when the workbook is opened, facilitating the download of additional malicious content.

Heuristics 3

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • ClamAV: Doc.Downloader.EmotetExcel01220-9936774-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.EmotetExcel01220-9936774-0
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
c355a4e8b51815f97cf3e202ab7d47ce16f5f701c419b0e7a11ef751a8ea709e		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 3661 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.