Emotet Office (OOXML) / .XLSX malware analysis — malicious · e85c3d74bd674383

MALICIOUS

Office (OOXML) / .XLSX

1.20 MB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-05-03

MD5: 0809f8136b39b711f8d8abe773600be0 SHA-1: de27b4d48a1e49126defb438e0e20b7f2b4a090b SHA-256: e85c3d74bd674383230c752ba6cdfbd49ce03e324c59ee72813211bfd8cd90d3

120 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file contains Excel 4.0 macros, as indicated by the 'OOXML_XLM_MACROSHEET' heuristic. The ClamAV detection 'Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0' strongly suggests the Emotet family. The macros appear to be designed to download a payload from URLs such as 'lize.com/mJYvpo2xhx/Ophn.png' and 'com.mx/S3sY8RQ10/Ophn.png'. Additionally, paths like 'C:\Yerto\Narost\Beunse.oooooooooxxxxxxxx' are present, potentially indicating dropped files or staging locations.

Heuristics 2

Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`emf_00.emf` `39b5bc2fae3ca399c730a72513cf632b197a6280186bf539b67779302baad98a`	ooxml-emf	OOXML EMF part: xl/media/image2.emf	6145428 bytes
`xlm_sheet_00.bin` `7e295c94c3c1bf9df08f2b41ce75aac9c0cb16a4af1b25a9813f98273f69e0b1`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	1214 bytes
`xlm_sheet_01.bin` `bd692be10c10dace410f6487b89f2810d6dea07bb3c883ac05ff8e2ed023318a`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.bin	2492 bytes
`xlm_sheet_02.bin` `5c96c59c64a0ef3ce4809143abd5fe78bceb89408d53154ced5a5c4bb664f87f`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet3.bin	1090 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.