Emotet — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 f04edb8c32977dd0…

MALICIOUS

Office (OLE) / .XLS

Size: 101.0 KB
Created: 2022-04-01 07:14:19
Authoring application: Microsoft Excel
First seen: 2022-04-21
MD5: b0e30b3f087eb67213349c0677c27b8b
SHA-1: 98a8a59c7948b33c5fe31a765fb781e05f5a5753
SHA-256: f04edb8c32977dd0aaaa8601f85c299f68566257f9bcf6bbcaa2a2e49905c548
Risk score: 200

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristics indicate the presence of Excel 4.0 (XLM) macros that use dangerous functions, specifically the 'RUN' function, and ClamAV identifies the file as 'Xls.Downloader.Emotet'. The macro code reconstructs multiple URLs and a Windows system path at run time, which is consistent with downloader functionality. The reconstructed URLs are: "http://dlfreight.com/wp-includes/zLuZdtVkoriGaRE/", "http://hadramout21.com/jetpack-temp/KjOqTnCwVbrz8w/", "http://groupesth.com/wp-admin/2hhcMwfoG0aRi1t/", "http://dataline.com/aspnet_client/56LwAJvY/", and "http://greycocunut.com/edm/0ywf2bF/". The macro also attempts to execute 'regsvsr32.exe' from the 'windows\SystemW64\' directory, most likely to load and execute a second-stage payload fetched from one of those URLs.

Heuristics (4)

  • Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN)
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with dangerous XLM formula APIs that can invoke programs, write files, or transfer control without any VBA.
  • ClamAV: Xls.Downloader.Emotet-b2cbc93e36c0c13e-9950560-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Emotet-b2cbc93e36c0c13e-9950560-0
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: xlm_macros.txt
    SHA-256: 66a420ef679e9f3d020a70001f9e809f7b557357f1c23d3c5d6bcd0b0973a144
    Kind: xlm-macro
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    Size: 7055 bytes