Emotet Office (OOXML) / .XLSM malware analysis — malicious · f523d942a9175ca6

MALICIOUS

Office (OOXML) / .XLSM

92.0 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 12.0000

MD5: d17b6e44ca41f3aa80b007e4716f2292 SHA-1: f3bf613bfc1dc863126a7ff340bdda1bd9f0c4f1 SHA-256: f523d942a9175ca6305e681dfb2627792b83b18eb0d714da6f04a26772b7faf1

200 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The file is an XLSM document containing VBA macros, specifically a Workbook_Open macro, which is a common delivery mechanism for Emotet. The embedded VBA code, when deobfuscated, reveals commands that download and execute a VBScript payload from multiple URLs. The ClamAV detection name 'Xls.Downloader.EmotetRed02221-9938910-0' further supports the Emotet family attribution. The deobfuscated command line includes the execution of 'c:\programdata\yhjlswle.vbs' and 'c:\programdata\ughldskbhn.bat', indicating a multi-stage download and execution process.

Heuristics 5

ClamAV: Xls.Downloader.EmotetRed02221-9938910-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.EmotetRed02221-9938910-0
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `de7bcbc45ff0a77d05d9af662bacc316e71be11a980e94f6673e556a5dd9d1bc`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	12808 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`vbaProject_00.bin` `740f705c8207ea2e0b04c7afbe2f71f47e3b70f937b9191307e8bcafdbe85bda`	vba-project	OOXML VBA project: xl/vbaProject.bin	37888 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.