Qbot — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 1382e72bc2cda641…

MALICIOUS

Office (OOXML) / .XLSX

Size: 117.7 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-11
MD5: a1054dfe69e53cf20c3d013d713a653e
SHA-1: 7fd5685cc1670f041a016ce34cbcb28b31e5eb44
SHA-256: 1382e72bc2cda641ebbafbcecbc4631b9639997077944ead40d3204cb608f472
Risk score: 180

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The file is an Excel spreadsheet containing multiple Excel 4.0 macro sheets. Heuristics indicate that these macros are used to reassemble a payload and download content from a URL. The ClamAV signature also explicitly identifies the file as a Qbot downloader. The embedded scripts contain functions like 'UrlMon' and 'Directory' which are consistent with downloading and executing payloads.

Heuristics (3)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (12 sheets)
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • [critical] OOXML_XLM_REASSEMBLED_PAYLOAD: XLM payload reassembled from CHAR()/split formulas
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
  • [critical] CLAMAV_DETECTION: ClamAV: Xls.Downloader.Qbot03220-9942292-0
    ClamAV detected this file as malware: Xls.Downloader.Qbot03220-9942292-0

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                                Size        SHA-256
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin  982 bytes   294ede1542984d5f1f1263eb2584ef46b448bf7a8e6abbc440c8793d2e7cce4d
xlm_sheet_01.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet3.bin      703 bytes   48bcefb726800818b1ec3e8999648ef3c55cc38ed66e64f1bb4bad2c23d422ea
xlm_sheet_02.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin      2997 bytes  50d38e242c72bf920d3068e936450ddb6fbc05047ff6e164d1c2c79a64f657d4
xlm_sheet_03.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin  1338 bytes  bbb7975ab842022f0808c427ff1955d2a286bc5cb79a524818fd581fb299575b
xlm_sheet_04.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin  777 bytes   2e92e3a57797ef82ce6293b25ad566ac5e7e3bb3d90bb360be34a9e9221ac984
xlm_sheet_05.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet4.bin      703 bytes   543b5f79d431605307d5ececf494efed92231b068c373c20f73e66e17797fcc9
xlm_sheet_06.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin  777 bytes   396f335f40b1eb504c6acdaa0658a74c667d073a82ebf346bd3835f0315031d5
xlm_sheet_07.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin  562 bytes   d48d79067fcc74f9318a7436081374c5155baef7586e62262e4c36e1d25d05bf
xlm_sheet_08.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin  393 bytes   f3beeaf0a81a225db880c06f58619567ae2efd6e35a2ec1cd93cf27a4e123695
xlm_sheet_09.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin  442 bytes   c5c1c7d7ce3444c8fad5b636765e9e57d733d3ac6fcc74100306e91072c0f361
xlm_sheet_10.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet2.bin      763 bytes   b956b926bf4f010b2889988755963f4271011fc7e55855977ead7a34320d13bb
xlm_sheet_11.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin  393 bytes   38e7918b13a0d2ecf92d19ee736358e49e1ef3ef1764d18c9774dfedaa0d81f2