MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The file is an Excel 4.0 macro-enabled spreadsheet. Heuristics indicate the presence of WinAPI and download strings within the XLM macros, specifically mentioning URLDownloadToFileA and ShellExecuteA. The macros are reassembled from CHAR() and split formulas, suggesting a downloader functionality. The ClamAV detection name 'Xls.Dropper.QbotDocu12020-9818439-0' strongly suggests the Qbot family and a dropper role.
Heuristics 4
-
ClamAV: Xls.Dropper.QbotDocu12020-9818439-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.QbotDocu12020-9818439-0
-
Excel 4.0 macro sheet (1 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGSExcel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
-
XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOADAn Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.bin3fd5d57a928c8ba818db7c001502d9473d992f17b434009561c9d63b9b02fe10 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 22574 bytes |
Preview scriptFirst 1,000 lines of the extracted script
� � � @ �������� � h 20 � � � � @ d d � $ � � % �� & � q � < �? q � � % �� & h
$j �B � % �� & j
% $� �D� �B � % �� & *
% �� & :
�F@% �� & ;
�S@% �� & <
@% �� & =
<@% �� & >
@T@% �� & ?
?@% �� & @
Y@% �� & A
W@% �� & B
@V@% �� & C
@% �� & D
N@% �� & E
T@% �� & F
Y@% �� & G
4@% �� & H
Y@% �� & I
�V@% �� & J
�V@% �� & K
D@% �� & Q
\
1@% �� & R
\
@% �� & S
\
% �� & T
\
@ @W O p e n " DU W�DV W� DW W� DX W�B P % �� & U
\
@ *W O DU Y�DU Z� Ao Y @ Z "@% �� & V
\
@ 2W p DV X�DV Y� DV Z� Ao X @ Y 4@ Z @% �� & W
\
2W o DW X�DW Y� DW Z� Ao X �? Y �? Z �? \ % �� & X
\
�? 2W n DX X�DX Y� DX Z� Ao X $@ Y $@ Z $@ \ % �� & Y
\
\ % �� & Z
\
I@ \ % �� & [
\
0@ \ % �� & \
\
�? \ % �� & ]
\
.@ \ % �� & ^
\ \ % �� & _
\ \ % �� & ` \ \ \ % �� & a \ \ \ % �� & b \ \ \ % �� & c \ \ \ % �� & d \ \ \ % �� & e \ \ \ % �� & f \ \ \ % �� & g \ \ \ % �� & h \ \ \ % �� & i \ \ \ % �� & j \ \ \ % �� & k \ \ \ % �� & l \ \ \ % �� & m \ \ \ % �� & n \ \ \ % �� & o \ \ \ % �� & p \ \ \ % �� & q \ \ \ % �� & r \ \ \ % �� & s \ \ \ % �� & t \ \ \ % �� & u \ \ \ % �� & � a a a % �� & � a a a % �� & � a a a % �� & � a a a % �� & �
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.