Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The file contains Excel 4.0 macros, identified by the OOXML_XLM_MACROSHEET heuristic. These macros are designed to reassemble a payload from split formulas, as indicated by OOXML_XLM_REASSEMBLED_PAYLOAD. The embedded scripts reveal that the macros construct URLs such as 'http://a' and IP addresses like '185.106.123.81', '146.70.81.52', and '111.90.151.223' to download and execute a second-stage payload. ClamAV detection further confirms this as Qbot.
Heuristics (3)
- Excel 4.0 macro sheet (13 sheet(s)) [critical] OOXML_XLM_MACROSHEET: Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- XLM payload reassembled from CHAR()/split formulas [critical] OOXML_XLM_REASSEMBLED_PAYLOAD: An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
- ClamAV: Xls.Downloader.Qbot02221-9940029-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Downloader.Qbot02221-9940029-0
Extracted artifacts (13)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| xlm_sheet_00.bin | 84204085fe85367e7681df4821c9c4e56098f3d7566d83e84edcd3534c70d68a | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 363 bytes |
| xlm_sheet_01.bin | 5b9d6eccf87cd91243b9dd9b96ba0fa47b77daae29fadca7658093960067b6b0 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 973 bytes |
| xlm_sheet_02.bin | 131c5161199b9c9a47ba439afa368ee1d437822a436aaf10c98fcdc1b51ef3bf | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 2248 bytes |
| xlm_sheet_03.bin | 976d457b33af0a3aac205bc14291ff7eb562393aef95313ada3ad67eabfe71bf | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 1701 bytes |
| xlm_sheet_04.bin | 072348fc131c0e5bee07785715ae0e7a54dc95d3736c1b976a0027f5d8c21e83 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin | 645 bytes |
| xlm_sheet_05.bin | 2dfe8d2bb4fab745107b42252269ba3ab98c81e0d91873fb2d042d30c5397c0e | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin | 674 bytes |
| xlm_sheet_06.bin | 94795d25815d5803d636db2a64a1ea6a9b5da2054634958b95b83e9d5c5217c6 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin | 662 bytes |
| xlm_sheet_07.bin | 61afdf368ea4b074b8c84550aa0abf3bef6a81923a1667a1c73970a51122da04 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin | 472 bytes |
| xlm_sheet_08.bin | 2f2216a3a6f26b71c57b0253cacf6fcee0232bf8d3e4d84ff32b9f7686bf1b29 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 783 bytes |
| xlm_sheet_09.bin | 1e59e814dd1c224a949286a84d83604c8d6e7b07e626af89ef9dc3325b45e9f9 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin | 423 bytes |
| xlm_sheet_10.bin | 236b5e769c473d37868940897fb1101fd143ccf3680334512afd22302ed30bf5 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 708 bytes |
| xlm_sheet_11.bin | faed96bcd1f22b6efc8a50fd866a609a46e66f1f3274e931d6a04353ac0f64d2 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 708 bytes |
| xlm_sheet_12.bin | fbd75cdf64faebad45d9a08ba6cd8fc2a92260add16a5db9eba84c9466375801 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.bin | 423 bytes |