Qbot — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 356d2a40b4118010…

MALICIOUS

Office (OOXML) / .XLSX

Size: 265.0 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-02-21
MD5: 859a4351140b547a20126ce6405227a1
SHA-1: d0c4191ea64b4991a921c9c4e8bc8c51a4157bb4
SHA-256: 356d2a40b411801099ec995ee7c592937b4e4ad53a0485312263e17ce9bc7cdb
Risk score: 180

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

ClamAV identifies the file with the signature Xls.Downloader.Qbot02221-9940029-0, a Qbot (QakBot) downloader. Independently of that signature, the package contains 13 Excel 4.0 (XLM) macro sheets, nine of them "international" macro sheets (xl/macrosheets/intlsheet*.bin), all stored as binary XLSB parts inside a file whose .xlsx extension implies a macro-free, XML-only workbook. Legitimate modern workbooks rarely contain XLM at all, and the extension mismatch is an evasion rather than an accident, so the macro sheets are assessed as malicious code. In Qbot campaigns XLM macros of this kind fetch and run a second-stage payload; the decoded macro formulas, any download URLs and the dropped payload are not part of this static result. The 2015 creation timestamp is document metadata under the author's control and should not be used to date the campaign; the first-seen date of 2022-02-21 is the reliable anchor.

Heuristics (3)

  • Excel 4.0 macro sheet (13 sheets) [critical] OOXML_XLM_MACROSHEET
    The spreadsheet contains Excel 4.0 (XLM) macro sheets. XLM was a major Office malware vector during 2020-2022: its formulas live in sheet cells rather than in a vbaProject.bin stream, so it evaded many VBA-focused controls until Microsoft disabled XLM macros by default in 2022. Even legitimate XLM use is rare in modern workbooks. Here the macro sheets are stored as XLSB/BIFF12 binary parts, which XML-only OOXML scanners do not inspect.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    The OOXML package is named .xlsx but contains XLSB workbook parts and international Excel 4.0 macro sheets. A legitimately saved .xlsx contains only XML parts and no macro sheets, so the mismatch hides XLM macro execution from scanners that trust the extension or inspect only XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.Qbot02221-9940029-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware with the signature Xls.Downloader.Qbot02221-9940029-0.
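As a practitioner's check for the two structural heuristics above and the summary paragraph, here is an added example (not the analysis platform's code) that enumerates an OOXML package's parts and resolves their types from [Content_Types].xml instead of trusting the file extension or looking only at XML worksheet parts. It reuses the report's heuristic codes OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX for its findings; the intermediate code OOXML_XLSB_IN_XLSX, the XlmTriage and triage_ooxml names, and the two in-memory packages are constructed for this example (their part bodies are placeholders, not real BIFF12 records). The content-type strings are the standard OOXML/XLSB ones, but detection keys on the "macrosheet" substring and the xl/macrosheets/ path so it does not depend on exact strings.

```python
"""Triage an OOXML spreadsheet for XLM macro sheets and XLSB parts hiding behind .xlsx.
Added example; not the analysis platform's code. Package layouts below are constructed."""
from __future__ import annotations

import io
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass, field

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
XLSB_MAIN = "application/vnd.ms-excel.sheet.binary.macroenabled.main"  # compared lower-cased


@dataclass
class XlmTriage:
    filename: str
    workbook_part: str | None = None
    macrosheets: list[str] = field(default_factory=list)         # every XLM macro sheet part
    intl_macrosheets: list[str] = field(default_factory=list)    # "international" macro sheets
    binary_macrosheets: list[str] = field(default_factory=list)  # BIFF12 .bin parts, not XML
    findings: list[tuple[str, str]] = field(default_factory=list)  # (code, message)


def _content_type_lookup(zf: zipfile.ZipFile):
    """Resolver part name -> content type from [Content_Types].xml (Override beats Default)."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    defaults = {e.get("Extension", "").lower(): e.get("ContentType", "").lower()
                for e in root.iter(CT_NS + "Default")}
    overrides = {e.get("PartName", "").lower(): e.get("ContentType", "").lower()
                 for e in root.iter(CT_NS + "Override")}

    def lookup(part: str) -> str:
        low = part.lower()
        if "/" + low in overrides:
            return overrides["/" + low]
        return defaults.get(low.rsplit(".", 1)[-1] if "." in low else "", "")
    return lookup


def triage_ooxml(filename: str, data: bytes) -> XlmTriage:
    """Walk the package parts; never trust the extension or only XML worksheet parts."""
    t = XlmTriage(filename)
    ext = filename.rsplit(".", 1)[-1].lower()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        ctype = _content_type_lookup(zf)
        for part in zf.namelist():
            low, ct = part.lower(), ctype(part)
            if low in ("xl/workbook.xml", "xl/workbook.bin"):
                t.workbook_part = part
            # Key on the macrosheet content type and the xl/macrosheets/ path, not .xml vs .bin.
            if "macrosheet" in ct or low.startswith("xl/macrosheets/"):
                t.macrosheets.append(part)
                if "intl" in ct or low.startswith("xl/macrosheets/intl"):
                    t.intl_macrosheets.append(part)
                if low.endswith(".bin") or (ct and "xml" not in ct):
                    t.binary_macrosheets.append(part)
    wb = t.workbook_part or ""
    xlsb_workbook = wb.lower().endswith(".bin") or ctype(wb) == XLSB_MAIN
    if t.macrosheets:
        t.findings.append(("OOXML_XLM_MACROSHEET",
                           f"{len(t.macrosheets)} Excel 4.0 macro sheet(s): "
                           f"{len(t.intl_macrosheets)} international, "
                           f"{len(t.binary_macrosheets)} stored as BIFF12 binary"))
    if ext == "xlsx" and xlsb_workbook:  # our own code name, not one from the report
        t.findings.append(("OOXML_XLSB_IN_XLSX", "XLSB workbook part inside a .xlsx container"))
    if ext == "xlsx" and t.intl_macrosheets and t.binary_macrosheets:
        t.findings.append(("OOXML_XLSB_INTL_MACROSHEET_IN_XLSX",
                           "binary international XLM macro sheet hidden in a .xlsx"))
    return t


def _build_package(parts: dict[str, bytes | str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


_CT_HEAD = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>')

# Constructed stand-in for the sample's layout: .xlsx name, XLSB workbook, binary XLM parts.
SUSPICIOUS_XLSX = _build_package({
    "[Content_Types].xml": _CT_HEAD
    + '<Default Extension="bin" ContentType="application/vnd.ms-excel.sheet.binary.macroEnabled.main"/>'
    + '<Override PartName="/xl/worksheets/sheet1.bin" ContentType="application/vnd.ms-excel.worksheet"/>'
    + '<Override PartName="/xl/macrosheets/sheet1.bin" ContentType="application/vnd.ms-excel.macrosheet"/>'
    + '<Override PartName="/xl/macrosheets/intlsheet1.bin" ContentType="application/vnd.ms-excel.intlmacrosheet"/>'
    + "</Types>",
    "xl/workbook.bin": b"\x00" * 16,
    "xl/worksheets/sheet1.bin": b"\x00" * 16,
    "xl/macrosheets/sheet1.bin": b"\x00" * 16,
    "xl/macrosheets/intlsheet1.bin": b"\x00" * 16,
})

# Constructed clean workbook: XML parts only, no macro sheets.
CLEAN_XLSX = _build_package({
    "[Content_Types].xml": _CT_HEAD
    + '<Default Extension="xml" ContentType="application/xml"/>'
    + '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
    + '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
    + "</Types>",
    "xl/workbook.xml": b"<workbook/>",
    "xl/worksheets/sheet1.xml": b"<worksheet/>",
})

if __name__ == "__main__":
    for name, blob in (("invoice.xlsx", SUSPICIOUS_XLSX), ("clean.xlsx", CLEAN_XLSX)):
        print(name, triage_ooxml(name, blob).findings or "no XLM indicators")
```

On a real file call triage_ooxml(path.name, open(path, "rb").read()). An .xlsm carrying XML macro sheets triggers only OOXML_XLM_MACROSHEET, while the .xlsx/XLSB combination seen in this sample triggers all three codes. The check only establishes that macro sheets are present: the hidden-sheet flags and the XLM formulas themselves sit inside the BIFF12 records and need a dedicated XLM extractor such as XLMMacroDeobfuscator to decode.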

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Filename          Kind            Source (OOXML XLM macro sheet part)  Size        SHA-256
xlm_sheet_00.bin  xlm-macrosheet  xl/macrosheets/intlsheet1.bin        363 bytes   ea06a8953b3a9ba04d3865efae4d5859773d9bdefc867b3f2871edae162a58a5
xlm_sheet_01.bin  xlm-macrosheet  xl/macrosheets/intlsheet2.bin        792 bytes   8642bb0e181f1edb15b48ea3cfd073523b0d22320da1a021cc7ac775ff2c37f8
xlm_sheet_02.bin  xlm-macrosheet  xl/macrosheets/sheet1.bin            2637 bytes  65625823fdbd66473832fda4bf3634e61ab63ddb9dfad701ab1a98703f3dfa48
xlm_sheet_03.bin  xlm-macrosheet  xl/macrosheets/intlsheet3.bin        1192 bytes  c03172c35f4222986d0f893e530117fe3e65fbbb466e3ce9c78b2d66f57c1bf2
xlm_sheet_04.bin  xlm-macrosheet  xl/macrosheets/intlsheet4.bin        673 bytes   ef1881d622b9d949d1c108f9ca407429b9aba0561e0e2f3ef55d807e75160de4
xlm_sheet_05.bin  xlm-macrosheet  xl/macrosheets/intlsheet5.bin        702 bytes   f5caf48bc59f65c54c5caff7cd3772d19a8bbd25b1a3ff95144fede3829b23ff
xlm_sheet_06.bin  xlm-macrosheet  xl/macrosheets/intlsheet6.bin        826 bytes   0a270391e734c3cab9d718aedb0d3853ac33327b54717f9adea594e464d043d0
xlm_sheet_07.bin  xlm-macrosheet  xl/macrosheets/intlsheet7.bin        552 bytes   5735eea820db93e2d1cc8ac0c5664b6604916e79f5cf07589f20c7c0f7f3f9ae
xlm_sheet_08.bin  xlm-macrosheet  xl/macrosheets/intlsheet8.bin        483 bytes   db67694c3a69d8c5ec6b308472cf4843ce36a58f021fc3dbfb1711f2fd8faef7
xlm_sheet_09.bin  xlm-macrosheet  xl/macrosheets/sheet2.bin            875 bytes   9404b45a3bda56d5d118ae02bb78d0081df90f15d34ff4d8fb5a64e7c9e9cb53
xlm_sheet_10.bin  xlm-macrosheet  xl/macrosheets/sheet3.bin            780 bytes   855aef3f6ebdc2b03750a1539f7610ea13ec551ce449f5e3b99c7190fb41b0f8
xlm_sheet_11.bin  xlm-macrosheet  xl/macrosheets/sheet4.bin            760 bytes   11aa56fa068a4335b670a35a2546a855747d55316f31d03ea70468494c80392b
xlm_sheet_12.bin  xlm-macrosheet  xl/macrosheets/intlsheet9.bin        679 bytes   61dcf4307e1b88bb124a024cf4181495210e853042b5805b040d16b7fb925c75