Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3821f968e3c1d970…

MALICIOUS

Office (OOXML)

Size: 23.6 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 14.0300
MD5: ec2615c4c80fd5e3c2d2d8f7f2db210a
SHA-1: cd57d79685392ef37e969ea80636628b64e4d140
SHA-256: 3821f968e3c1d9701dee28091b3c148175e7e188c7357e40566364eeb48e519b
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file contains Excel 4.0 (XLM) macros designed to download a second-stage payload from the URL https://backend.zafaranahouse.com/ds/26.gif. The macros use WinAPI functions such as URLDownloadToFileA and ShellExecuteA, indicating dropper functionality. The ClamAV detection name 'Xls.Dropper.QbotDocu12020-9818439-0' further supports this assessment.

Heuristics (6)

  • ClamAV: Xls.Dropper.QbotDocu12020-9818439-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.QbotDocu12020-9818439-0
  • Excel 4.0 macro sheet (1 sheet(s)) critical 3 related findings OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
  • URL reconstructed from XLM cell array (1 URL) critical OOXML_XLM_CELL_ARRAY_URL
    Excel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order plus FORMULA cell-reference concatenation in token order.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://backend.zafaranahouse.com/ds/26.gif Referenced by macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: xlm_sheet_00.bin
    SHA-256: 581964282792c79e613320e827a7b43dd0b0bd59b511ea08bac1e7be04d2efb4
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
    Size: 27387 bytes
Preview script
First 1,000 lines of the extracted script