Qbot — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 3bfb1ddbaf040fe2…

MALICIOUS

Office (OOXML) / .XLSX

1.31 MB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-05-26
MD5: eb1a91286ae2a889dbf6b45714ef007d SHA-1: 1976b19350a087136699d87b19bc0734d3eb202a SHA-256: 3bfb1ddbaf040fe2499dd7145a58a3b8a3bf09dd0adf8dc78c5f8b1f55399df6
262 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Service Execution: Visual Basic T1204.002 Malicious Link: Malicious File T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell T1059.006 Command and Scripting Interpreter: Python

This file contains Excel 4.0 macros, which are known to be used for malicious purposes. The macros utilize dangerous functions like GOTO, REGISTER, and EXEC to download and execute a second-stage payload. The ClamAV detection as 'Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0' strongly suggests a Qbot family infection. The embedded URLs and file paths indicate potential download locations for the payload.

Heuristics 6

  • Excel 4.0 macro sheet (6 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: GOTO, REGISTER, EXEC, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
a7e3733b1363628adf7f51c156b74365950f080ba7eb4fb4a9f0561e8e860639		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 1955 bytes
xlm_sheet_01.xml
b44fde067371b12dff23c94bd54325d79e5ed12a642515c6814a3d3bcee92f70		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet2.xml 1647 bytes
xlm_sheet_02.xml
df5dcaca6a4f73d2d3be21c15544097e49bc8f2c3942e49075fe6111bf9a9c06		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet3.xml 1522 bytes
xlm_sheet_03.xml
f4c2e30869426e0361f025e6392fc8e2e068bedc236f165352f6b1b990b6a40f		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet4.xml 1521 bytes
xlm_sheet_04.xml
d6235f8a5edd43e99b29c95384f3bbc577ea8a7c083dff4fdf82519e38769532		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet5.xml 1523 bytes
xlm_sheet_05.xml
c04e216d19774237836ba44a0779b3ff7986a81d2f6ddcc95cfb7b0cf99d3883		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet6.xml 1632 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.