Qbot — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 51f1dfbc7c0b1cf4…

MALICIOUS

Office (OOXML) / .XLSX

1.18 MB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-04-20
MD5: 116b0b4e9b177a754401b319c7562a36 SHA-1: 5d5bf2238c2d201658538dcc46d61059f7351914 SHA-256: 51f1dfbc7c0b1cf466678a2e42cf20676fc2002cad8a85e3196c9143d8aed91b
200 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Service Execution: Service Execution T1059.001 PowerShell: PowerShell T1105 Ingress Tool Transfer: Ingress Tool Transfer

The sample contains Excel 4.0 macros that leverage WinAPI calls such as CreateDirectoryA. The macros appear to be designed to download and execute additional payloads. Specifically, the script attempts to create directories and then likely download files to these locations, indicated by strings like '714258.dat'. Finally, it uses 'regsvr32' to execute components from 'C:\Flopers\Gorl\Vertu.OCX', 'Vertua.OCX', and 'Vertub.OCX', suggesting a downloader or initial access mechanism for further stages of infection.

Heuristics 4

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.Qbot04223-9946522-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot04223-9946522-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
24683ff192d5ff2bf2f841df675e1bec8a46ae42de534fcdbc64fb77dd4f33a5		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject3.bin 4465152 bytes
emf_00.emf
481999fdbcc1fde5a4e3a4e9970e4bbf3c8dbeb2e2a366cc840aa848993159f4		 ooxml-emf OOXML EMF part: xl/media/image2.emf 2159428 bytes
xlm_sheet_00.bin
b32518012aa4e99ef99d2e277e5edd0e897f37530403ac3c1f095881c9f52ef4		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 2501 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.