Qbot — Office (OOXML) malware analysis

Static analysis result for SHA-256 525a5f2d2c3f436e…

MALICIOUS

Office (OOXML)

23.6 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 14.0300
MD5: 17c9e41990f7f5d7e036cc600f7f06c3 SHA-1: c34f76e7b5b0f8afda4f476af0ba7ce91867bd9a SHA-256: 525a5f2d2c3f436e1860ad51e5a24a039141adf76e0dacf642bc38c2c6f1546f
302 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The file contains Excel 4.0 macros that are designed to download a second-stage payload from the URL 'https://ebsite1.codeomega.in/ds/26.gif'. The macros utilize WinAPI functions such as URLDownloadToFileA and ShellExecuteA, indicating an intent to download and execute a malicious file. This behavior is consistent with Qbot droppers.

Heuristics 6

  • ClamAV: Xls.Dropper.QbotDocu12020-9818439-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.QbotDocu12020-9818439-0
  • Excel 4.0 macro sheet (1 sheet(s)) critical 3 related findings OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
  • URL reconstructed from XLM cell array (1 URL) critical OOXML_XLM_CELL_ARRAY_URL
    Excel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order plus FORMULA cell-reference concatenation in token order.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ebsite1.codeomega.in/ds/26.gif Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
581964282792c79e613320e827a7b43dd0b0bd59b511ea08bac1e7be04d2efb4		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 27387 bytes
Preview script
First 1,000 lines of the extracted script
�  �  �   @      ��������    �      �           �  �  �             @   d d         � $                                    �  �  %      ��    & �  q           �  <         q         <     
   q         <         q         <     i   q         < j   k   q         < l   u   q         < v   v   q         < w   ~   q         <         q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �       q         <         q         <         q         <         q         <         q         <         q         <         q         <         q         <         q         <         q         < !   '   q         < (   (   q         < )   +   q         < ,   -   q         < .   4   q         < 5   5   q         < 6   7   q         < 8   8   q         < 9   9   q         < :   :   q         < ;   >   q         < ?   ?   q         < @   @   q         < A   A   q         < B   D   q         < E   E   q         < F   F   q         < G   G   q         < H   I   q         < J   J   q         < K   N   q         < O   O   q         < P   X   q         < Y   Y   q         < Z   ^   q         < _   _   q         < `   b   q         < c   c   q         < d   i   q         < j   j   q         < k   n   q         < o   o   q         < p   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �   q         < �   �?  q         �  �  %      ��    &                                      %      ��    &   h                        
                $j    �B  �    %      ��    &   j                         %               $�    �D�    �B  �    %      ��    &   �                        	?              �?  %   D�   e�$)   ��   J C J $s   !�   B �     %      ��    &   �                        	G              �?  -   D	   H�$#   _�   J C J Ds   !�D    B�    B �     %      ��    &   �                        	b                  H   D�
   �$-    �   J J C C J J    $�    �Ds   !�D    B� DK    �       B �     %      ��    &   �                                         D     �B �     %      ��    &   �                                      %      ��    &                            	e              E@  K   D�   	�$s    �   J J C C C C J    $"   d�Ds   !�D    B� DK    �        B	�     %      ��    &                            
                B 6     %      ��    &   �                	   	    N	           s h e l l 3 2   *      s    h     e    l     l    3     2 B P     %      ��    &   �                �   �     �         $@%      ��    &   �                �   �     �        �V@%      ��    &                    �   �     �        �V@%      ��    &   
                �   �     �         $@%      ��    &                    �   �     �          @%      ��    &                    �   �    2�           e       D�   ��D�   �� D4   �� Ao     %      ��    &   )                �   �     �          @%      ��    &   .                �   �     �        �V@%      ��    &   4                �   �     �         �?%      ��    &   :                �   �     �         N@%      ��    &   Q                �   �     �          @%      ��    &   R                �   �     �         ,@%      ��    &   U                �   �     �          @%      ��    &   a                �   �     �         4@%      ��    &   i                �   �    2�           D       DQ   ��D:   �� DU   �� Ao     %      ��    &   t                �   �    2�           u       D�   ��D�   �� Dt   �� Ao       �         N@%      ��    &   �                �   �     �        �C@  �         2@%      ��    &   �                �   �     �         T@%      ��    &   �                                   @k@%      
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.