Qbot — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 593ddfe9dfe7fb77…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.01 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-05-31
MD5: b5315225bfbcf52a8c43b91dde856b00
SHA-1: 737d1dca2be1378027e945f872293315e9f914bb
SHA-256: 593ddfe9dfe7fb77c416ba293e3e3f7a04a7df4fb102bde52ca151eda7f71820
Risk Score: 140

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The file is identified as malicious by ClamAV with the signature Xls.Downloader.Qbot-b760f03262b6e23b-9950440-0, indicating it belongs to the Qbot family. Critical heuristics indicate the presence of Excel 4.0 macro sheets and VBA macros. The Excel 4.0 macro sheet contains commands that appear to construct file paths and potentially execute them, suggesting a downloader functionality. The VBA macros are present but do not contain immediately discernible malicious code in the provided excerpt.

Heuristics (3)

  • Excel 4.0 macro sheet (4 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • ClamAV: Xls.Downloader.Qbot-b760f03262b6e23b-9950440-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03262b6e23b-9950440-0
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1564 bytes | 99c67d49f4dac3a19637302777183b6e6c2d9adfb888d2f96b7a4984c79bdd21
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 13312 bytes | 773cf33985832fbcd43ac2a6d6e0103fdcee1b219454afdaf327796c476e1c4d
emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image3.emf | 468828 bytes | 9a4ead196bb64cb992422e6828bf80b23e6627cf8b47eae0bf68eafb138b9739
emf_01.emf | ooxml-emf | OOXML EMF part: xl/media/image2.emf | 610348 bytes | ba94633e42456b5ad448f85a47594699adffa25ad01d5172717ef32f87a74036
xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 2140 bytes | 23c006bffbb3bdc03c9f54337de70f29ccba8148f7fa280d08c2c043a3148074
xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 1906 bytes | 3e948c9c339f764828260ff9b5b24eefe008eebaed3227023a84ce532391a5ce
xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 371 bytes | 8eb04f3d7c0c7ba161f40f9a79a5d9844f29fa0bcbdd41dd60e79393fb8f78f3
xlm_sheet_03.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 1018 bytes | 763c47c6718ba979ac5c080555006da07286839483ab22c505974a674f51b7d5