Qbot — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 6cc35c64d7f28ab6…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSX
Size: 265.0 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-02-21
MD5: 38f72dfb45a2a073f636539c6b007577
SHA-1: d1a02157556447815b8bca73001d0141dc0ddab1
SHA-256: 6cc35c64d7f28ab60d23e7bd1d21928ee46aa8923f0a40bccb317e3b5a57353d
Risk Score: 180

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file contains Excel 4.0 macros, which are known to be used for malicious purposes. The macros are designed to reassemble a payload from split formulas and download it from the provided URLs. This behavior is consistent with Qbot downloader activity.

Heuristics (3)

  • Excel 4.0 macro sheet (13 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLM payload reassembled from CHAR()/split formulas [critical] OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
  • ClamAV: Xls.Downloader.Qbot02221-9940029-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot02221-9940029-0

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                               Size
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin  363 bytes
                  SHA-256: ea06a8953b3a9ba04d3865efae4d5859773d9bdefc867b3f2871edae162a58a5
xlm_sheet_01.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin  792 bytes
                  SHA-256: 8642bb0e181f1edb15b48ea3cfd073523b0d22320da1a021cc7ac775ff2c37f8
xlm_sheet_02.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin      2637 bytes
                  SHA-256: 65625823fdbd66473832fda4bf3634e61ab63ddb9dfad701ab1a98703f3dfa48
xlm_sheet_03.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin  1192 bytes
                  SHA-256: c03172c35f4222986d0f893e530117fe3e65fbbb466e3ce9c78b2d66f57c1bf2
xlm_sheet_04.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin  673 bytes
                  SHA-256: ef1881d622b9d949d1c108f9ca407429b9aba0561e0e2f3ef55d807e75160de4
xlm_sheet_05.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin  702 bytes
                  SHA-256: f5caf48bc59f65c54c5caff7cd3772d19a8bbd25b1a3ff95144fede3829b23ff
xlm_sheet_06.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin  826 bytes
                  SHA-256: 0a270391e734c3cab9d718aedb0d3853ac33327b54717f9adea594e464d043d0
xlm_sheet_07.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin  552 bytes
                  SHA-256: 5735eea820db93e2d1cc8ac0c5664b6604916e79f5cf07589f20c7c0f7f3f9ae
xlm_sheet_08.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin  483 bytes
                  SHA-256: db67694c3a69d8c5ec6b308472cf4843ce36a58f021fc3dbfb1711f2fd8faef7
xlm_sheet_09.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet2.bin      875 bytes
                  SHA-256: 9404b45a3bda56d5d118ae02bb78d0081df90f15d34ff4d8fb5a64e7c9e9cb53
xlm_sheet_10.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet3.bin      780 bytes
                  SHA-256: 855aef3f6ebdc2b03750a1539f7610ea13ec551ce449f5e3b99c7190fb41b0f8
xlm_sheet_11.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet4.bin      760 bytes
                  SHA-256: 11aa56fa068a4335b670a35a2546a855747d55316f31d03ea70468494c80392b
xlm_sheet_12.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet9.bin  679 bytes
                  SHA-256: 61dcf4307e1b88bb124a024cf4181495210e853042b5805b040d16b7fb925c75