Qbot Office (OOXML) / .XLSM malware analysis — malicious · 6d75c503baa6b2f5

MALICIOUS

Office (OOXML) / .XLSM

166.6 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 14.0300

MD5: b97d2599db58adfa64a9c7d1de52aa2d SHA-1: 36f7e6ab585501c3b3fee46c1c620d14225fd0bb SHA-256: 6d75c503baa6b2f58dea79c694a0a9256fb9a74bc2bd344ef294a2ded0477d90

262 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

This Excel file contains Excel 4.0 macros, indicated by the 'OOXML_XLM_MACROSHEET' and 'OOXML_XLM_DANGEROUS_FN' heuristics. The macros utilize the 'EXEC' function to call external code, likely downloading a second-stage payload from the URLs found in the document body and embedded scripts. The ClamAV detection as 'Xls.Downloader.Qbot0421-9856653-0' strongly suggests the Qbot family.

Heuristics 6

Excel 4.0 macro sheet (4 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: EXEC, FORMULA, CALL, HALT critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
ClamAV: Xls.Downloader.Qbot0421-9856653-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Qbot0421-9856653-0
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://yohsinsolutions.com/0QeH3HFbNyY/kk.html
- https://gtec24.com/0mqp0yN6/kk.html
- http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/photoshop/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://schemas.openxmlformats.org/spreadsheetml/2006/main
- http://schemas.microsoft.com/office/excel/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml` `3053dafa2d3f987ce513cbeee21a23bb155656d1a3bacf27e3c9fd23a98df2cd`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml	1245 bytes
`xlm_sheet_01.xml` `7c70a733295093fa9be986f7921d4989b1ff5b1c9e7d7c0416a4b8d6aa837808`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml	204903 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 shell/COM execution token(s).
`xlm_sheet_02.xml` `6cb3ab47226c206f666f8830fc35f10e422712c9d53bd66c647d57a05f0b41bc`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml	4485 bytes
`xlm_sheet_03.xml` `95eb9ac669583f7114c029725ae2ac1b158fd43ff181b1370db5057cd2dc1558`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml	1082 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.