Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, identified by the OOXML_XLM_MACROSHEET heuristic. These macros are designed to reassemble a payload, as indicated by OOXML_XLM_REASSEMBLED_PAYLOAD, and download it from a URL. The ClamAV detection name 'Xls.Downloader.Qbot-aa2a2a3fd5f4342a-9950245-0' strongly suggests the Qbot family. The script explicitly constructs URLs such as 'http://a' and IP addresses like '146.19.170.74/' which are likely C2 servers for downloading the next stage.
Heuristics (3)
- Excel 4.0 macro sheet (13 sheet(s)) [critical, OOXML_XLM_MACROSHEET]: Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- XLM payload reassembled from CHAR()/split formulas [critical, OOXML_XLM_REASSEMBLED_PAYLOAD]: An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL: the de-obfuscated download-and-run kill chain.
- ClamAV: Xls.Downloader.Qbot-aa2a2a3fd5f4342a-9950245-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Downloader.Qbot-aa2a2a3fd5f4342a-9950245-0
Extracted artifacts (13)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| xlm_sheet_00.bin | 5fb5a9e6ec1dacc189efcc6a68093d9b5c376b223dcb27f862984427d2aac0e2 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 363 bytes |
| xlm_sheet_01.bin | 9240857c038d474bda71d25a9bdc03e9bd845927780c5c30c8ad2d215fc30299 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 918 bytes |
| xlm_sheet_02.bin | 37305deb6977106275d104f5826c9a1ae694574dcf133bc8f0a88e69659fa5d9 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 2263 bytes |
| xlm_sheet_03.bin | d795a42e7dfb9f3b384d1e5d47d879eee778b9da4bf4a945b3272471187b3422 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 1703 bytes |
| xlm_sheet_04.bin | 93c463343ef7f1e9e791647d561f007c38659ae4a327b3ebb864f048f16a58f6 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin | 659 bytes |
| xlm_sheet_05.bin | 4d4dd95373ceffcdeae0a74dfa09b90bd3ce229ab64dd70c7fe0f05e5b469bbd | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin | 648 bytes |
| xlm_sheet_06.bin | 8d957f41705fc5da60f409cd3c460bdb601935e6214bf78485f23a85cb252024 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin | 622 bytes |
| xlm_sheet_07.bin | 000bc8d70715fdc1e9f90bbf8ea8d827eb7d942c3f16b2c5b6d16539d6622ba7 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin | 446 bytes |
| xlm_sheet_08.bin | 104ea4dd6393a2e7568a3476bef8861dc03f02ff70847c1579759679f5b37241 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 843 bytes |
| xlm_sheet_09.bin | 617d9277b8cae5e22b22f75d36f1c1410a208c497dfd9b1fc50732ce8b8e39ba | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin | 423 bytes |
| xlm_sheet_10.bin | fe57f943858a8919ed6e91709a3b6f572e0ddbcba21b32c8fbf3c96821baa7a0 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 748 bytes |
| xlm_sheet_11.bin | 93ba72b98161dad073a1ddc9f87bed6380b6a369d49aed308df35146fe953084 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 748 bytes |
| xlm_sheet_12.bin | 2bd138650fa507a83c5a96a8b7ece29759f24ed721eaf50eae3ada328413aacb | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.bin | 423 bytes |