Qbot Office (OOXML) / .XLSX malware analysis — malicious · 70ec3a471d9558c5

MALICIOUS

Office (OOXML) / .XLSX

26.4 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 14.0300

MD5: 9f67c31f3e726f64d2217676124c1f59 SHA-1: 487954f196da83b2d4f1d424500b9fbd12107b80 SHA-256: 70ec3a471d9558c525c65b130a4e888dedc1bc35b4b5876dd55943ba8a1240c9

120 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file is identified as malicious by ClamAV and contains Excel 4.0 macros, a common technique for delivering Qbot malware. The macros are likely responsible for downloading and executing a secondary payload, indicated by the 'Dropper' classification. The presence of Excel 4.0 macros strongly suggests an attack pattern involving user interaction to enable macros, leading to the execution of malicious code.

Heuristics 2

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
ClamAV: Xls.Dropper.QbotDocu12020-9818439-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.QbotDocu12020-9818439-0

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `d5b7d30c3c571978e18997e65df1b2f2ddb8bda5a24f26ffe7c61cd7906266bf`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	3349 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.