MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The file contains critical heuristic firings indicating the presence of reassembled Excel 4.0 macros designed to download a payload. The embedded script fragments show evidence of URL construction and execution, strongly suggesting a downloader functionality. The ClamAV detection further confirms its malicious nature as a Qbot variant.
Heuristics 3
- Excel 4.0 macro sheet (12 sheet(s)) [critical, OOXML_XLM_MACROSHEET]: Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- XLM payload reassembled from CHAR()/split formulas [critical, OOXML_XLM_REASSEMBLED_PAYLOAD]: An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
- ClamAV: Xls.Downloader.Qbot03220-9942292-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Downloader.Qbot03220-9942292-0
Extracted artifacts 12
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 1030 bytes |
| xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 663 bytes |
| xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 2953 bytes |
| xlm_sheet_03.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 1294 bytes |
| xlm_sheet_04.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 737 bytes |
| xlm_sheet_05.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 663 bytes |
| xlm_sheet_06.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin | 712 bytes |
| xlm_sheet_07.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin | 562 bytes |
| xlm_sheet_08.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin | 393 bytes |
| xlm_sheet_09.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin | 442 bytes |
| xlm_sheet_10.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 723 bytes |
| xlm_sheet_11.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin | 393 bytes |