Qbot — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 b302d90cd1826079…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.13 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-05-25
MD5: be9d68c0137d3ab377d0520800fede3f
SHA-1: e8755a3defcd137673dbc3186341d8c90f011cf4
SHA-256: b302d90cd1826079b8f1fdf77af7825c12fe6314ea220b5bcae672e926ae44d4
Risk Score: 120

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The file contains critical heuristic firings indicating Excel 4.0 macro sheets, and ClamAV detection points to the Qbot family. The extracted Excel 4.0 macros contain strings that reconstruct to DLL filenames such as 'C:\Users\Public\Documents\Tfujist\Eghajdor.dll', 'C:\Users\Public\Documents\Tfujist\Eghajdor1.dll', and 'C:\Users\Public\Documents\Tfujist\Eghajdor2.dll', and also reference 'regsvr32.exe'. This suggests the macro's intent is to download and execute a malicious DLL payload using regsvr32.

Heuristics (2)

  • Excel 4.0 macro sheet (4 sheets) · severity: critical · OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • ClamAV: Xls.Downloader.Qbot-b760f03262b6e23b-9950440-0 · severity: critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03262b6e23b-9950440-0

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
  • xlm_sheet_00.bin · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/sheet1.bin · 2286 bytes
    SHA-256: a537b74caa9aff2d58a5c283562e9193cbcee1ec1598a20149d3292fc4d5c8ec
  • xlm_sheet_01.bin · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/sheet2.bin · 1906 bytes
    SHA-256: ea5fcee142a9af13fb8eeb8f9fc87ad7791a0f0faa22efda136eabd54cf1631f
  • xlm_sheet_02.bin · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/sheet3.bin · 337 bytes
    SHA-256: 0961a82d4316cbd6c555ae6dfc0dbbc481b52f45cbb53ea43fe3a0dc752cd34b
  • xlm_sheet_03.bin · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/sheet4.bin · 1002 bytes
    SHA-256: f906ee3df91cbc1fd7e0b20c2278d8825b4db29c6770cef788049f6d22f94413