Qbot — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 bd3d49cfe24868c3…

MALICIOUS

Office (OOXML) / .XLSX

Size: 266.6 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-02
MD5: 43a3c89415ff0b28c75fefa345541b57
SHA-1: a3352369d30d441aca228a19e6e24c3beb8585f0
SHA-256: bd3d49cfe24868c3e1f6ab5e2cdc919ddbb8fb38209cdfdb92c2ffcdd2521a95
Risk Score: 180

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is identified as malicious by ClamAV with the signature Xls.Downloader.Qbot02221-9940029-0. It contains multiple Excel 4.0 macro sheets, a known technique for delivering malware. The macros appear to be responsible for downloading a second-stage payload from the reconstructed URLs: '185.106.123.81', '146.70.81.52', and '111.90.151.223'. This indicates a downloader functionality consistent with the Qbot family.

Heuristics (3)

  • Excel 4.0 macro sheet (13 sheets) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.Qbot02221-9940029-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot02221-9940029-0

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                               Size        SHA-256
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin  363 bytes   84204085fe85367e7681df4821c9c4e56098f3d7566d83e84edcd3534c70d68a
xlm_sheet_01.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin  973 bytes   5b9d6eccf87cd91243b9dd9b96ba0fa47b77daae29fadca7658093960067b6b0
xlm_sheet_02.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin      2248 bytes  131c5161199b9c9a47ba439afa368ee1d437822a436aaf10c98fcdc1b51ef3bf
xlm_sheet_03.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin  1701 bytes  976d457b33af0a3aac205bc14291ff7eb562393aef95313ada3ad67eabfe71bf
xlm_sheet_04.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin  645 bytes   072348fc131c0e5bee07785715ae0e7a54dc95d3736c1b976a0027f5d8c21e83
xlm_sheet_05.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin  674 bytes   2dfe8d2bb4fab745107b42252269ba3ab98c81e0d91873fb2d042d30c5397c0e
xlm_sheet_06.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin  662 bytes   94795d25815d5803d636db2a64a1ea6a9b5da2054634958b95b83e9d5c5217c6
xlm_sheet_07.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin  472 bytes   61afdf368ea4b074b8c84550aa0abf3bef6a81923a1667a1c73970a51122da04
xlm_sheet_08.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet2.bin      783 bytes   2f2216a3a6f26b71c57b0253cacf6fcee0232bf8d3e4d84ff32b9f7686bf1b29
xlm_sheet_09.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin  423 bytes   1e59e814dd1c224a949286a84d83604c8d6e7b07e626af89ef9dc3325b45e9f9
xlm_sheet_10.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet3.bin      708 bytes   236b5e769c473d37868940897fb1101fd143ccf3680334512afd22302ed30bf5
xlm_sheet_11.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet4.bin      708 bytes   faed96bcd1f22b6efc8a50fd866a609a46e66f1f3274e931d6a04353ac0f64d2
xlm_sheet_12.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet9.bin  423 bytes   fbd75cdf64faebad45d9a08ba6cd8fc2a92260add16a5db9eba84c9466375801