MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The critical heuristic OOXML_XLM_MACROSHEET indicates the presence of Excel 4.0 macros. The ClamAV detection explicitly names this as Qbot. The extracted macro sheet content reveals paths like C:\Testes\Fretedsf\Vertu.OCX and C:\Testes\Fretedsf\Vertua.OCX, suggesting the macros are designed to drop and execute these malicious OLE objects. This is consistent with Qbot's typical delivery mechanism.
Heuristics 3
-
Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
ClamAV: Xls.Downloader.Qbot04223-9946522-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.Qbot04223-9946522-0
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
ooxml_oleobject_00.bin24683ff192d5ff2bf2f841df675e1bec8a46ae42de534fcdbc64fb77dd4f33a5 |
ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject2.bin | 4465152 bytes |
emf_00.emf481999fdbcc1fde5a4e3a4e9970e4bbf3c8dbeb2e2a366cc840aa848993159f4 |
ooxml-emf | OOXML EMF part: xl/media/image2.emf | 2159428 bytes |
xlm_sheet_00.bin4af5c769dc22fdfcc989d5f012ef0e152bb7e5f589f2554a664246d8fd30f6a4 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 2317 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.