MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The file contains Excel 4.0 macros that are designed to download a payload from the URL 'https://hunggiang.vn/21.psd'. The macros utilize WinAPI functions such as URLDownloadToFileA and ShellExecuteA to achieve this. The ClamAV detection name 'Xls.Dropper.QbotDocu12020-9818439-0' strongly suggests the Qbot family.
Heuristics 6
-
ClamAV: Xls.Dropper.QbotDocu12020-9818439-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.QbotDocu12020-9818439-0
-
Excel 4.0 macro sheet (1 sheet(s)) critical 3 related findings OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGSExcel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
-
XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOADAn Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
-
URL reconstructed from XLM cell array (1 URL) critical OOXML_XLM_CELL_ARRAY_URLExcel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order plus FORMULA cell-reference concatenation in token order.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://hunggiang.vn/21.psd Referenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.bin852f8a9074f0a60640376457fa2c0441f9a473e65357dd598131fc2c795c0e21 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 22574 bytes |
Preview scriptFirst 1,000 lines of the extracted script
� � � @ �������� � h 20 � � � � � @ d d � $ � � � � � % �� & � q � < �? q � � % �� & h
$j �B � % �� & j
% $� �D� �B � % �� & *
% �� & :
�F@% �� & ;
�S@% �� & <
@% �� & =
<@% �� & >
@T@% �� & ?
?@% �� & @
Y@% �� & A
W@% �� & B
@V@% �� & C
@% �� & D
N@% �� & E
T@% �� & F
Y@% �� & G
4@% �� & H
Y@% �� & I
�V@% �� & J
�V@% �� & K
D@% �� & Q
\
1@% �� & R
\
@% �� & S
\
% �� & T
\
@ @W O p e n " DU W�DV W� DW W� DX W�B P % �� & U
\
@ *W O DU Y�DU Z� Ao Y @ Z "@% �� & V
\
@ 2W p DV X�DV Y� DV Z� Ao X @ Y 4@ Z @% �� & W
\
2W o DW X�DW Y� DW Z� Ao X �? Y �? Z �? \ % �� & X
\
�? 2W n DX X�DX Y� DX Z� Ao X $@ Y $@ Z $@ \ % �� & Y
\
\ % �� & Z
\
I@ \ % �� & [
\
0@ \ % �� & \
\
�? \ % �� & ]
\
.@ \ % �� & ^
\ \ % �� & _
\ \ % �� & ` \ \ \ % �� & a \ \ \ % �� & b \ \ \ % �� & c \ \ \ % �� & d \ \ \ % �� & e \ \ \ % �� & f \ \ \ % �� & g \ \ \ % �� & h \ \ \ % �� & i \ \ \ % �� & j \ \ \ % �� & k \ \ \ % �� & l \ \ \ % �� & m \ \ \ % �� & n \ \ \ % �� & o \ \ \ % �� & p \ \ \ % �� & q \ \ \ % �� & r \ \ \ % �� & s \ \ \ % �� & t \ \ \ % �� & u \ \ \ % �� & � a a a % �� & � a a a % �� & � a a a % �� & � a a a % �� & �
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.