Qbot — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 d91a7c07bec1136e…

MALICIOUS

Office (OOXML) / .XLSX

Size: 263.8 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-02-15
MD5: 8759fc7692ec7716642f6d871ab096a7
SHA-1: 929f1adad990aa9ea0f6f34f963a2fd69bd10a7b
SHA-256: d91a7c07bec1136e7117642acd349bdbc7e21cdb4abf1eda8914dac94d5eb0f9
Risk score: 180

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature Xls.Downloader.Qbot02221-9940029-0, indicating a Qbot variant. Heuristics confirm the presence of Excel 4.0 macro sheets within an XLSX file, a common delivery method for Qbot. The embedded XLM macrosheets, though partially obfuscated, are indicative of a downloader designed to fetch and execute additional malicious content.

Heuristics (3)

  • Excel 4.0 macro sheet (13 sheets) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.Qbot02221-9940029-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot02221-9940029-0

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Filename         | SHA-256                                                          | Kind           | Source (OOXML XLM macro sheet)   | Size
-----------------|------------------------------------------------------------------|----------------|----------------------------------|-----------
xlm_sheet_00.bin | 71394a07c8189acff427ae8f8da7fd128d160657a1b7a6707b56f30c6085ff28 | xlm-macrosheet | xl/macrosheets/intlsheet1.bin    | 363 bytes
xlm_sheet_01.bin | 01a12c6c12fa22d4cfc4bf1d217bd340c26deff45c1c752f40d175b2e448e9e7 | xlm-macrosheet | xl/macrosheets/intlsheet2.bin    | 632 bytes
xlm_sheet_02.bin | c4997671dcf76dee2d7e1772bf4503a7540726aa7fd76e1669d0fd941ab790e1 | xlm-macrosheet | xl/macrosheets/sheet1.bin        | 2637 bytes
xlm_sheet_03.bin | cc0cfefd72fec7efc138ea8f0dde0539eb5a4ec85bb2c1537a2f1096bf883cd8 | xlm-macrosheet | xl/macrosheets/intlsheet3.bin    | 1699 bytes
xlm_sheet_04.bin | 1c22a1ce163e2240e8c62d5dd8ca5a727c3a45c0832c9c9ba6fa18633b7906de | xlm-macrosheet | xl/macrosheets/intlsheet4.bin    | 673 bytes
xlm_sheet_05.bin | ea32a04f4cec6a4b499fc6dd2677e84a55746af8b3d6a511ea9f1bf7f59edcb9 | xlm-macrosheet | xl/macrosheets/intlsheet5.bin    | 707 bytes
xlm_sheet_06.bin | e40dfef507602c0f11d9e7858b44b3034d00163d0da55e09861950fe07e098cc | xlm-macrosheet | xl/macrosheets/intlsheet6.bin    | 826 bytes
xlm_sheet_07.bin | 8ff569252732a19a0c2bed07c5ad0f50b228927f44f7dfa7f2828b85d007d2e6 | xlm-macrosheet | xl/macrosheets/intlsheet7.bin    | 552 bytes
xlm_sheet_08.bin | 936cf5e026c8c314e7c5a6d141513f7e98659c44c66c1d6b538a1aa6031abdfa | xlm-macrosheet | xl/macrosheets/intlsheet8.bin    | 483 bytes
xlm_sheet_09.bin | f4da8f5cbc778080b22fc02dd5f5f6de76ee087969d6d32380d70e06282f191c | xlm-macrosheet | xl/macrosheets/sheet2.bin        | 854 bytes
xlm_sheet_10.bin | 702b4ecbc014db115a35b4adb60f78da78d2e63fe882e7dc411859f9926c6af6 | xlm-macrosheet | xl/macrosheets/sheet3.bin        | 808 bytes
xlm_sheet_11.bin | 01b738df69558832e27370208f44fc8d57a66dc63f4aa5465b347aa8572f0680 | xlm-macrosheet | xl/macrosheets/sheet4.bin        | 859 bytes
xlm_sheet_12.bin | 61533168a82ce0e3a71d1dcbd2d66d47565459acbeb07b5e69e04d6d2b3cddff | xlm-macrosheet | xl/macrosheets/intlsheet9.bin    | 679 bytes