Qbot — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 e9e549ab59dd8e85…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.40 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-04-19
MD5: 40e8b2405a3fc3f2c3131c57e513ef45
SHA-1: 9409f49d82842c21a404315220d861d0eaccb413
SHA-256: e9e549ab59dd8e852100b707713688b1e62681782717f784a70b4ff9e39c1298
Risk Score: 200

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample contains Excel 4.0 macros that utilize the URLDownloadToFileA WinAPI function to download files. The macros attempt to save these files to C:\ProgramData\Dis.ooocxx, C:\ProgramData\Disa.ooocxx, and C:\ProgramData\Disb.ooocxx, and then execute them using regsvr32. The ClamAV signature 'Xls.Downloader.Qbot04225-9946523-0' strongly suggests the Qbot family.

Heuristics (4)

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.Qbot04225-9946523-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot04225-9946523-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject2.bin
    Size: 2263040 bytes
    SHA-256: eb40d89a980ed8f3cd3be193555cc6d3c7a584d87092dbbb7c88622cfce53f9d
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native
    Size: 2243012 bytes
    SHA-256: 45f228642570d6f2de779122b0cdd1d811accdd0ae229de173fb524415b59b67
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 4486440 bytes
    SHA-256: 28a2af9cf0dcacb9693939904f250d2c6bc1017fd36bb28b549de84468d7f1ad
  • xlm_sheet_00.bin
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
    Size: 2052 bytes
    SHA-256: 9a1cd25eed4eda135238a1482f8e0100471e4e84fc0622b689b2004e42852a68