Qbot — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 1f4b87cc80519caf…

MALICIOUS

Office (OLE) / .XLS

Size: 537.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: b58fcf70f41af8f972b5228fe41ac8c7
SHA-1: b0e5006f91a7f70d8bb8afb283f15fe2a9cce890
SHA-256: 1f4b87cc80519caf258fe16cd29db7cf578c8a15deb157292de01ea803914f18
Risk Score: 160

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file is detected as malicious by ClamAV as Xls.Downloader.Qbot. It contains VBA macros, including an Auto_Open macro, which is a common delivery mechanism for Qbot. The script attempts to establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy and uses the function URLDOWNLOADTOFILEA, indicating it downloads and executes a second-stage payload.

Heuristics 4

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 658441cd825df9b7ed7ef6d0867985a34733bc19b34bf42def3906ad3b19244e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3709 bytes