Qbot — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 347d3328410171ef…

MALICIOUS

Office (OLE) / .XLS

534.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel

MD5: e362edbed7e66850ad493866a230a31f
SHA-1: 777e120c1993598c834f838deea927cc8bc94f6e
SHA-256: 347d3328410171efd58c5b0245664ed0f680a2407a003f3db0878e961a899c98
Risk Score: 160

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file is an XLS document containing VBA macros, including Auto_Open and Auto_Close functions, which are commonly used for malicious execution. The macros attempt to reconstruct a registry command to add a persistence mechanism via `REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy /v "" /t REG_SZ /d "..\celod.wac" /f`. This indicates the macro's intent is to download and execute a second-stage payload, consistent with Qbot downloader behavior. The ClamAV detection also explicitly names this family.

Heuristics 4

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
          6e975c057e590861c6128ab401ae21bf378c17c629fd38de134b190793c442d7
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3465 bytes