Qbot — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 4be64cc9a55dcb5f…

MALICIOUS

Office (OLE) / .XLS

Size: 537.0 KB · Created: 2015-06-05 18:17:20 · Authoring application: Microsoft Excel
MD5: d125d8f8d1ef866df9a0c23ebf48b5be
SHA-1: 066e32a9491dec5c8168228db272f724cd319649
SHA-256: 4be64cc9a55dcb5f485af11464f3dac80cd424069eca26408359de7d5b7bc151
Risk Score: 160

Malware Insights

Qbot · confidence 85%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an Excel file with VBA macros that use string concatenation to build system commands. The ClamAV detection specifically identifies this as Xls.Downloader.Qbot. The script uses 'regsvr32' with the '-silent' parameter and likely downloads and executes a second-stage payload, as indicated by the strings reconstructed from the concatenation: 'REGISTER', 'EXEC', 'regsvr32', ' -silent'.

Heuristics (4)

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro · high · OLE_VBA_AUTO
    Document contains an Auto_Open macro (runs automatically when the workbook is opened)
  • Auto_Close macro · high · OLE_VBA_AUTOCLOSE
    Document contains an Auto_Close macro (runs automatically when the workbook is closed)
  • VBA macros detected · medium · OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
macros.bas | 82e1e47d5ead737b15bb2148da65cf727043b2c8a73a6e4133c451f98570a39a | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3700 bytes