Qbot Office (OLE) / .XLS malware analysis — malicious · 5bbae03b599305ee

MALICIOUS

Office (OLE) / .XLS

537.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: 72cf9e58c1bcde9b299e8f56cc0fbe34 SHA-1: c7b2e6f6129dd7aadab3fe1b5d54fa78b4be5a09 SHA-256: 5bbae03b599305eed0e9ee35477f5604123cfca9894068bac6c3fbc7ca5c7462

220 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1218.010 System Binary Proxy Execution: Regsvr32

The file is identified as malicious by ClamAV and exhibits high-severity heuristics for OLE VBA macros, including Auto_Open and Auto_Close functions. Critical heuristics indicate obfuscation techniques used to reassemble the dangerous API name 'regsvr32'. The VBA script attempts to construct and execute a command involving 'regsvr32' and a URL, strongly suggesting it's a downloader for a secondary stage payload.

Heuristics 5

Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `658441cd825df9b7ed7ef6d0867985a34733bc19b34bf42def3906ad3b19244e`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3709 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.