Qbot Office (OLE) / .XLS malware analysis — malicious · 60124b0a5822debc

MALICIOUS

Office (OLE) / .XLS

542.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: a8bc890acfe5e57cf3d01900aebd544f SHA-1: 4019fbfaffbcb131ec9b2ebeb3701c5ac70b4f38 SHA-256: 60124b0a5822debc0cb0e7c877c74fee1bf50bac82dbdd5dc8e664cf487daed1

220 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing VBA macros, including an Auto_Open subroutine, which is a common technique for initial execution. Heuristics indicate obfuscation of the 'regsvr32' API, a known downloader technique. The ClamAV signature also explicitly identifies it as a Qbot downloader.

Heuristics 5

Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f2caf5673dee6fe6ab4985502d62df5284af80016e15acaf6a511a4942c01501`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.