Qbot Office (OLE) / .XLS malware analysis — malicious · 69deffe04bd9c7da

MALICIOUS

Office (OLE) / .XLS

542.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: 30336a58105c6b2805d46889e69c23b3 SHA-1: a4f62a08eeb335b7f60ee46f4cf2f52e0ee1bde5 SHA-256: 69deffe04bd9c7dad8eae6589dcf3d0513a32f7aa68ffc066b6f8c943ac1b25d

220 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing VBA macros, including an Auto_Open subroutine, which is a common technique for executing malicious code upon opening. Heuristics indicate obfuscation of dangerous API names, specifically reassembling 'regsvr32'. ClamAV also identifies the file as a Qbot downloader. The Auto_Open macro likely executes the reassembled 'regsvr32' command to download and run a secondary payload.

Heuristics 5

Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f2caf5673dee6fe6ab4985502d62df5284af80016e15acaf6a511a4942c01501`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.