Qbot — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 73249da46ad32f57…

MALICIOUS

Office (OLE) / .XLS

582.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: 2cca214951cb56d21c5182a55c40c209 SHA-1: f02ba059ce190bba6066244cd574076e7f918ac3 SHA-256: 73249da46ad32f57b75746421ca8d96bc62ce7670a7738bfede3d086826e8a87
120 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as a malicious Excel spreadsheet by ClamAV, specifically as a Qbot downloader. The presence of an Auto_Open VBA macro indicates that malicious code will execute automatically upon opening the document, a common technique for initial execution. This macro is likely responsible for downloading and executing a secondary payload, consistent with Qbot's typical behavior.

Heuristics 3

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5d1184f7d77bd58c13a19286c88a6639a7de7c99b2d47ca67964e471859ab37c		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 6354 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.