Qbot — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 b1a5dfd74526ea8b…

MALICIOUS

Office (OLE) / .XLS

Size: 537.0 KB · Created: 2015-06-05 18:17:20 · Authoring application: Microsoft Excel
MD5: 5ea54e7dc38b1f2701cbadcabdb1a5a9
SHA-1: 480fd38bde6f6d6915b7d80db91910bd3a4d7662
SHA-256: b1a5dfd74526ea8b13650811cfd4895b73830415a6cee1f37d88ebe375b105c2
Risk Score: 160

Malware Insights

Qbot · confidence 85%

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.005 Command and Scripting Interpreter: Visual Basic for Applications
  • T1105 Ingress Tool Transfer

The sample is an Excel file containing VBA macros that use string concatenation to build commands. The ClamAV detection specifically identifies this as Xls.Downloader.Qbot. The script attempts to execute 'regsvr32' silently (equivalent to 'regsvr32 -silent'), assembling the command from various cells in the 'Noieetfdhg' sheet to facilitate payload delivery, likely using DDE or DDE-like behavior via custom functions such as 'Kopast'.

Heuristics (4)

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 82e1e47d5ead737b15bb2148da65cf727043b2c8a73a6e4133c451f98570a39a
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3700 bytes