Qbot — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 b2faad8a27986b77…

MALICIOUS

Office (OLE) / .XLS

Size: 542.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 75b4238c2f85004e081db828b23a5cec
SHA-1: 49de5b1aa6a602788242a5e903ec2b55143c0231
SHA-256: b2faad8a27986b771bf08154f5cf8f0557d924f99569243079255da2ef460ba0
Risk Score: 160

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.002 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature 'Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0', indicating it belongs to the Qbot family. Static analysis revealed the presence of VBA macros, specifically an 'Auto_Open' macro, which is a common technique for executing malicious code upon opening the document. The macro's intent appears to be the execution of a downloader payload, consistent with Qbot's typical behavior.

Heuristics 4

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro · high · OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro · high · OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected · medium · OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
80c3786ad171a99d819f2d48dae2a9438239712d9cb9684f883956f63b63d38c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4388 bytes