Qbot — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 c0168eaf2e409a8d…

MALICIOUS

Office (OLE) / .XLS

Size: 582.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 95af3df17817e307678bd7d1c6d8580c
SHA-1: 048aab3d2d8a4610d904cc28058caa15e776a427
SHA-256: c0168eaf2e409a8d1a968e388d665b213b1f7ae232c24df90ab8731b5fd1cbbd
Risk Score: 140

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.002 Spearphishing Attachment

The critical ClamAV detection explicitly identifies the sample as 'Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0', strongly suggesting the Qbot family. The presence of an Auto_Open macro indicates that malicious VBA code will execute automatically upon opening the document. While the VBA code is truncated, the heuristic firings and the ClamAV signature confirm its malicious downloader functionality.

Heuristics 4

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro (high, OLE_VBA_AUTO)
    Auto_Open macro
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
5d1184f7d77bd58c13a19286c88a6639a7de7c99b2d47ca67964e471859ab37c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6354 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).