Qbot — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 cddfd7fb7be9d04a…

MALICIOUS

Office (OLE) / .XLS

Size: 582.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: b495928b10e7433ae3a0a4e32b2b0f1f
SHA-1: 33885022616be5f91db9f55e3e47035f844351f8
SHA-256: cddfd7fb7be9d04af57c79a513ce449c0fb30f545d94233f35b360b05cc025a0
Risk Score: 140

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file is identified as malicious by ClamAV as Xls.Downloader.Qbot. The presence of an Auto_Open macro in the VBA script indicates that malicious code will execute automatically upon opening the spreadsheet. While the VBA script itself is truncated, the heuristic firings and the ClamAV detection strongly suggest downloader functionality, likely for the Qbot banking trojan. The extracted artifact 'macros.bas' is also noted as suspicious.

Heuristics 4

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
44ce8de16df26234abe008370d6052886255e8593ab511fcea07f165f11d76f7
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6348 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).