Qbot — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 ce981073f3fc1cac…

MALICIOUS

Office (OLE) / .XLS

537.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2021-10-26
MD5: 1ca4ab3197e203c5ebceff53117c4d38 SHA-1: b9d6de9b3e63b696c633bdf03b7a4aef0bcfbf16 SHA-256: ce981073f3fc1cac863ac0f7c342f61cd2820541710d25dcc31fdd4791550408
160 Risk Score

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The critical ClamAV detection explicitly identifies the sample as 'Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0', strongly suggesting the Qbot family. The presence of Auto_Open and Auto_Close VBA macros indicates that the malicious code executes automatically upon opening the spreadsheet. The VBA script attempts to construct and execute a command involving 'regsvr32 -silent' and a file path that appears to be a downloaded payload, indicating a downloader functionality.

Heuristics 4

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
658441cd825df9b7ed7ef6d0867985a34733bc19b34bf42def3906ad3b19244e		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3709 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.