Qbot Office (OLE) / .XLS malware analysis — malicious · e9ab22489bd5d3bf

MALICIOUS

Office (OLE) / .XLS

537.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: e56bba7a608666ba627bb97cd84b9c59 SHA-1: e7e0a8f4fc9dad3963eaf7063fb7f5cdb17ffb2f SHA-256: e9ab22489bd5d3bfbdf73ec47d70059db6ea06ae135014f931f1435d803e0ecf

160 Risk Score

Malware Insights

Qbot · confidence 85%

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1204.002 User Execution: Malicious File

The sample is a malicious Excel file with VBA macros. A ClamAV detection specifically identifies it as Xls.Downloader.Qbot. The extracted script contains obfuscated string concatenation to build commands such as 'regsvr32' and '-silent', which is typical of Qbot's delivery mechanism to execute a second-stage payload via a LOLBin. a

Heuristics 4

ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `82e1e47d5ead737b15bb2148da65cf727043b2c8a73a6e4133c451f98570a39a`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3700 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.