A massive maldoc campaign delivering the QakBot/QBot banking trojan is detected. Qakbot leverages advanced techniques to evade detection and hamper manual analysis of the threat. QakBot attacks typically include a malicious attachment to a phishing email. Often these are bare Microsoft Word or excel documents attached to the spam email. This particular campaign features an xls file that includes macros within the document. These macros execute a PowerShell script that then downloads the Qakbot payload from specific URLs. The attackers use a common tactic to lure the victim to enable macros: when the target downloads the file, it asks the target to enable editing and then enable content in order to view the document.