High
QBot, aka QakBot, is financial malware and has been active for some ten years is recently active and targeting different users in different regions. QBot variant which was delivered through a malicious Word document., while the of delivery method of the document is unknown, typically such malicious Word files are delivered using email. If a victim opens the document, they will be asked to enable macros which are required to initiate the infection process. The locations from which the malware is downloaded are located in Base64-encoded strings within the code. Once the download has been completed, the downloaded file will be executed. The payload is packed to help avoid detection and when executed will load QBot into memory. Several checks are then carried out to determine if the malware is running in a virtual machine or sandbox, if certain analysis tools are running, and it also checks CPU information. During analysis, QBot was frequently upgrading its payload file.