{
	"id": "ebb2af10-ccea-48ba-be5c-ea47963d1cfa",
	"created_at": "2026-04-06T00:21:52.287385Z",
	"updated_at": "2026-04-10T03:22:12.847827Z",
	"deleted_at": null,
	"sha1_hash": "68139d9ca68e6444cf88f26dd1d761865b46f514",
	"title": "QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 874666,
	"plain_text": "QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal\r\nBy Arnold Osipov\r\nArchived: 2026-04-05 13:09:41 UTC\r\nIntroduction\r\nMorphisec Labs has tracked a massive maldoc campaign delivering the QakBot/QBot banking trojan, starting earlier this month. QakBot leverages advanced techniques to evade detection and hamper manual analysis of the threat. In this post we describe two of those techniques.\r\nQakBot attacks typically include a malicious attachment to a phishing email. Often these are bare Microsoft Word documents attached to the spam email. This particular campaign features a ZIP file; within the ZIP attachment is a Word document that carries macros. These macros execute a PowerShell script that then downloads the QakBot payload from specific URLs.\r\nThis particular QakBot campaign also includes two new techniques: a bypass of content disarm and reconstruction (CDR) technology by zipping the Word document, and a bypass of parent-child pattern detection because the Visual Basic script is launched through Explorer.\r\nQakBot Technical Analysis\r\nThe first step in the attack chain is a phishing email sent with a ZIP file attached. As in classic phishing attacks, the email is designed to encourage the target to click on the file and download it. Phishing through ZIP is very popular today, and you would expect to find an executable inside the archive; in this case it was just a plain Word phishing document. The question then is why an attacker would send a document inside a ZIP rather than attaching it directly.\r\nThe reason is that many content disarm and reconstruction (CDR) systems strip all malicious artifacts from a document delivered directly as an attachment, but do not apply the same treatment to documents packed inside an archive. 
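A gateway-side check that closes this gap, added here as an illustration and not part of Morphisec's analysis or tooling: it unpacks a ZIP attachment, recurses into nested archives, and flags any OOXML document carrying a vbaProject.bin part (where Word stores VBA) as well as any legacy OLE document, so that CDR or a sandbox sees what the archive was hiding. The sample archives are constructed inside the code; the file names, the nesting limit and the per-member size limit are arbitrary choices for the example.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')   # CFB header: legacy .doc/.xls/.ppt
ZIP_MAGIC = bytes.fromhex('504b0304')           # local file header: ZIP and OOXML
MAX_DEPTH = 3                                    # assumed nested-archive limit
MAX_MEMBER = 50 * 1024 * 1024                    # assumed per-member inflate limit


def _zip_names(data):
    '''Member names if data parses as a ZIP container, else None.'''
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return {i.filename for i in z.infolist()}
    except zipfile.BadZipFile:
        return None


def inspect_attachment(name, data, depth=0, findings=None):
    '''Recurse through archives and report Office content that must not
    bypass CDR. Returns a list of (path, verdict) tuples.'''
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        findings.append((name, 'nesting-too-deep'))
        return findings
    if data.startswith(OLE_MAGIC):
        # Legacy binary document: macros live in OLE streams, hand it to CDR.
        findings.append((name, 'legacy-ole-document'))
        return findings
    names = _zip_names(data)
    if names is None:
        return findings                          # not a container at all
    if '[Content_Types].xml' in names:
        # OOXML document: VBA is always packaged as a vbaProject.bin part.
        if any(n.lower().endswith('vbaproject.bin') for n in names):
            findings.append((name, 'ooxml-with-vba'))
        return findings
    # Plain ZIP: look at every member, the step the attacker bets CDR skips.
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            member = name + '/' + info.filename
            if info.file_size > MAX_MEMBER:
                findings.append((member, 'member-too-large'))
                continue
            inspect_attachment(member, z.read(info), depth + 1, findings)
    return findings


# Constructed samples for this example (no real campaign files are used).
def _build_ooxml(with_macro):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('word/document.xml', '<w:document/>')
        if with_macro:
            z.writestr('word/vbaProject.bin', OLE_MAGIC + bytes(64))
    return buf.getvalue()


def _build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        for member_name, member_data in members.items():
            z.writestr(member_name, member_data)
    return buf.getvalue()


SAMPLE_CLEAN = _build_zip({'report.docx': _build_ooxml(False)})
SAMPLE_MALDOC = _build_zip({'invoice.docm': _build_ooxml(True)})
SAMPLE_NESTED = _build_zip({'inner.zip': _build_zip({'old.doc': OLE_MAGIC + bytes(512)})})

if __name__ == '__main__':
    for label, blob in (('clean', SAMPLE_CLEAN), ('maldoc', SAMPLE_MALDOC), ('nested', SAMPLE_NESTED)):
        print(label, inspect_attachment(label + '.zip', blob))
```

The point is the recursion: the same check applied only to the outer attachment sees a plain ZIP and nothing else, which is exactly what the attacker counts on. The depth and size limits keep a crafted archive from turning the check itself into a decompression bomb.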
Sending the Word document inside a ZIP file, as the attacker does here, is therefore a simple way to get past CDR.\r\nhttps://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques\r\nPage 1 of 6\n\nFigure 1: An example of the phishing email the target receives\r\nThe ZIP file contains a Microsoft Word document. The attackers use a common tactic to lure the victim into enabling macros: when the target opens the file, it asks the target to enable editing and then enable content in order to view the document.\r\nFigure 2: The maldoc asks the target to enable editing and to enable content\r\nWhen we looked at the macros, we noticed two automatically triggered functions: AutoOpen and AutoClose. As the names suggest, these two functions run when the document is opened and when it is closed.\r\nFigure 3: The AutoOpen and AutoClose triggered functions\r\nThe AutoOpen function creates a decoy VBS file filled with spaces in the ProgramData directory, then triggers the AutoClose function by executing the command Application.Quit.\r\nWhen triggered, the AutoClose function writes the content stored in the form caption into another VBS file in ProgramData, which it then executes through the WScript.Shell Exec method with the command “explorer.exe C:\\ProgramData\\Portes.vbs”, stored in the DefaultTargetFrame property. Executing through explorer.exe is simple but still very uncommon: the script host is started by explorer.exe rather than directly by WINWORD.EXE, which breaks the parent-child pattern recognition that many EDR products rely on. This may reduce the score of the attack just enough to stay under the radar.\r\nFigure 4: WScript.Shell\r\nWhen the script runs, it dumps a couple of commands to a separate batch script and executes it. 
The batch script kills the WINWORD.EXE process, then runs a PowerShell command that iterates over several URLs. If one is active, it downloads and executes the payload, which is QakBot (QBot). Last, the batch script deletes all of the artifacts from the infected machine.\r\nConclusions\r\nMorphisec identified an increase in QakBot/QBot delivery during the last several months. EDRs and AVs have a hard time detecting distributed behaviour in which no single process does something malicious, but all the processes combined act in a malicious way. We identified a similar execution pattern in the delivery of other malware such as Emotet, Tesla and more.\r\nA proactive, prevention-first approach to cybersecurity is key to protecting your enterprise against these evasive threats. This approach includes hardening your environment or deploying advanced preventive technology in your enterprise. Morphisec’s Automated Moving Target Defense technology immunizes your enterprise and protects you against advanced evasive threats such as QakBot.\r\n
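The distributed behaviour described in the conclusion is easier to see over events than in prose. The following is an added example, not Morphisec's detection logic: it takes constructed process-creation events shaped like Sysmon Event ID 1 fields (timestamp, pid, parent pid, image, command line), modelled on the chain in this analysis, and scores the chain as a whole rather than each process alone. It assumes that the explorer.exe instance spawned by WINWORD.EXE hands the file to the already-running desktop shell, so wscript.exe shows up as a child of that shell and not of the Office process; the script host is therefore joined to the Office process by the script path it shares with the explorer.exe command line, not by process lineage. The indicator weights, the threshold and all process IDs are arbitrary choices for the example.

```python
import re
from collections import defaultdict, namedtuple

# Sysmon Event ID 1 style process-creation record (constructed for this example).
Event = namedtuple('Event', 'ts pid ppid image cmdline')

OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
# First command-line token that ends in a script-host extension.
SCRIPT_PATH = re.compile('([^ ]+[.](?:vbs|vbe|js|jse|wsf|hta))([ ]|$)', re.I)
DOWNLOAD_HINTS = ('downloadfile', 'downloadstring', 'invoke-webrequest', 'start-bitstransfer')

# Assumed weights: no single step reaches the alert threshold on its own.
W_HANDOFF, W_HOST, W_KILL_OFFICE, W_DOWNLOADER = 2, 2, 1, 3
ALERT_THRESHOLD = 6

# Constructed events modelled on the chain in the analysis; pids are arbitrary.
# The script host (4300) is a child of the desktop shell (4000), not of Word (4100).
SAMPLE_EVENTS = [
    Event(0, 4000, 900,  'explorer.exe',   'C:\\Windows\\explorer.exe'),
    Event(1, 4100, 4000, 'WINWORD.EXE',    'WINWORD.EXE /n C:\\Users\\u\\Downloads\\invoice.doc'),
    Event(2, 4200, 4100, 'explorer.exe',   'explorer.exe C:\\ProgramData\\Portes.vbs'),
    Event(3, 4300, 4000, 'wscript.exe',    'wscript.exe C:\\ProgramData\\Portes.vbs'),
    Event(4, 4400, 4300, 'cmd.exe',        'cmd.exe /c C:\\ProgramData\\run.bat'),
    Event(5, 4500, 4400, 'taskkill.exe',   'taskkill /f /im WINWORD.exe'),
    Event(6, 4600, 4400, 'powershell.exe', 'powershell -nop -w hidden (New-Object Net.WebClient).DownloadFile(...)'),
    # Benign noise: another document opened from the shell, and a logon script.
    Event(7, 5000, 4000, 'WINWORD.EXE',    'WINWORD.EXE /n C:\\Users\\u\\Documents\\notes.docx'),
    Event(8, 5100, 4000, 'wscript.exe',    'wscript.exe C:\\Scripts\\logon.vbs'),
]


def _script_path(cmdline):
    m = SCRIPT_PATH.search(cmdline)
    return m.group(1).lower() if m else None


def score_office_chains(events):
    '''Score each Office process by the behaviour of the chain it set in
    motion. Returns {office_pid: (score, [reasons])}; Office processes that
    never spawned an explorer.exe hand-off are absent from the result.'''
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    def descendants(pid):
        out = []
        for c in children[pid]:
            out.append(c)
            out.extend(descendants(c.pid))
        return out

    results = {}
    for office in events:
        if office.image.lower() not in OFFICE_APPS:
            continue
        score, reasons = 0, []
        for child in children[office.pid]:
            path = _script_path(child.cmdline)
            if child.image.lower() != 'explorer.exe' or path is None:
                continue
            score += W_HANDOFF
            reasons.append('explorer.exe hand-off of ' + path)
            # Lineage is broken here: join the script host on the shared path,
            # accepting only hosts started at or after the hand-off.
            hosts = [h for h in events
                     if h.image.lower() in SCRIPT_HOSTS
                     and h.ts >= child.ts
                     and _script_path(h.cmdline) == path]
            for host in hosts:
                score += W_HOST
                reasons.append('script host pid %d ran %s' % (host.pid, path))
                for d in descendants(host.pid):
                    img, cl = d.image.lower(), d.cmdline.lower()
                    if img == 'taskkill.exe' and any(app in cl for app in OFFICE_APPS):
                        score += W_KILL_OFFICE
                        reasons.append('script chain killed the Office process')
                    if img == 'powershell.exe' and any(hint in cl for hint in DOWNLOAD_HINTS):
                        score += W_DOWNLOADER
                        reasons.append('PowerShell downloader under the script host')
        if score:
            results[office.pid] = (score, reasons)
    return results


def alerts(events, threshold=ALERT_THRESHOLD):
    '''Office pids whose correlated chain score reaches the threshold.'''
    return sorted(pid for pid, (score, _) in score_office_chains(events).items()
                  if score >= threshold)


if __name__ == '__main__':
    for pid, (score, reasons) in score_office_chains(SAMPLE_EVENTS).items():
        print(pid, score, reasons)
    print('alerts:', alerts(SAMPLE_EVENTS))
```

Each indicator on its own stays below the threshold, which is how a per-process scorer misses this chain; only the correlated sum crosses it. The benign WINWORD.EXE instance with no explorer.exe hand-off and the wscript.exe running an unrelated script under the shell both score nothing, and a decoy explorer.exe launch with no script argument would not start the correlation at all.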
\n\nIOCs (SHA-1):\r\nDocs:\r\n8253ed3b08ab8996d471af5d25a7223d8c259f45\r\nbe852364d22d508f8ef601bb3bc9eac6bd98713b\r\nd772f78169d9ba175d22c8ecf1a0c3f0328ff6eb\r\n2bd118bb81b709b1013d7ffd8789f05d4e1f734f\r\n78f498003afb55d18207ab7bb22170c6c8c7ef98\r\n39d29aa254c55a5222ea0ec63dc22da67e3b483d\r\n295e604af22f8ced8fe5349765d345507fd3c079\r\nQakBot (QBot):\r\n791179b20d936cf76d885d1949d4a50a295b4918\r\ne36af99c29a474f82cd57f2736b9d1b5ecadfdfd\r\nb841a34ec95bd1c3d1afe6d578aadef9439f3c38\r\ne7480e6adb6af1c992bc91605e4bba682d76c43d\r\n952917654b5c0328a31c3bbd8c7bf7a70a4a82e7\r\n58b023e339a9557adbdbf0de63c0584500438b9b\r\n147101a88cc1fe91bac9161425986a1c1e15bc16\r\nURLs:\r\nhxxp://akindustrieschair.com/smuvtnrgvmd/55555.png\r\nhxxp://nashsbornik.com/rqzvoxtjyhw/555555.png\r\nhxxp://maplewoodstore.com/rmwclxnbeput/555555.png\r\nhxxp://akersblog.top/kipql/555555.png\r\nhxxp://all-instal.eu/mgpui/555555.png\r\nhxxp://ankaramekanlari.net/vmnzwr/555555.png\r\nhxxp://optovik.store/bkatah/555555.png\r\nhxxp://store.anniebags.com/qyvbyjaiu/555555.png\r\nhxxp://atsepetine.com/evuyrurweyib/555555.png\r\nhxxp://duvarsaatcisi.com/gbmac/555555.png\r\nhxxp://rijschoolfastandserious.nl/rprmloaw/111111.png\r\nhxxp://nanfeiqiaowang.com/tsxwe/111111.png\r\nhxxp://forum.insteon.com/suowb/111111.png\r\nhxxp://webtest.pp.ua/yksrpucvx/111111.png\r\nhxxp://quoraforum.com/btmlxjxmyxb/111111.png\r\nhxxp://quickinsolutions.com/wfqggeott/111111.png\r\nhxxp://bronco.is/pdniovzkgwwt/111111.png\r\nhxxp://studiomascellaro.it/wnzzsbzbd/111111.png\r\nhxxp://craniotylla.ch/vzufnt/111111.png\r\nhxxp://marineworks.eu/dwaunrsamlbq/111111.png\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at Black Hat and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. 
Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques"
	],
	"report_names": [
		"qakbot-qbot-maldoc-two-new-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775434912,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/68139d9ca68e6444cf88f26dd1d761865b46f514.pdf",
		"text": "https://archive.orkl.eu/68139d9ca68e6444cf88f26dd1d761865b46f514.txt",
		"img": "https://archive.orkl.eu/68139d9ca68e6444cf88f26dd1d761865b46f514.jpg"
	}
}