Dridex — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 03ceb725e997c085…

MALICIOUS

Office (OOXML) / .XLSM

304.6 KB Created: 2021-02-24 11:53:34 UTC Authoring application: Microsoft Excel 15.0300
MD5: 857c15427dbacfa62f0cbb2d2a78aa71 SHA-1: d5d2faf8d019f0a84ab398663a591c6dd4978c3c SHA-256: 03ceb725e997c085e3cb226c4bdc43114fa9a7dfdbd7fe59a538b8d0206fec61
270 Risk Score

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical ClamAV detection 'Doc.Dropper.Dridex-9845759-0' strongly suggests the Dridex family. The Workbook_Open macro is designed to execute code, and the VBA script attempts to construct a URL and write data to a file, likely to download and execute a second-stage payload. The presence of multiple unknown URLs further supports this dropper functionality.

Heuristics 8

  • ClamAV: Doc.Dropper.Dridex-9845759-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Dridex-9845759-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://hashmiricemills.com.pk/prettyPhoto/images/default/default/OAca11pvIrMc.php
    • https://sideralfachadas.com.br/wp-includes/js/mediaelement/renderers/8T1xaQ5y2.php
    • https://treat.zeenodentals.com/wp-content/uploads/tcb_lp_templates/js/es48S99pyo.php
    • https://webriplex.com/wp-includes-old/SimplePie/Content/Type/iJpEbgsI.php
    • https://gerhard-schwerdtfeger.de/Lychee/Lychee-front/styles/frame/bP9OYSk0lpHpy.php
    • https://kiemtrathe.vn/files/ads/3921/thumb/2O9OeMK3O.php
    • https://demo.gruporoyale.net/_lib/libraries/sys/emogrifier/rKILr5dU3ONzhZ.php
    • https://amlokservicios.com/css/masterslider/skins/black-1/zUitGE0QufRU924.php
    • https://vonamarena.com/wp-content/themes/twentyfifteen/css/u5KqdPfgW.php
    • https://rafeu.com/lhbd/wp-includes/blocks/shortcode/BUleatY4IZ.php
    • http://www.w3.org/1999/XSL/Transform

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d55c52e12692ce5ad30d08234545940a4eacd552a855c86364e24f70c1e4c3d1		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 13171 bytes
vbaProject_00.bin
0b5227262ebaea0e1c44090d9d20906967da594022d43dac3ffd1d40da9b12bc		 vba-project OOXML VBA project: xl/vbaProject.bin 63488 bytes
Detection
ClamAV: Doc.Dropper.Dridex-9845759-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.