Ldridex Office (OOXML) / .XLSM malware analysis — malicious · 06300fe884cdb51d

MALICIOUS

Office (OOXML) / .XLSM

27.5 KB Created: 2020-09-28 12:54:55 UTC Authoring application: Microsoft Excel 16.0300

MD5: 0b720481849b29e18526c0484ec1b973 SHA-1: bc60a84ba4ae31c86c3b25c52e858d9b05e0ad00 SHA-256: 06300fe884cdb51d9687c523aa9088a37185e7e9f45d54d9dc396e72cd0285a3

200 Risk Score

Malware Insights

Ldridex · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file is an XLSM document containing VBA macros, which is a common delivery mechanism for malware. Heuristics indicate the use of ActiveX events to launch decoded Excel4 macros, a known technique for Ldridex. The VBA script itself is heavily obfuscated but appears to construct and execute commands, likely for downloading and executing a second-stage payload. ClamAV detections further confirm its malicious nature and identify it as Ldridex.

Heuristics 4

VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
ClamAV: Xls.Malware.Ldridex-9768648-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Ldridex-9768648-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `1a9bd445cd7cefbed97d3a0eb09c886f9a867b6103960d0cbf944527e5a2bf89`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2453 bytes
`vbaProject_00.bin` `9444d6bb391d3444fdee95fbb9e7c466ffeeaaff2c289a0f76ce1f2d00e4aebf`	vba-project	OOXML VBA project: xl/vbaProject.bin	22528 bytes
Detection ClamAV: Xls.Malware.Ldridex-9768648-0 Obfuscation or payload: unlikely
`emf_00.emf` `53a88b00b3c0368a97f07e5705cf02259ed019efd03221a3f484b750c1f9742f`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.