Dridex — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 071f3951bd5d9da6…

MALICIOUS

Office (OOXML) / .XLSM

281.8 KB Created: 2021-02-24 13:08:42 UTC Authoring application: Microsoft Excel 15.0300
MD5: dce367235bc385c3d01af98761146bc2 SHA-1: 46cfcd42201ac8c76c2c8524d5edeb4910172d05 SHA-256: 071f3951bd5d9da60ccfa0cb60f250af78bcea76a06cfcfe39e7506761d9dd02
270 Risk Score

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an XLSM file containing a Workbook_Open macro, which is a common technique for executing malicious VBA code. The VBA code is obfuscated but likely uses GetObject to download and execute a second-stage payload from one of the embedded URLs. ClamAV detection confirms this as a Dridex variant, a known banking trojan.

Heuristics 8

  • ClamAV: Doc.Dropper.Dridex-9845759-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Dridex-9845759-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://shoproquo.com/wp-content/plugins/nextend-facebook-connect/NSL/pKe774Ttfx8lK.php
    • https://alapon.pw/wp-content/plugins/classic-editor/js/oZp5DmYq5djUmjR.php
    • https://alneembac.com/wp-content/plugins/sprout-invoices/bin/9ixR07p72y5oC.php
    • https://zuenajoyeria.com.mx/wp-includes/Requests/Exception/HTTP/hMbUCLSD77P.php
    • https://kiemtrathe.vn/files/ads/3921/thumb/2O9OeMK3O.php
    • https://gerhard-schwerdtfeger.de/Lychee/Lychee-front/styles/frame/bP9OYSk0lpHpy.php
    • https://sideralfachadas.com.br/wp-includes/js/mediaelement/renderers/8T1xaQ5y2.php
    • https://phetmantra.nl/img/fotos/aB8EBhAdQ.php
    • https://treat.zeenodentals.com/wp-content/uploads/tcb_lp_templates/js/es48S99pyo.php
    • https://demo.gruporoyale.net/_lib/libraries/sys/emogrifier/rKILr5dU3ONzhZ.php
    • http://www.w3.org/1999/XSL/Transform

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
f3f24d681045622aa1a5b5adc12d17cfec6d8e8ae73012eb001ef12f26ce31ea		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 14789 bytes
vbaProject_00.bin
f73726ce0d07be8d2c543e4da74b8b36d81a86ef9698e33b80de86a34f03b6bf		 vba-project OOXML VBA project: xl/vbaProject.bin 61952 bytes
Detection
ClamAV: Doc.Dropper.Dridex-9845759-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.