Dridex — Office (OOXML) malware analysis

Static analysis result for SHA-256 08d10ef7748120d6…

MALICIOUS

Office (OOXML)

27.6 KB Authoring application: Microsoft Excel 15.0300 First seen: 2021-05-23
MD5: eee2476648b4913a722a34300cc4a7c8 SHA-1: 59b7759aa77033d496baf075de228bbfc2f03a9c SHA-256: 08d10ef7748120d66b6b1c67052250b494026144b8ec40c168b81e6a7b95489b
102 Risk Score

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1218.011 System Binary Proxy Execution: Rundll32

The ClamAV detection and heuristic firings strongly indicate this is a Dridex downloader. The embedded document body contains strings like 'Wscript.Shell', 'rundll32.exe', and multiple URLs, suggesting it attempts to download and execute a second-stage payload. The presence of these elements, combined with the numerous suspicious URLs, supports a high confidence assessment.

Heuristics 3

  • ClamAV: Xls.Downloader.DridexOffice0521-9863759-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.DridexOffice0521-9863759-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://unitopinternational.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/FRFN29hqUueudn.php In macro / runtime command snippet
    • https://test933.estore.vlinkhosting.com/cIa0BLoA.phpIn document text (OOXML body / shared strings)
    • https://www.rebelda.com/wp-content/plugins/cm-pop-up-banners/package/css/utCERekg51.phpIn document text (OOXML body / shared strings)
    • https://tseboprocurement.co.za/inc/phpmailer/test_script/images/_notes/E3KYpyHWeU.phpIn document text (OOXML body / shared strings)
    • https://flexydeal.com/9cHA3CtT.phpIn document text (OOXML body / shared strings)
    • https://attendance.ehazira.com/bower_components/ckeditor/plugins/tableselection/styles/wCNDv2F8E.phpIn document text (OOXML body / shared strings)
    • https://irelandpony.com/index_htm_files/W61khLnS.phpIn document text (OOXML body / shared strings)
    • https://araitrade.com/dbi1vnDj.phpIn document text (OOXML body / shared strings)
    • https://radioguadalupanalavozcatolica.com/player/templates/simple/custom/ljMPklt0Jql.phpIn document text (OOXML body / shared strings)
    • https://kuwaitiurologist.com/beta/vendor/dnoegel/php-xdg-base-dir/src/VVWhvoXcz.phpIn document text (OOXML body / shared strings)