Ldridex — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 0cd93048071d46a1…

MALICIOUS

Office (OOXML) / .XLSM

31.1 KB Created: 2020-09-28 12:16:26 UTC Authoring application: Microsoft Excel 16.0300
MD5: a11c28222f89774c310eb6a0096339f3 SHA-1: 342f5f56b046fb9a85b0e89f3f9c0806210d3c8c SHA-256: 0cd93048071d46a1cb75de8902f20033caf1279f09caea9b8a8447023695208b
200 Risk Score

Malware Insights

Ldridex · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file is an XLSM document containing VBA macros. Heuristics indicate that an ActiveX event triggers a decoded Excel4 macro, a common technique for Ldridex. ClamAV detections confirm the presence of Ldridex malware. The VBA script appears to be responsible for executing the Excel4 macro, which likely downloads and executes a secondary payload.

Heuristics 4

  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • ClamAV: Xls.Malware.Ldridex-9768648-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Ldridex-9768648-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
95924c5c6e84821dce292e9b5c2aaef173340bfe74e1561c031c3d40788ff06e		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2446 bytes
vbaProject_00.bin
19f794666dcbaab6d21ec8e03e988699cde0aa4a0dff6c56ffa488264b20d3cf		 vba-project OOXML VBA project: xl/vbaProject.bin 21504 bytes
Detection
ClamAV: Xls.Malware.Ldridex-9768648-0
Obfuscation or payload: unlikely
emf_00.emf
0fc6a160858b578c6b0a5f57be14fbacaf7c6ba9dd2abc8496a3e483eaa84295		 ooxml-emf OOXML EMF part: xl/media/image1.emf 9596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.