Dridex — Office (OOXML) malware analysis

Static analysis result for SHA-256 107e29b1f7cdb121…

MALICIOUS

Office (OOXML)

192.6 KB Created: 2021-05-07 10:38:19 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2021-05-29
MD5: 8e02726621bcd4c34435dd0a93f558b4 SHA-1: 8401552570139bb8274cca24b308d599c6c751f8 SHA-256: 107e29b1f7cdb121d9fdc3b5412fa4c04d67a73384d2302be2586ae2684fafae
102 Risk Score

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution

The ClamAV detection and the presence of numerous suspicious URLs strongly indicate a downloader. The document body contains strings like 'rundll32.exe Wscript.Shell ADODB.Stream GET MSXML2.XMLHTTP' which suggest the file is designed to download and execute a second-stage payload from one of the listed URLs. This behavior is consistent with the Dridex malware family, which often uses macro-enabled documents to initiate infection chains.

Heuristics 3

  • ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://adventphilomels.org/wp-includes/sodium_compat/src/Core32/ChaCha20/ecbCQtOlK8wLZzY.php In document text (OOXML body / shared strings)
    • https://multigranos.com.bo/wp-content/plugins/woocommerce/i18n/languages/xRrL7GcQN0.phpIn document text (OOXML body / shared strings)
    • https://kpleads.com/kpleads.ali/wp/wp-includes/js/codemirror/FA0MND35N.phpIn document text (OOXML body / shared strings)
    • https://gulfbeautygt.com/images/byaLcZQlkP5.phpIn document text (OOXML body / shared strings)
    • https://sitonyourassandmakemoney.com/wp-content/plugins/cartflows/theme-support/astra/sOR3qwEjQh3.phpIn document text (OOXML body / shared strings)
    • https://meaamarelmorshedy.com/cpx_admin/plugins/ckeditor/skins/moono/dla4Okf7bQ3.phpIn document text (OOXML body / shared strings)
    • https://lifezhonour.com/backup-11-06-2020/vendor/phpmailer/phpmailer/language/kuVnna5b5FX3Hps.phpIn document text (OOXML body / shared strings)
    • https://wypozyczalnia-dragon.pl/libraries/fof/integration/joomla/filesystem/v566mU4QOL0.phpIn document text (OOXML body / shared strings)
    • https://smarttechbv.com.br/wp-content/plugins/wp-fastest-cache/css/fonts/5kbCoM4jSnAI.phpIn document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.