Dridex Office (OOXML) / .XLSM malware analysis — malicious · 11fafc693d218dc0

MALICIOUS

Office (OOXML) / .XLSM

174.5 KB Created: 2021-03-10 12:57:14 UTC Authoring application: Microsoft Excel 15.0300

MD5: 9e7bcabca8db4c9a17f371bdabf420dc SHA-1: efe180ce185bc598ea7a9bfd816f215ed474814b SHA-256: 11fafc693d218dc0d3d71182109670f6f4ec245a720869c0854795eabbc3e1af

330 Risk Score

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an XLSM file containing obfuscated VBA macros, specifically a Workbook_Open auto-execution routine. Heuristics indicate it uses GetObject and Environ calls, typical of loaders. ClamAV detection as 'Doc.Dropper.Dridex-9845759-0' strongly suggests a Dridex variant. The VBA script likely decodes and executes a second-stage payload, potentially using PowerShell, from one of the embedded URLs.

Heuristics 9

Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
ClamAV: Doc.Dropper.Dridex-9845759-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Dridex-9845759-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://events.mayein.org.ng/wp-includes/js/tinymce/themes/inlite/GZh9IlFfjwVU.php
- https://richarddesautels.com/wp-content/cache/busting/17/wp-content/OUJmUfSD1zVbZ3.php
- https://titan-no1.com/files/ck/_thumb/file/quick-folder/jXhrTKCM6wEoy.php
- https://vivianenadeau.com/wp-content/cache/object/24/9a2/icywrWArgw.php
- https://missions.tfnemag.com/libs/tinymce/plugins/visualblocks/css/NM00nao1znw3.php
- http://tecnosystem2000.net/js/jquery/plugins/validate/localization/unKo2pfEUOvrvC8.php
- https://greatismoney.com/wp-includes/js/tinymce/skins/lightgray/t2u7ycRQ1.php
- http://almarhoon.com.sa/form/wp-includes/SimplePie/Decode/HTML/LhkK9QjDc8.php
- https://avantgadget.com/ebayinfo/JspCxvFdqrAwxv.php
- https://rdebd.com/plugins/revolution/js/extensions/source/hWTXlpz1gFm9b.php
- http://www.w3.org/1999/XSL/Transform

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `491ad453fdf2861ea804fe526b5564c666dc5cfefcfd451237f9d3f2dd5c9150`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	16955 bytes
`vbaProject_00.bin` `520bf56c3fa8258f686fb90d88af7a98de7e5b1d932514a490e40dab53cb8629`	vba-project	OOXML VBA project: xl/vbaProject.bin	70656 bytes
Detection ClamAV: Doc.Dropper.Dridex-9845759-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.