Dridex — Office (OOXML) malware analysis

Static analysis result for SHA-256 1bb83c99ecc393cc…

MALICIOUS

Office (OOXML)

27.4 KB Authoring application: Microsoft Excel 15.0300 First seen: 2021-05-23
MD5: 038e632992abfd53850f025af592114b SHA-1: dde35bcccb9d32c27dae482530c592216df8e2cf SHA-256: 1bb83c99ecc393ccce5d4bdaea2b0a036d4747574d72134671124f55d6f081ab
102 Risk Score

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1218.011 System Binary Proxy Execution: Rundll32

The file is detected as a Dridex downloader variant. The document body contains strings indicative of macro execution, including 'Wscript.Shell', 'rundll32.exe', and 'ADODB.Stream', suggesting it attempts to download and execute a second-stage payload. Multiple suspicious URLs were extracted, likely serving as the distribution points for this payload.

Heuristics 3

  • ClamAV: Xls.Downloader.DridexOffice0521-9863759-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.DridexOffice0521-9863759-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://2nub.es/lib/js/prettyphoto/images/prettyPhoto/DDndV1TI5lvC3M7.php In macro / runtime command snippet
    • https://jajainfo.net/zm/wp-content/uploads/2013/06/b4KjNHHVq5p.phpIn macro / runtime command snippet
    • https://radiotupa.multsis.com.br/4uGJ27Vj5.phpIn document text (OOXML body / shared strings)
    • https://a14.fiveghosting.com/fBSkQClRc.phpIn document text (OOXML body / shared strings)
    • https://trenerwpoznaniu.pl/classes/tinymce/themes/inlite/config/WjCKp9Cb.phpIn document text (OOXML body / shared strings)
    • https://e-commerce.sulmanrasheed.com/jNCNxrN8iGkYNh.phpIn document text (OOXML body / shared strings)
    • https://malsign.com/ICkPFoHIaO.phpIn document text (OOXML body / shared strings)