Ldridex Office (OOXML) / .XLSM malware analysis — malicious · 3259221b5378b9c9

MALICIOUS

Office (OOXML) / .XLSM

27.9 KB Created: 2020-09-21 10:44:36 UTC Authoring application: Microsoft Excel 16.0300

MD5: 3df66d4122cd8692da6422fd16d0c1a4 SHA-1: 281211783851fcc2323ac8d1fa66a09789289bb7 SHA-256: 3259221b5378b9c9a983ae265527662c0c7856f6664a9a734754f549ee4d7a33

140 Risk Score

Malware Insights

Ldridex · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic

The file is an XLSM document, and static analysis detected the presence of VBA macros. ClamAV signatures identify the file as Xls.Malware.Ldridex-9768648-0, strongly suggesting it belongs to the Ldridex family. The embedded VBA macros are the primary mechanism for malicious activity, likely serving as a downloader for further stages.

Heuristics 3

ClamAV: Xls.Malware.Ldridex-9768648-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Ldridex-9768648-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `6dd09fcae616c588dcab782470b37344caca40942aff346ce73c53cf82b9424f`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2339 bytes
`vbaProject_00.bin` `aa7cf32d92e5b304607209b50cc4d244e67500e9354922f0d451c8b5d37ddf61`	vba-project	OOXML VBA project: xl/vbaProject.bin	20480 bytes
Detection ClamAV: Xls.Malware.Ldridex-9768648-0 Obfuscation or payload: unlikely
`emf_00.emf` `6ede5771a00081ce3710fec341a7c3a85896f0edeea5a7d1b6b39b15a833897d`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.