Dridex — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 38fb2c278f253f55…

MALICIOUS

Office (OOXML) / .XLSM

630.2 KB Created: 2021-05-10 16:23:13 UTC Authoring application: Microsoft Excel 15.0300
MD5: a840b634bf3e082faa0ee20824ca2bdd SHA-1: 562ae1eaeb4cf47da71727d66d39a29f0271ee98 SHA-256: 38fb2c278f253f55227327d21c9919b60e7a8c8407769cd92d79c8ec7c038e3e
248 Risk Score

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The critical ClamAV detection and high-severity heuristics for Workbook_Open macros and CreateObject calls strongly indicate a Dridex downloader. The VBA code likely uses CreateObject to instantiate MSXML2.XMLHTTP and ADODB.Stream objects to download and execute a second-stage payload from one of the numerous embedded URLs. The presence of Environ() calls suggests potential environment variable manipulation for payload staging or execution.

Heuristics 8

  • ClamAV: Xls.Downloader.DridexOffice0521-9863759-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.DridexOffice0521-9863759-0
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://unitopinternational.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/FRFN29hqUueudn.php
    • https://test933.estore.vlinkhosting.com/cIa0BLoA.php
    • https://www.rebelda.com/wp-content/plugins/cm-pop-up-banners/package/css/utCERekg51.php
    • https://tseboprocurement.co.za/inc/phpmailer/test_script/images/_notes/E3KYpyHWeU.php
    • https://flexydeal.com/9cHA3CtT.php
    • https://attendance.ehazira.com/bower_components/ckeditor/plugins/tableselection/styles/wCNDv2F8E.php
    • https://irelandpony.com/index_htm_files/W61khLnS.php
    • https://araitrade.com/dbi1vnDj.php
    • https://radioguadalupanalavozcatolica.com/player/templates/simple/custom/ljMPklt0Jql.php
    • https://kuwaitiurologist.com/beta/vendor/dnoegel/php-xdg-base-dir/src/VVWhvoXcz.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5b5b659346a72bf1e68ee9e0b46d5dc80117cdde6b1d4c3155530ddf2a73d750		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 432321 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
9870db719d6a333ac12414cf519a792122c78f9e39ad7a7562df8e759c7efade		 vba-project OOXML VBA project: xl/vbaProject.bin 900096 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.