Ldridex — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 5fb89556a960d00b…

MALICIOUS

Office (OOXML) / .XLSM

Size: 26.1 KB
Created: 2020-09-23 09:24:27 UTC
Authoring application: 16.0300
MD5: 1d38c53b6a342d860201088e4baa7076
SHA-1: b528dad6a44989aee0d3f65ebaa6fde5410c1be9
SHA-256: 5fb89556a960d00b2c7f6258a6357bd12f815f0fcaef7c1c8cdec44184f84216
Risk Score: 200

Malware Insights

Ldridex · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The file is an XLSM document containing VBA macros, which are known to be used for malicious purposes. Heuristics indicate the use of ActiveX events to launch decoded Excel 4.0 macros, a technique associated with the Ldridex family. The VBA code appears to obfuscate strings and execute commands, likely to download and run a second-stage payload.

Heuristics (4)

  • VBA ActiveX event launches decoded Excel4 macro · critical · OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
  • ClamAV: Xls.Malware.Ldridex-9768648-0 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Ldridex-9768648-0
  • ClamAV detection on extracted artifact · critical · EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA project inside OOXML · medium · OOXML_VBA
    Document contains a VBA project (VBA macros present)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

  • macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2186 bytes
    SHA-256: 168b7854f73277a6361cccad8928ced48942711225d7313e59d623ab09805d35
  • vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 20480 bytes
    SHA-256: 37ae15f2871f070db920c254f11e5a7232ec782c5588e622515898a74b8b8a36
    Detection: ClamAV: Xls.Malware.Ldridex-9768648-0
    Obfuscation or payload: unlikely
  • emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 1976 bytes
    SHA-256: 289f5a4af0055ab9abbe8cf110fe4e3827407560145dba39aa21028b266662a2