MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.011 System Binary Proxy Execution: Rundll32
The sample contains VBA macros that are designed to execute commands via `rundll32.exe` and `Wscript.Shell`. The macro likely downloads and executes a second-stage payload from one of the embedded URLs. The ClamAV detection name 'Xls.Downloader.TrendMicroDridex0521-9860965-0' strongly suggests the Dridex malware family.
Heuristics 4
-
ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://adventphilomels.org/wp-includes/sodium_compat/src/Core32/ChaCha20/ecbCQtOlK8wLZzY.php In document text (OOXML body / shared strings)
- https://multigranos.com.bo/wp-content/plugins/woocommerce/i18n/languages/xRrL7GcQN0.phpIn document text (OOXML body / shared strings)
- https://kpleads.com/kpleads.ali/wp/wp-includes/js/codemirror/FA0MND35N.phpIn document text (OOXML body / shared strings)
- https://gulfbeautygt.com/images/byaLcZQlkP5.phpIn document text (OOXML body / shared strings)
- https://sitonyourassandmakemoney.com/wp-content/plugins/cartflows/theme-support/astra/sOR3qwEjQh3.phpIn document text (OOXML body / shared strings)
- https://meaamarelmorshedy.com/cpx_admin/plugins/ckeditor/skins/moono/dla4Okf7bQ3.phpIn document text (OOXML body / shared strings)
- https://lifezhonour.com/backup-11-06-2020/vendor/phpmailer/phpmailer/language/kuVnna5b5FX3Hps.phpIn document text (OOXML body / shared strings)
- https://wypozyczalnia-dragon.pl/libraries/fof/integration/joomla/filesystem/v566mU4QOL0.phpIn document text (OOXML body / shared strings)
- https://smarttechbv.com.br/wp-content/plugins/wp-fastest-cache/css/fonts/5kbCoM4jSnAI.phpIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 674 bytes |
SHA-256: 5e4b19e4e9de09c462ab65f16c272f5f34734be07861863f881268efc4517720 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "현재_통합_문서"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub function1()
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 10240 bytes |
SHA-256: 8681dc474ff6de43490ca1c907f015666ceffbde9ec6e11c8ef8fc8aa23809cd |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.