Dridex — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 78f52db2da1b4e83…

MALICIOUS

Office (OLE) / .XLS

Size: 787.5 KB
Created: 2021-01-27 17:52:51
Authoring application: Microsoft Excel
MD5: 819b100525cf774c00cf56b1767bb37b
SHA-1: 66249c6abf28f76722ac3463d129282357a8a51f
SHA-256: 78f52db2da1b4e83775f0326ecccad1cb9ddd62c7e94953112a973ebed0257d8
Risk Score: 142

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell

The file is detected as a Dridex dropper by ClamAV. Heuristics indicate the presence of Windows Script Host references and an auto-execution VBA macro that likely uses GetObject to execute code. Although VBA macros could not be extracted, the combination of these indicators strongly suggests the file's purpose is to download and execute a second-stage payload from one of the embedded URLs.

Heuristics (5)

  • ClamAV: Doc.Dropper.Dridex-9845759-0 [severity: critical, id: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Dridex-9845759-0
  • Reference to Windows Script Host [severity: high, id: SC_STR_WSCRIPT]
    Reference to Windows Script Host
  • VBA p-code auto-exec with execution tokens [severity: high, id: OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Unsupported Office format for VBA extraction [severity: info, id: OFFICE_FORMAT_UNSUPPORTED]
    olevba could not extract VBA macros (AssertionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL [severity: info, id: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.