Ldridex — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 86945231d2fab231…

MALICIOUS

Office (OLE) / .XLS

57.5 KB Created: 2020-09-30 12:37:26 Authoring application: Microsoft Excel
MD5: 2fd077d77e75c3ff2a72494c277851d1 SHA-1: a0767d559d2e1067397c867e147f100824b594c4 SHA-256: 86945231d2fab231a36cb13f6678744edc3458e02756c3bc4fac70c8edfb91b6
140 Risk Score

Malware Insights

Ldridex · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV and exhibits critical heuristic firings indicating the use of VBA macros to launch decoded Excel 4.0 macros. This suggests a common Ldridex infection chain, where macros are used to download and execute further stages of the malware. The VBA code appears to be obfuscated, but the core functionality points towards a downloader.

Heuristics 3

  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • ClamAV: Xls.Malware.Ldridex-9769692-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Ldridex-9769692-0
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
969c6a424b8042e4572c9a2a0c581234098254ab871ff852b3711202213082bb		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2635 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.