Dridex — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 9e2e53a384fe4641…

MALICIOUS

Office (OLE) / .XLS

Size: 792.0 KB | Created: 2021-01-13 16:30:08 | Authoring application: Microsoft Excel
MD5: 1591b2551c119472366dbb437c9a12f2
SHA-1: 5e0e2ae88a7c7f70b288392583e0b955ebf0c715
SHA-256: 9e2e53a384fe464132f9a1c4918db48a933558c946fae7ef2aeed6b7ff59caae
Risk score: 142

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell

The ClamAV detection and the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic strongly suggest this file is a Dridex variant. The presence of embedded URLs indicates a likely downloader functionality, aiming to retrieve and execute a secondary payload. Although VBA macros could not be extracted, the heuristic firings are sufficient to assess the file's malicious intent.

Heuristics (5)

  • ClamAV: Doc.Dropper.Dridex-9845759-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Dridex-9845759-0
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Unsupported Office format for VBA extraction [info] OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AssertionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.