Dridex — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 9fc3c2fe4ac3e347…

MALICIOUS

Office (OOXML) / .XLSX

Size: 320.5 KB · Created: 2021-08-09 10:17:00 UTC · Authoring application: Microsoft Excel 12.0000
MD5: b0c850817622130e9b8c110489d56a0d
SHA-1: 77949c21e1a5337f8ea97e1609973634d3a49de2
SHA-256: 9fc3c2fe4ac3e347251ac9c5680d5f8822623e92897efca843cc154dd5df08ee
Risk Score: 298

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.003 Windows Command Shell

The sample is identified as a Dridex dropper by ClamAV. The Workbook_Open macro within the VBA project is designed to execute code: it constructs the path 'C:\Users\AllUsers\aqNeIPZt.sct' by concatenating the 'allusersprofile' environment variable with a filename, and writes this path to the active workbook. This indicates the macro's intent is to download and execute a second-stage payload, likely an SCT file, from a remote location. The presence of Excel 4.0 macro sheets further supports the malicious nature of the document.

Heuristics 9

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • ClamAV: Xls.Dropper.Dridex-9893342-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Dridex-9893342-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • External hyperlinks (2) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 2 external hyperlinks — clickable URLs are stored as external relationships. First target: http://www.shipco.com/
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.shipco.com/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, Detection.

macros.bas
  SHA-256: 415da917da90d316669eae6dbfcf88b337c55f912e7fa8973ebadb8e01273120
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 1034 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)

vbaProject_00.bin
  SHA-256: ce6f0c563eed9e98ed141a8ecb1a7a37161edee1e467a487138d118bb19f2eec
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 14848 bytes
  Detection: ClamAV: Xls.Dropper.Dridex-9893342-1
  Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)

xlm_sheet_00.bin
  SHA-256: 7a8e742f32137b527ee5e0768e4f7d23309f2c9f3b0b1f90312b8396d7f18d58
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
  Size: 463372 bytes