TrendMicroDridex — Office (OOXML) malware analysis

Heuristics 3

• ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
• LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://adventphilomels.org/wp-includes/sodium_compat/src/Core32/ChaCha20/ecbCQtOlK8wLZzY.php

  • https://multigranos.com.bo/wp-content/plugins/woocommerce/i18n/languages/xRrL7GcQN0.php
  • https://kpleads.com/kpleads.ali/wp/wp-includes/js/codemirror/FA0MND35N.php
  • https://gulfbeautygt.com/images/byaLcZQlkP5.php
  • https://sitonyourassandmakemoney.com/wp-content/plugins/cartflows/theme-support/astra/sOR3qwEjQh3.php
  • https://meaamarelmorshedy.com/cpx_admin/plugins/ckeditor/skins/moono/dla4Okf7bQ3.php
  • https://lifezhonour.com/backup-11-06-2020/vendor/phpmailer/phpmailer/language/kuVnna5b5FX3Hps.php
  • https://wypozyczalnia-dragon.pl/libraries/fof/integration/joomla/filesystem/v566mU4QOL0.php
  • https://smarttechbv.com.br/wp-content/plugins/wp-fastest-cache/css/fonts/5kbCoM4jSnAI.php

Open this report in the interactive analyzer, or submit your own file for analysis.