Dridex — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 c2ae6cca4bde527b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 410.4 KB
Created: 2020-10-14 02:17:39 UTC
Authoring application: Microsoft Excel 16.0300
MD5: b6a151b822b29e787bb9a0b27b8b8587
SHA-1: 915c2e2729031ab960036154b8698567719a2a8b
SHA-256: c2ae6cca4bde527b4a77d84d609083f3607e0a13d73880fef50f3d32a15a4874
Risk Score: 220

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is an Excel spreadsheet containing a Workbook_Open macro that executes a shell command. This command downloads a file from 'http://globaltechhealthy.com/xt/osno-cryptec.exe' and saves it to the temporary directory as '%TEMP%\gJMSk.exe', which is then executed. The ClamAV detection name 'Xls.Downloader.DridexGreen09213-9890103-0' strongly suggests the Dridex family.

Heuristics (5)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • ClamAV: Xls.Downloader.DridexGreen09213-9890103-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.DridexGreen09213-9890103-0
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
    Workbook_Open macro
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 45cb8791381bddad5c8e73a36b8202a358ca18834b0af4167dd7d52ea310b63f
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1993 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 4 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
SHA-256: cff247fc87891d3da978bd6f0a364d3b4414b83f0c1cff46c6457eb3d3ae711a
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 16384 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 4 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.