dridex — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 c7a5355292d142a1…

MALICIOUS

Office (OOXML) / .XLSX

Size: 312.2 KB
Created: 2021-08-09 10:17:00 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 5667c85d79b7c1635d7537f6ccd1b7e9
SHA-1: 88916cc28ee6610aa160cd77ee8e0a645ed2e6b2
SHA-256: c7a5355292d142a194df03e29b51a2db3bd819653d95615954b2a830bb4eb70d
Risk Score: 298

Malware Insights

dridex · confidence 95%

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The sample is an Excel file containing a Workbook_Open macro and Excel 4.0 (XLM) macros. The Workbook_Open macro writes a script (.sct) file to '%ALLUSERSPROFILE%\uHSRFZoHUCNxQyP.sct', a path resolved from the ALLUSERSPROFILE environment variable. The presence of Excel 4.0 macros together with the ClamAV signature 'Xls.Dropper.Dridex-9893342-1' strongly indicates a Dridex dropper. The embedded URL is likely used to retrieve later stages of the attack.

Heuristics 9

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • ClamAV: Xls.Dropper.Dridex-9893342-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Dridex-9893342-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • External hyperlinks (2) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 2 external hyperlinks — clickable URLs are stored as external relationships. First target: http://www.shipco.com/
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.shipco.com/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size, Detection

  • macros.bas
    SHA-256: f45c3f8727cb3e61228d96c9fdb0ed4df4de2dd2c6f569eeb4f1e0d4cd52c475
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1041 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)
  • vbaProject_00.bin
    SHA-256: 97c169e7de8aba706c263ce30d8d6e0e3d68ee58c4b1e38482c42f13ac49115b
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 14848 bytes
    Detection: ClamAV: Xls.Dropper.Dridex-9893342-1
    Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)
  • xlm_sheet_00.bin
    SHA-256: 20e7ed4fec49967bad1661d521c3f4bd4739b2d17be7a7d1b82c00ca9971fa59
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
    Size: 327730 bytes