TrendMicroDridex — Office (OOXML) malware analysis

Static analysis result for SHA-256 e8e0507984ad601d…

MALICIOUS

Office (OOXML)

Size: 192.6 KB
Authoring application: Microsoft Excel 15.0300
First seen: 2021-05-23
MD5: a67d220f33a706ce932252aeeaa41b06
SHA-1: ce7c2fc7d9b81540123f91a34192274797d0294c
SHA-256: e8e0507984ad601d94c9e93f79bdcbec84273a0b473b301e792ae2491708ded4
Risk score: 102

Malware Insights

TrendMicroDridex · confidence 95%

MITRE ATT&CK
T1218.011 System Binary Proxy Execution: Rundll32
T1566.001 Spearphishing Attachment

The file is detected as Xls.Downloader.TrendMicroDridex by ClamAV, indicating downloader functionality. The document body contains strings such as 'Wscript.Shell' and 'rundll32.exe' which, combined with the embedded URLs, suggest an attempt to execute a malicious payload downloaded from one of the listed URLs. This pattern is consistent with a spearphishing attachment delivering second-stage malware.

Heuristics (3)

  • ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
  • LOLBin token sequence in document text (severity: high, id: SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.