Dridex — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 fc5a17121ad0516c…

MALICIOUS

Office (OOXML) / .XLSM

Size: 302.6 KB
Created: 2021-02-22 13:15:14 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 1300c689660c97228a19c55931d43ad7
SHA-1: 7296cb7264e090a464b0ba25a6cd7aefb116abe8
SHA-256: fc5a17121ad0516ced4bcc4e375f2052a3a542846469c824f17566f170e95e9a
Risk Score: 268

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.005 Visual Basic
T1059.001 PowerShell

The critical ClamAV detections for 'Doc.Dropper.Dridex-9845759-0' strongly indicate the Dridex family. The presence of a Workbook_Open macro (OLE_VBA_WBOPEN) suggests that the VBA code executes automatically upon opening the document. The GetObject call (OLE_VBA_GETOBJ) is often used by malware to load and execute external components. The extracted artifact's ClamAV signature further corroborates the malware family and its dropper functionality. The VBA macros likely download and execute a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Dridex-9845759-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Dridex-9845759-0
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open auto-exec entry point: the VBA code runs as soon as the document is opened and macros are enabled.
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call: the macro instantiates an external COM object.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin; VBA macros are present.
  • Environ() call (environment variable access) [low] OLE_VBA_ENVIRON
    Environ() call: the macro reads environment variables.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 13b528aa0cc150d7d3fc5f403baa02e54407911e2df94246254748d15fd23dba
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 12425 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 109 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
SHA-256: 0ff9587646c2c4ace1186f7fa1792ea82f3938b49c1d5ce5ba25889ba1d1fd8b
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 53248 bytes
Detection: ClamAV: Doc.Dropper.Dridex-9845759-0
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.