Dridex — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 ff1052809231d4cb…

MALICIOUS

Office (OLE) / .XLS

783.5 KB Created: 2021-01-13 13:40:10 Authoring application: Microsoft Excel
MD5: 022df39104a3e7e4fdee4ae6a9e4ac5e SHA-1: 8a9581c2f9effa28c56bbab46dca6e112868d441 SHA-256: ff1052809231d4cbdb22a0e0b13a168d8d1c3468fe3256d629ce5407a3b135bd
288 Risk Score

Malware Insights

Dridex · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.002 Spearphishing Attachment

The presence of a Workbook_Open macro, along with heuristics indicating obfuscated VBA code and GetObject calls, strongly suggests malicious intent. The ClamAV detection and the numerous unknown-reputation URLs point towards a downloader or dropper functionality, likely for the Dridex banking trojan. The VBA macros are designed to execute automatically upon opening the workbook, and the embedded URLs are probable staging points for downloading additional malicious components.

Heuristics 9

  • ClamAV: Doc.Dropper.Dridex-9845759-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Dridex-9845759-0
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://GesDoc.fda.com.pe/wp-content/plugins/members/addons/members-acf-integration/XOIFkw1QtbqgkS.php
    • http://univertech.com/wp-includes/js/tinymce/plugins/charmap/huR9GcNBnM6.php
    • https://guides1815.be/admin_bkpe/fckeditor/editor/skins/default/vmLyYWik62.php
    • https://www.dropsitelite.it/wp-content/plugins/woocommerce-services/i18n/json/on0rRPN6iWl5uT.php
    • https://www.blackoutthebox.com/wp-content/plugins/woocommerce/src/Admin/NsWEtEuMIGClJnM.php
    • https://pm.marketingnetwork.it/wp-includes/js/tinymce/skins/lightgray/CcV1lWG3FwB1i.php
    • http://millepharma.com/1/storage/modification/catalog/controller/TuF2Sj1GiNaxO7W.php
    • https://wellnessway.co.za/wp-content/plugins/coming-soon-maintenance-mode-from-acurax/css/fonts/vSoOsa1e.php
    • https://sma.shardanovelty.co.in/vendor/psr/log/Psr/Log/kXNcyAm11boPD0d.php
    • https://www.testsurver.nl/everything/wp-content/uploads/2020/01/zuUDqJvjLWS.php
    • http://www.w3.org/1999/XSL/Transform

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
ea7490be7ec6eb87aea04cf3c6070b390cdc7bff2e24bbacccd6852305ed7d54		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 55787 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 125 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.