Dridex malware dropper - New doc 115.doc

On a pleasant morning I received an email with a doc attachment. The email did not have any text or message. The subject was the name of the attachment, ‘New Doc 115’. It was my curious mind (the place where the cat inevitably gets killed) that made me decide to analyse it. The email was actually identified as spam, likely because of the sender or maybe the attachment. But why?

OLE documents with malicious macros are not new, and this method is widely used to compromise a host. Once the doc file is accessed, the embedded macros are executed (security options always prompt the user to enable the macro). The following email is an example of such a social engineering attempt on my mailbox. The analysis was conducted to identify indicators of compromise and the motive of the document/macros.

[Screenshot: spam email]


Email Header Extract:

Looking at the email header we can see the sender is ali73_2008027@yahoo.co.uk with address

Attachment: New Doc 115.doc


The document has multiple macros. MS Word identifies them and shows security warnings. Once the macros are enabled, the document will drop malware and infect the host.

Below are the details of the doc file:

Filename New Doc 115.doc
Size 69632 bytes – 68 KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251
Author 1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Feb 10 08:02:00 2016, Last Saved Time/Date: Wed Feb 10 08:02:00 2016
Number of Pages 1, Number of Words: 0, Number of Characters: 0, Security: 0
MD5 98803eca69d946c5060316959f5d6eec
SHA1 41772ad8a7e7aec1b72286bf0b02c67a1a1baeb2
SHA256 421dd4156a7fa04da8c8eb9f3322b653d70cdb63bd1acb90b064202a2af2b5f2
SHA512 cd048439a1839bb8d82922684771ca20a01238185b493eedd82380f14ab0afbf210c4caf4c8dbcfb0146b47becfe72dbe5153e44d08dfd3723e0dda766b16a42
External site analysis Virus Total Link


Static Malware Analysis

This section shows methods for static malware analysis using OfficeMalScanner and Oledump.

OfficeMalScanner was used in info mode to extract the malicious macros.

  1. Extracted macros can be viewed in a text editor. The macros give some idea of what they are written to do.
  2. Function names within the macros are written in Spanish. Further information was identified using Oledump, as shown in the following screenshot. Macros are stored as streams in the Word doc.
  3. Oledump.py can be used to get the required information, as shown in the screenshot.

[Screenshot: oledump macro extract]

    oledump.py "pathtofile/New doc 115.doc"

[Screenshot: embedded object]

    oledump.py -s 7 "pathtofile/New doc 115.doc"

Stream 7 is the embedded object.

[Screenshot: SamboF macro]
Stream 14 – Interesting macro named ‘SamboF’
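How a tool can enumerate the streams of an OLE document, as an added example (not code from the original post and not oledump's own code). It reads the compound file header, the FAT and the directory chain, and lists every entry flat; the sample file, its "Macros" and "VBA" storages and the stream size are constructed for the demonstration and hold no stream data.

```python
import struct

MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound file signature
END, FREE = 0xFFFFFFFE, 0xFFFFFFFF           # ENDOFCHAIN / FREESECT
KINDS = {1: "storage", 2: "stream", 5: "root"}

def list_entries(data):
    """Return (name, kind, size) for each directory entry of a compound file."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    ssize = 1 << struct.unpack_from("<H", data, 0x1E)[0]   # sector size
    nfat, dir_sec = struct.unpack_from("<II", data, 0x2C)
    fat = []   # built from the header DIFAT only (first 109 FAT sectors)
    for s in struct.unpack_from("<109I", data, 0x4C)[:nfat]:
        fat += struct.unpack_from("<%dI" % (ssize // 4), data, (s + 1) * ssize)
    entries, seen = [], set()
    while dir_sec < len(fat) and dir_sec not in seen:      # follow the chain
        seen.add(dir_sec)
        base = (dir_sec + 1) * ssize
        for off in range(base, base + ssize, 128):         # 128-byte entries
            nlen, kind = struct.unpack_from("<HB", data, off + 0x40)
            if kind in KINDS:
                raw = data[off:off + min(nlen, 64) - 2]    # drop the UTF-16 NUL
                size = struct.unpack_from("<I", data, off + 0x78)[0]  # low 32 bits
                entries.append((raw.decode("utf-16-le", "replace"), KINDS[kind], size))
        dir_sec = fat[dir_sec]
    return entries

def _entry(name, kind, size=0):
    raw = (name + "\0").encode("utf-16-le")
    return raw.ljust(64, b"\0") + struct.pack(
        "<HBB3I16sI16xIQ", len(raw), kind, 1, FREE, FREE, FREE, b"", 0, 0, size)

def build_sample():
    """Constructed file: header, one FAT sector, one directory sector."""
    header = MAGIC + bytes(16) + struct.pack(
        "<5H6x9I", 0x3E, 3, 0xFFFE, 9, 6, 0, 1, 1, 0, 4096, END, 0, END, 0)
    header += struct.pack("<109I", 0, *[FREE] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, END, *[FREE] * 126)
    names = [("Root Entry", 5, 0), ("Macros", 1, 0), ("VBA", 1, 0),
             ("SamboF", 2, 3421)]          # sizes and layout are made up
    return header + fat + b"".join(_entry(*n) for n in names)

if __name__ == "__main__":
    for name, kind, size in list_entries(build_sample()):
        print(f"{kind:8} {size:6} {name}")
```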

Main Functions with translation:

  1. CIF as String
  2. Fecha as Date – Date as Date
  3. CuentaPropia2 as String – Own account2 as String
  4. cadSQL as String – cad SQL instance
  5. ConceptoTr as String – ConceptTr as String
  6. Tipo as Byte – Kind as Byte
  7. SufijoOEM as String – Suffix OEM

The functions are likely looking for specific attributes in a SQL database or in documents holding financial records.

Dynamic Malware Analysis

  1. Macros were enabled to see how the system behaves and what changes are made to the registry or processes.
  2. With Windows Defender enabled, the following signatures were triggered when the document was downloaded. [Screenshot: anti-virus detection]
  3. Ran the macros on a Windows VM with no anti-virus or anti-malware. On enabling macros, a file label8.exe is created under the user Temp directory. [Screenshot: label.exe process]
  4. Process Explorer with Virus Total integration was used to identify changes on the system and processes, which can be checked against Virus Total in real time, but no new process was identified besides label8.exe.
  5. PE Explorer and OllyDbg give an error when the file is accessed, saying it is not an EXE.

Opening the file in Notepad shows an HTML response code, as shown below:


  6. System performance was affected drastically: CPU usage went to 100%, as shown in the screenshot below. Ending the exe process improved the performance, and CPU usage returned to normal.

[Screenshot: CPU usage]

  7. The interface was being sniffed by the IPS with Emerging Threats; the traffic triggered the following signatures:

[Screenshot: IPS signatures]

Signature ET CURRENT_EVENTS Dridex AlphaNum DL Feb 10 2016 triggered. Interface shown: Snorby installed on Security Onion.

From the triggered signature we can say the communication was related to Dridex malware. The malware is designed to steal banking credentials and other personal information, such as the user's financial records. The following payload shows the host being communicated with: g-t-c.co.uk.

[Screenshot: Dridex payload]
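The check behind step 5, as an added example (not part of the original analysis): classify a dropped file by its content instead of its extension, so that a "label8.exe" that is really an HTML response is flagged during triage. The sample bytes, the second file name and the output field names are constructed for the demonstration.

```python
import hashlib
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound file (.doc) signature
HTML_STARTS = (b"<!doctype html", b"<html", b"<head", b"<body", b"http/1.")

def is_pe(data):
    """True only if the MZ header's e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(name, data):
    """Classify a dropped file by content and flag a misleading extension."""
    head = data[:256].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if data.startswith(OLE_MAGIC):
        kind = "ole-compound-file"
    elif is_pe(data):
        kind = "pe-executable"
    elif head.startswith(HTML_STARTS):
        kind = "html-or-http-text"
    else:
        kind = "unknown"
    claims_pe = name.lower().endswith((".exe", ".dll", ".scr"))
    return {"name": name, "kind": kind, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "mismatch": claims_pe and kind != "pe-executable"}

# Constructed samples: a minimal MZ/PE skeleton and an HTML error page.
FAKE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40) + b"PE\0\0"
HTML_BODY = b"\r\n<!DOCTYPE html>\n<html><body><h1>Not Found</h1></body></html>\n"

if __name__ == "__main__":
    for n, d in [("label8.exe", HTML_BODY), ("real.exe", FAKE_PE)]:
        print(triage(n, d))
```

A mismatch on a freshly dropped file usually means the download stage returned an error page instead of the payload, which is worth recording next to the network indicators.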


Indicators associated with the malware:

  1. 11.240.14 – g-t-c-co.uk
  2. ali73_2008027@yahoo.co.uk
  3. 122.52.162.226 –, Philippines

From the analysis we can say that users are still being targeted with specific types of malware such as Dridex, which is used for stealing banking credentials with intent for financial gain. The macros were identified as suspicious by Windows Defender and Virus Total, and therefore we can say the methods that were used to send the malware are known. Also, the email was actually identified as spam because the sender email was yahoo.co.uk.

Understand that the exposure level of a user is high, and so is the risk. Besides relying on anti-virus or a spam gateway, we must make sure users are aware of these techniques and educated with regard to spam and phishing.