Microsoft Office Macros are back with Dridex Trojan (October 2, 2015)


The Dell Sonicwall Threats team recently observed the return of malicious macros in Microsoft Office documents. These malicious macros are downloading the banking trojan, Dridex.

Infection Cycle:

The spam email spreads this threat with the subjects such as Please print from an email address from UK.

The attachment is an word document (Order-SO00653333-1.doc)(detected as GAV: Downloader.B_7(Trojan) ) which contains the malicious macros. When it is opened, it is a blank document. It states that the macros should be enabled to see the document. By default, these are disabled.

During analysis, the malicious word document had these strings embedded inside:


The document has keywords “AutoOpen” which indicates: “Runs when the Word document is opened” and “AutoClose” which indicates: “Runs when the Word document is closed”.
These are embedded in the VBA macros which auto-execute.

Once the macros are enabled, the user still cannot see any content on the word document. The macros are used to enable the downloading of the Dridex banking malware from domains controlled by the attackers.

It then downloads an executable 1111.exe [detected as GAV: Dridex.B (Trojan)].

This banking trojan tries to steal information from the victim’s machine post it to the remote Command & Control servers.

The Dell SonicWall threats team urges users to not fall for these scams. The SonicWALL customers with “block office files with VBA macros” checkbox enabled are already protected from this threat.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Downloader.B_7 (Trojan)
  • GAV: Dridex.B (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.