{
	"id": "e378ed6e-e0ad-4e4f-9607-f5a5e069b6e4",
	"created_at": "2026-04-06T00:07:49.185841Z",
	"updated_at": "2026-04-10T13:12:10.276815Z",
	"deleted_at": null,
	"sha1_hash": "b88c893d45520db3492e5b5f85a8635c28412265",
	"title": "Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2240118,
	"plain_text": "Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain\r\nCase Studies\r\nBy Saqib Khanzada\r\nPublished: 2022-05-19 · Archived: 2026-04-05 18:23:59 UTC\r\nExecutive Summary\r\nIn Part 1 of this two-part blog series, we discussed briefly how XLL files are exploited to deploy Agent Tesla.\r\nDuring December 2021, we continued to observe Dridex and Agent Tesla exploiting XLL in different ways for\r\ninitial payload delivery. A more in-depth look at the Dridex infection chain follows.\r\nThreat actors behind Dridex have been using various delivery mechanisms over the years. In early 2017, we\r\nobserved plain VBScript and JavaScript were being used. In later years, we observed many variations, including\r\nMicrosoft Office files (DOC, XLS) compressed in zip. In 2020, we found the malware using Discord and other\r\nlegitimate services to download the final payload. More recently, during December 2021, we received various\r\nDridex samples, which were exploiting XLL and XLM 4.0 in combination with Discord and OneDrive to\r\ndownload the final payload.\r\nIn our previous blog focused on XLL files and Agent Tesla, we saw the abuse of the legitimate Excel-DNA\r\nframework. In this blog post, we will look into other infection chains. We will discuss different stages of the XLL\r\nand Excel 4 (XLM) droppers that deliver Dridex samples. 
We will also briefly look at the Dridex Loader.\r\nPalo Alto Networks customers receive protections against the attacks discussed here through Cortex XDR or the\r\nWildFire cloud-delivered security subscription for the Next-Generation Firewall.\r\nXLM Dropper\r\nWhile XLM 4.0 is not new, there has been a lot of evolution in how malware has abused it since early 2020. Threat\r\nactors have gone from using simple, non-obfuscated macro formulas to creating complex hidden variants which\r\nfinally utilize native services such as rundll32 to run a payload.\r\nAs the malicious usage of XLM 4.0 macros is quite new, vendors are striving hard to provide coverage in such\r\ncases.\r\nThe XLM document in this case comprises two spreadsheets – one contains formulae and the other simply\r\ncontains some random data. See Figures 1-2 below.\r\nhttps://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain\r\nPage 1 of 13\n\nFigure 1. The red “1” on the right side of the screenshot shows the macro 4.0 responsible for\r\ndumping an HTML application file (HTA). The red “2” at the top shows the output of the highlighted\r\nformulae.\r\nFigure 2. The red box indicated by the number 1 shows an HTA script stored in ASCII values.\r\nIt can be seen that one of the formulae in the spreadsheet shown in Figure 1 tries to run with Mshta, so we can\r\nassume it is not really an RTF. Upon further analysis, we found that it is indeed an HTA. XLM 4.0 code in Sheet1\r\nis responsible for reading ASCII values from Sheet2 (Figure 2) and generating the HTA file that downloads\r\nDridex from Discord.\r\nFigure 3. VBScript to download Dridex from Discord.\r\nFigure 4. Encoded Discord URL in HTA file.\r\nIt is difficult to say anything about the XLS itself until it finally downloads a malicious payload. Furthermore, the\r\nHTA is being dropped as RTF. 
This might confuse some security products because they could analyze the HTA as\r\nan RTF file and miss the detection. Additionally, the usage of Discord URLs makes the samples more evasive.\r\n(Though the examples given here involve Discord URLs, we have also observed similar usage of OneDrive\r\nURLs. See the GitHub link in the Indicators of Compromise section for specific examples of OneDrive URLs.)\r\nXLL Dropper\r\nIn comparison to the malicious XLL files that we discussed in Part 1 of this blog series, this dropper is rather\r\nsimple. An XLL file is just a DLL, but it must be executed using Excel. Proper detonation is important for\r\ndetection.\r\nFigure 5. Discord URLs found in XLL.\r\nFigure 6. XLL running Dridex Loader.\r\nActive Directory Check\r\nWe think that both the XLL and VBScript downloaders are associated with the same actor because, as we can see,\r\nboth perform a check to see whether the LOGONSERVER and USERDOMAIN environment variables are set.\r\nThis would mean the system is joined to an Active Directory domain.\r\nFigure 7. HTA dropper checking for the environment variables LOGONSERVER and\r\nUSERDOMAIN.\r\nFigure 8. XLL dropper checking for the environment variables LOGONSERVER and\r\nUSERDOMAIN.\r\nDiscord URLs\r\nWe extracted around 1,400 URLs (see the Indicators of Compromise section at the end of this post) from XLM and\r\nXLL files; however, at the time of analysis, only a few of them were still up, and those were found downloading only\r\nDridex. An interesting thing to note is that DLL files are being downloaded as MKV. We saw at the start of\r\nthe infection chain that the HTA was being dropped as RTF.\r\nBrief Loader Analysis\r\nAs can be seen in Figure 6, the downloaded payload is being run with the command\r\nrundll32.exe * DirSyncScheduleDialog. 
However, when we opened the file for further analysis, the method\r\nDirSyncScheduleDialog was not found in the export directory. It is interesting to note that the function name\r\nbelongs to a legitimate Windows DLL.\r\nFigure 9. The missing method (left) is shown, compared to the legitimate Windows loghours.dll with\r\nexported function DirSyncScheduleDialog (right).\r\nUnpacking Stages\r\n1. Decrypt and load the second-stage DLL from the rdata section.\r\n2. The second DLL further unpacks the final Dridex Loader.\r\n3. Jump to DirSyncScheduleDialog.\r\nFirst Stage\r\nThe first stage is fairly simple in terms of functionality; its only job is to decrypt a small DLL from the rdata\r\nsection, move it to allocated memory and run it.\r\nHowever, there are a few anti-analysis tricks.\r\n1. Usage of junk code.\r\n2. A large loop with INT3 instructions.\r\n3. Usage of undocumented functions such as LdrGetProcedureAddress and LdrLoadDll to avoid common\r\nhooks.\r\nWhile junk code might hinder manual analysis, large loops containing INT3 breakpoints might delay the\r\nexecution in some cases.\r\nThe first stage has a handful of functions. We renamed them to reflect trivial loader behavior.\r\nFigure 10. Renamed functions (left); jump to allocated memory (center); anti-VM function, CC\r\nbytes replaced with NOP (right).\r\nSecond Stage\r\nOnce the first stage passes control to the in-memory DLL (Figure 8), it further unpacks the final payload and\r\ntransfers control to it. The second stage is also trivial. However, the stage does include a few interesting anti-analysis tricks to note.\r\n1. Calls DisableThreadLibraryCalls to make the final DLL less visible.\r\n2. Checks LdrLoadDll for hooks.\r\nFigure 11. 
Renamed functions (left), check for LdrLoadDll hook (center),\r\nDisableThreadLibraryCalls in imports (right).\r\nFinal Dridex Loader\r\nFinally, we are able to see a call to DirSyncScheduleDialog. It is interesting to note that Dridex Loader is not\r\nperforming DLL side loading. However, the final payload is loaded as loghours.dll, a legitimate Windows DLL.\r\nFigure 12. A side-by-side comparison of the export table from the Dridex Loader (left) and the\r\nlegitimate loghours.dll (right).\r\nFigure 13. Dridex Loader EP; the anti-VM loop can be seen at the start.\r\nMicro VM\r\nDridex implements a micro VM, which adds an exception handler using AddVectoredExceptionHandler to\r\nemulate the call eax instruction.\r\nFigure 14. Call to get_proc_address_by_hash function and CC CC bytes (call eax).\r\nFigure 15. Exception handler emulating call eax.\r\nAs can be seen in Figure 15, in the case of EXCEPTION_BREAKPOINT, the call eax instruction is being\r\nemulated. For a sandbox, this should not be a problem; however, it can hinder manual analysis. As can be seen,\r\nthe exception handler only emulates one instruction. Patching these two INT3 instructions with call eax should not\r\nbe a big deal. A simple IDA script to patch all CC CC instructions with FF D0 should do the trick.\r\nFigure 16. Patched INT3 instruction with “call eax”.\r\nAPI Hashing\r\nAPI hashing is trivial; however, we observed a few obfuscations and variations in this Dridex Loader.\r\n1. Multiple hashing functions.\r\n2. Masqueraded prologue for the hashing function.\r\nWe observed that, in order to hinder analysis further, this Dridex Loader is using multiple hashing functions. 
We\r\nobserved at least two hashing functions and one masqueraded prologue function, as can be seen below.\r\nFigure 17. API hashing function sub_744102D4\r\nFigure 18. Masqueraded prologue function.\r\nIt can be seen that the prologue of the get_proc_address_1 function is not normal. The registers eax and edx are\r\nbeing used to pass the module hash and API hash to the get_proc_address_1_mas function. It is possible to call\r\nget_proc_address_1 to set eax and edx. Alternatively, they can be set before calling get_proc_address_1_mas. If a\r\nresearcher is writing automation for resolving APIs – such as using AppCall – it is important to watch out for\r\nthis trick.\r\nWe used the IDA AppCall feature to extract all APIs used in the loader. Based on the extracted APIs, this Dridex\r\nLoader is not different from the Dridex Loader that was observed in early 2021.\r\nKey functions of the Dridex Loader:\r\n1. Check process privileges.\r\n2. AdjustTokenPrivileges.\r\n3. GetSystemInfo\r\n4. Uses the “Atomic Bombing” injection technique to load the core payload downloaded from the command and\r\ncontrol server.\r\nThe Dridex Loader has been extensively analyzed. Here, we focused mainly on small tricks used across the\r\ninfection chain to avoid detection and slow down analysis.\r\nConclusion\r\nWe observed a continued evolution of the infection chain. We saw how malware authors can evade detection\r\nengines using legitimate services such as Discord and OneDrive. We analyzed how malware authors continue to\r\nadd more stages to the infection chain.\r\nLastly, we briefly looked into the Dridex payload. Although the final payload was similar to the previous Dridex\r\nversion in terms of behaviour, we noticed an additional unpacking stage and a couple of new changes in the API\r\nhashing function. 
These simple yet powerful tricks can be challenging for malware analysts, helping the\r\nmalware avoid detection and slowing down analysis.\r\nPalo Alto Networks customers receive protections against the attacks discussed here through Cortex XDR or the\r\nWildFire cloud-delivered security subscription for the Next-Generation Firewall.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nIndicators of Compromise\r\nIndicators of compromise related to the malware discussed here can be found on GitHub.\r\nSource: https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain"
	],
	"report_names": [
		"excel-add-ins-dridex-infection-chain"
	],
	"threat_actors": [],
	"ts_created_at": 1775434069,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b88c893d45520db3492e5b5f85a8635c28412265.pdf",
		"text": "https://archive.orkl.eu/b88c893d45520db3492e5b5f85a8635c28412265.txt",
		"img": "https://archive.orkl.eu/b88c893d45520db3492e5b5f85a8635c28412265.jpg"
	}
}