{
	"id": "5d89b592-dde8-467b-be94-3b569d0b1295",
	"created_at": "2026-04-06T00:11:52.458501Z",
	"updated_at": "2026-04-10T03:22:13.3527Z",
	"deleted_at": null,
	"sha1_hash": "c86b679be5289a837c704c13072535c45aefa382",
	"title": "Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs | HP Wolf Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1024707,
	"plain_text": "Dridex Malicious Document Analysis: Automating the Extraction\r\nof Payload URLs | HP Wolf Security\r\nBy Patrick Schläpfer\r\nPublished: 2021-01-19 · Archived: 2026-04-05 13:23:07 UTC\r\nIntroduction\r\nThe last three months of 2020 saw a sustained increase in malicious spam distributing Dridex malware. The\r\nnumber of Dridex samples isolated by HP Sure Click more than tripled in Q4 compared to Q3, representing a\r\n239% increase. According to HP Sure Click telemetry, Dridex is currently the second most widely circulating\r\ncrimeware family behind Emotet. Although originating in 2012 as a banking Trojan, since 2017 Dridex’s operators\r\nhave increasingly shifted their tactics to delivering ransomware.\r\nDridex’s distributors commonly propagate the malware using malicious Office documents (maldocs) that\r\ndownload the Trojan from a remote web server. Interestingly, since mid-2020 a variant of these maldocs started\r\ncontaining hundreds of URLs from which to download the malware. This technique makes the loader more\r\nresilient to takedown action by hosting providers and domain registrars. It also increases the likelihood of\r\nsuccessfully downloading the payload. Instead of blocking one URL, network security controls such as web\r\nproxies would need to block hundreds of URLs to prevent the malware from being downloaded.\r\nFollowing this change to Dridex’s first stage loader last year, we collected samples and analyzed them. This article\r\ngives an overview of how the payload URLs are stored and decoded. We also provide a Python script that extracts\r\nthe URLs to assist security teams in their blocklisting efforts.\r\nDridex’s Excel loader\r\nWe focused primarily on the Excel format loader for this analysis because it was by far the most common file type\r\nwe encountered. Dridex also has a Word dropper, which we’ve previously written about. 
As opposed to a dropper,\r\na malware loader contains at least one network destination which is used to download a payload. This allows the\r\nloader to be small but necessitates communication over a network to install the malware. The Dridex loader\r\ngenerally uses the approach shown in Figure 1 to download its payload.\r\nhttps://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/\r\nPage 1 of 8\n\nFigure 1 – Typical Dridex infection chain.\r\nDridex loader types\r\nWe identified several types of Dridex loader that each uses a different way to download and execute the payload.\r\nSometimes the document used a Visual Basic for Applications (VBA) macro, Excel 4 macro or both to execute\r\ncode. The loader uses either PowerShell or Windows API calls to open a network connection and download the\r\npayload. We can split Dridex’s loaders into two types based on how the code is executed:\r\nCode executed using Excel 4 macros\r\nThe first type of loader uses Excel 4 macros to generate PowerShell code or call Windows API functions to\r\ndownload the malware. In both cases, the loader only downloads the payload from one URL.\r\nCode executed using VBA macros\r\nThe second type of loader uses VBA macros to download Dridex. This type of loader uses different methods to\r\nachieve this. One way is by generating an encoded shell command, which calls PowerShell to download the\r\npayload. The loader also only downloads the payload from one URL.\r\nA second, and more notable, method used by this type of loader stores encoded data in an Excel worksheet. When\r\nrun, the VBA code loads the data from the worksheet and decodes it using one of many routines. The decoded data\r\nis a list of hundreds of URLs, from which one is randomly chosen to download Dridex. 
The sheer quantity of\r\npayload URLs is unusual for a loader, so we decided to analyze this download mechanism in more detail.\r\nFigure 2 – Overview of Dridex loader types from September to December 2020.\r\nMaldocs containing multiple URLs\r\nThe first question we asked about this type of loader was how the URLs are stored in the document. To find this\r\nspecific answer we analyzed the document by manually debugging the VBA code. Opening the VBA project from\r\na sample in Excel for the first time generated a warning that the “Project Is Unviewable”. You can learn about the\r\nreason for this warning and its solution in this article. After resolving this issue, we could read and interact with\r\nthe loader’s VBA code.\r\nFigure 3 – VBA code of a Dridex loader.\r\nThe code executes when the spreadsheet’s layout changes, which occurs when the file is opened. The main\r\nfunction contains a loop that iterates over the cells of the active worksheet. During each iteration, encoded data is\r\nread from the worksheet, decoded and stored inside a variable. The variable is then split into multiple elements\r\nand used as an argument for the ExecuteExcel4Macro function. This function, as the name indicates, runs a\r\nMicrosoft Excel 4 macro given as an argument. The encoded URLs are read from the content of the worksheet.\r\nYou can see the encoded text by selecting all the cells in the worksheet and changing the text’s color.\r\nFigure 4 – Dridex loader worksheet with encoded data.\r\nSince we are interested in the URLs, we slightly modified the VBA code to run the data decoding function and\r\nprint them out. 
Figure 5 shows a snippet of these URLs.\r\nFigure 5 – Extracted Dridex payload URLs.\r\nLooking at the Excel 4 macro’s execution, it is notable that the return value is not evaluated. This means that if the\r\nURL host is offline, the loader will not download the payload from another URL.\r\nFrom analyzing the decoding functions, we found many were re-used or slightly modified between samples. The\r\ndecoding functions work by iterating over all the values in an active worksheet. In about 60 samples from around\r\n30 Dridex spam waves, we found six types of decoding routines.\r\n1. Character offset encoding\r\nWhen the worksheet’s data is encoded using character offset encoding, the Dridex loader decreases each letter’s\r\nASCII value in the URL by one, two or three. How much the ASCII value is decreased is randomly chosen. We\r\ncan implement a function in Python to decode the string and return the correct URL, as shown below.\r\nFigure 6 – Code snippet from the character offset encoding algorithm.\r\n2. Reverse encoding\r\nA telltale sign of a Dridex loader using reverse encoding is numbers scattered about the worksheet.\r\nThese numbers indicate the index in an array. The corresponding value is the row number as an ASCII value,\r\nwhich the decoder function converts into a character. The sorted array outputs the list of URLs.\r\nFigure 7 – Code snippet from the reverse encoding algorithm implemented in Python.\r\n3. Scramble encoding\r\nScramble encoding is similar to character offset encoding. The characters are converted from an ASCII value after\r\nadding or subtracting another value. 
The decision about whether a value is added or subtracted depends on the\r\nposition of the letter.\r\nFigure 8 – Code snippet from the scramble encoding algorithm.\r\n4. Substring concatenation encoding\r\nDocuments containing URLs encoded with substring concatenation encoding contain many small strings in the\r\nworksheet. The URLs are decoded by iterating over the values. If the value is longer than two characters, then a\r\nsubstring is taken. The substring is appended to a string that contains all the URLs from the document after\r\nfinishing the iteration.\r\nFigure 9 – Code snippet from the substring concatenation algorithm.\r\n5. Hexadecimal encoding\r\nHere the characters in the URLs are encoded as hexadecimal values then stored in random cells in the active\r\nworksheet. The URLs are decoded by iterating over the values, converting them into characters and appending\r\nthem to a string containing all the URLs.\r\nFigure 10 – Code snippet from the hexadecimal encoding algorithm.\r\n6. Format encoding\r\nWhen you open a Dridex loader that uses format encoding, no values are visible in the active worksheet. Instead\r\nof cell values, this type of encoding checks if a cell is formatted to decode the URLs. The decoder iterates over all\r\nthe cells and checks for their format. 
If a cell is not formatted as “General” then the corresponding column index\r\nis taken as an ASCII value, which corresponds\r\nto a URL character.\r\nFigure 11 – Code snippet from the format encoding algorithm.\r\nAfter decoding the contained URLs with one of the explained routines, the Dridex payload is downloaded and the\r\ndocument is automatically closed.\r\nURL encodings timeline\r\nTracking the usage of the six different encoding mechanisms over time reveals that the distributors of Dridex\r\nmaldocs tend to switch the type of URL encoding after a few spam waves. Between those changes, the encoding\r\nmechanisms largely remained the same with only slight modifications.\r\nFigure 12 – Types of URL encoding used by the Dridex loader from September to December 2020.\r\nAutomatically extracting URLs from Dridex maldocs\r\nWe wrote a Python script that extracts all the URLs from Dridex maldocs that use one of the six encoding\r\nalgorithms. Security teams can use the script’s output to block all potential Dridex payload URLs instead of just\r\none that a typical sandbox would extract through dynamic analysis.\r\nThe threat actors behind Dridex and its distribution are continually changing their techniques, so we expect the\r\nencoding algorithms to change. Although the automation may not work on future loaders, our analysis should give\r\nsecurity teams a clue about how to implement new decoding functions.\r\nConclusion\r\nSince mid-2020, some Dridex maldocs have contained hundreds of URLs hosting the Trojan. Looking at the\r\ndocuments over this period, we identified six encoding types used to obfuscate the URLs. While the encoding\r\nvaries between spam waves, the documents’ basic structure has not changed significantly. 
We think it is feasible to\r\nimplement decoders for future encoding types used in Dridex maldocs building on this approach.\r\nIndicators of Compromise (IOCs)\r\nUsing the Python script to automate the URLs’ extraction, we collected 2,082 URLs from 56 documents. You can\r\nfind the IOCs corresponding to this analysis and the URL extraction script in the HP Threat Research GitHub\r\nrepository.\r\nSource: https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/"
	],
	"report_names": [
		"dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls"
	],
	"threat_actors": [],
	"ts_created_at": 1775434312,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c86b679be5289a837c704c13072535c45aefa382.pdf",
		"text": "https://archive.orkl.eu/c86b679be5289a837c704c13072535c45aefa382.txt",
		"img": "https://archive.orkl.eu/c86b679be5289a837c704c13072535c45aefa382.jpg"
	}
}