Trojan-Downloader:W97M/Dridex is a document file containing maliciously crafted macro code that, when allowed to run on a user's machine, drops a file onto the system. The dropped file attempts to contact a remote server.
F-Secure security products detect the dropped files. Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action. The malicious URL the malware attempts to contact is also automatically blocked.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Trojan-Downloader:W97M/Dridex is distributed in a Word document that is sent out as a file attachment to fraudulent emails that appear to be invoice-related. These emails have reportedly misused the names and/or branding of various legitimate companies to appear above-board.
The attached document may use an innocuous file name such as 'Invoice.doc', or by randomly named. In the sample analyzed (SHA1: 8c77475defd5ee97d60727e8faec69b8eafa64fc), the attachment was simply named 'Attachment.doc':
Dridex's booby-trapped Word document
On downloading and opening the attached Word document, the document appears to be a blank page; a security warning appears saying that 'Macros have been disabled' and providing a button for the user to click and 'Enable Content'.
Dridex tricks users into enabling malicious code
If the user does so, Dridex's malicious macro code is allowed to run and a file is immediately and silently dropped in the user's temp folder. In the sample analyzed, the dropped file used the name 'pilorghpt.exe':
Dridex drops a file to the user's temp folder
The dropped file then attempts to contact a remote server and retrieve an executable file to download the infected machine. Note: if DeepGuard is enabled, this file is automatically blocked from accessing the malicious remote site.
Since the middle of 2014, Dridex malware have been reported attempting to steal users online banking credentials. The malware monitors the user's web browsing activity for visits to selected banking sites, then tries to capture the login details entered into web forms on these sites. The list of banks targeted are mainly focused on the United Kingdom, the United States and Australia, though activity in other countries have also been noted.
More information about Dridex's online banking phishing email campaigns can be found at:
Macro-based malware used to be far more common in the early 2000s, when macro codes in business-related documents (primarily Microsoft Office documents, due to their overwhelming prevalence) were automatically allowed to run when a document was opened. In response, changes were made to the document programs to disable this functionality and prevent automatic execution of macro code; users now must actively allow such code to run.
Since then, the volume of macro malware has reduced significantly, and currently such malware relies heavily on deceiving the user into unwittingly running the malicious code.