Threat description




Trojan-Downloader:W97M/Dridex is a document file containing maliciously crafted macro code that, when allowed to run on a user's machine, drops a file onto the system. The dropped file attempts to contact a remote server.


Automatic action

F-Secure security products detect the dropped files. Once detected, the F-Secure security product will automatically disinfect the suspect file by either blocking it, deleting it or renaming it. The malicious URL the malware attempts to contact is also automatically blocked.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more assistance.

Technical Details

Trojan-Downloader:W97M/Dridex is distributed in a Word document that is sent out as a file attachment to fraudulent e-mails that appear to be invoice-related. These e-mails have reportedly misused the names and/or branding of various legitimate companies to appear above-board.

The attached document may use an innocuous file name such as 'Invoice.doc', or be randomly named. In the sample analyzed (SHA1: 8c77475defd5ee97d60727e8faec69b8eafa64fc), the attachment was simply named 'Attachment.doc':

Dridex's booby-trapped Word document

On downloading and opening the attached Word document, the document appears to be a blank page; a security warning appears saying that 'Macros have been disabled' and providing a button for the user to click and 'Enable Content'.

Dridex tricks users into enabling malicious code

If the user does so, Dridex's malicious macro code is allowed to run and a file is immediately and silently dropped in the user's temp folder. In the sample analyzed, the dropped file used the name 'pilorghpt.exe':

Dridex drops a file to the user's temp folder

The dropped file then attempts to contact a remote server and retrieve an executable file to download onto the infected machine. Note: if DeepGuard is enabled, this file is automatically blocked from accessing the malicious remote site.
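
The chain described above (a Word macro drops an executable into the temp folder, and that executable then contacts a remote server) can be hunted for in endpoint telemetry. The detection logic below is an added example, not F-Secure's code; the event format, field names, user name and IP addresses are constructed assumptions, and only the file name 'pilorghpt.exe' comes from the analyzed sample.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
WINWORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
DROPPED = r"C:\Users\alice\AppData\Local\Temp\pilorghpt.exe"

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "file_create", "process": WINWORD, "target": DROPPED},
    {"type": "file_create", "process": WINWORD,
     "target": r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"},  # benign temp file
    {"type": "process_start", "parent": WINWORD, "image": DROPPED},
    {"type": "network_connect", "process": DROPPED, "dest": "203.0.113.10:80"},
    {"type": "network_connect",
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "198.51.100.7:443"},  # unrelated traffic
]

def in_temp(path):
    """True if the path lies under a user or system temp folder."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)

def find_dropper_chains(events):
    """Flag executables an Office app wrote into temp, then track whether
    they were started and which remote endpoints they contacted."""
    alerts = {}  # lower-cased dropped path -> alert record
    for ev in events:
        if ev["type"] == "file_create":
            writer = ntpath.basename(ev["process"]).lower()
            target = ev["target"].lower()
            if writer in OFFICE_APPS and in_temp(target) and target.endswith(".exe"):
                alerts[target] = {"dropped": ev["target"], "writer": writer,
                                  "executed": False, "connections": []}
        elif ev["type"] == "process_start":
            alert = alerts.get(ev["image"].lower())
            if alert:
                alert["executed"] = True
        elif ev["type"] == "network_connect":
            alert = alerts.get(ev["process"].lower())
            if alert:
                alert["connections"].append(ev["dest"])
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_dropper_chains(SAMPLE_EVENTS):
        print(alert)
```

An alert with `executed` set and a non-empty `connections` list matches all three stages of the behaviour; a drop with no execution is still worth triage.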

Theft of online banking credentials

Since the middle of 2014, Dridex malware has been reported attempting to steal users' online banking credentials. The malware monitors the user's web browsing activity for visits to selected banking sites, then tries to capture the login details entered into web forms on these sites. The targeted banks are mainly in the United Kingdom, the United States and Australia, though activity in other countries has also been noted.

More information about Dridex's online banking phishing e-mail campaigns can be found at:

About macro malware

Macro-based malware used to be far more common in the early 2000s, when macro code in business-related documents (primarily Microsoft Office documents, due to their overwhelming prevalence) was automatically allowed to run when a document was opened. In response, changes were made to the document programs to disable this functionality and prevent automatic execution of macro code; users now must actively allow such code to run.

Since then, the volume of macro malware has reduced significantly, and currently such malware relies heavily on deceiving the user into unwittingly running the malicious code.
