Dridex Distributed with "Merry Christmas!" Excel File
The downloaded Excel file has information about 'Christmas Bonus', and has hidden sheets that use the Cell Formula method mainly used for Excel macro malware.
The attached file for the 'Termination of employment' email has the name 'TerminationList.xls' but has details about 'Christmas bonus.' As such, it appears that the emails are distributed randomly without any coherency.
Through the Name Manager tool of the Excel file, it can be assumed that Auto_Open macro will have its code operating based on the values from the hidden 'Macro1' and 'Sheet1' sheets.
Column V of the 'Macro1' sheet has a macro code written with Cell Formula.
'Sheet1' has the data saved in decimal, which is changed to text form and then combined.
The following shows a formula for using rows 163 to 4975 of column BH in 'Sheet1' to combine malicious data.
Featured Resources
View More Resources
blog
How to Prioritize Vulnerabilities in 2026: From CVSS to Real Risk
Security teams have more vulnerability data than ever. Scanners find exposures across endpoints, cloud assets, applications, identities and third-party tools. The problem is no
CUSTOMERS
Financial Regulatory Authority Strengthens Security and Gains Continuous Visibility with Cymulate
Limited Visibility and Reliance on Point-in-Time Testing With a lean team of five responsible for securing a complex internal environment,
blog
CVE-2026-35603: One Writable Folder, Every User Compromised: Exploiting Configuration Trust in AI Coding Tools
Ilan Kalendarov, Security Research Team LeadBen Zamir, Security ResearcherElad Beber, Security Researcher The AI coding tools that millions of developers launch every