IcedID — Office (OOXML) / .DOC malware analysis

Static analysis result for SHA-256 915afcd074d35cb9…

MALICIOUS

Office (OOXML) / .DOC

Size: 34.2 KB
Created: 2021-10-21 10:26:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 090d0fbe9a4a6b95835d54f2aed73e04
SHA-1: 41aa3a63fa01e25adaed20a9e013c45ad27c503d
SHA-256: 915afcd074d35cb9f074928939a9a7b6752249e1ebfea30f8e1e1591ea98e543
Risk Score: 122

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell

The critical ClamAV signature 'Doc.Downloader.IcedID' is the strongest indicator that this document belongs to the IcedID family. The VBA project contains an AutoOpen macro, which Word runs as soon as the document is opened (once the user enables macros). The macro reconstructs a filename by reversing the string stored in the document's 'Company' property, saves the document's own content under that filename, and then launches the saved file with WshShell.Run. Keeping the filename in a document property rather than in the macro body keeps the telling string out of the VBA source, so a 'Company' value that only makes sense when reversed is itself a useful triage indicator. This behaviour is consistent with a downloader that stages and executes a second-stage payload; no download location was recovered statically, since the only URLs extracted from the document are OOXML schema namespace URIs.

Heuristics (4)

  • ClamAV: Doc.Downloader.IcedID-8ff0f02ff0876072-9950256-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.IcedID-8ff0f02ff0876072-9950256-0
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below is an XML namespace URI declared in the OOXML parts (schemas.microsoft.com / schemas.openxmlformats.org). These are schema plumbing present in any document saved by recent Word versions, not network indicators, and none of them points to a payload or C2 location.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
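The two findings above (the reversed 'Company' property feeding a SaveAs and WshShell.Run, and a list of extracted URLs that are all namespace URIs) can both be checked offline from the OOXML container. The following Python script is an added example, not code from the analysis page or from any tool it names. It reads docProps/app.xml for the Company value and reverses it, reports whether word/vbaProject.bin is present, separates URLs that occur only as xmlns or relationship Type values from everything else, and scans VBA source for the macro indicators the report describes. The regexes, the sample macro, the Company value "txt.egats" and the hyperlink http://example.com/landing are all constructed fixtures and assumptions of this example, not the sample's actual content.

```python
"""Offline triage of an OOXML document for the AutoOpen / reversed-Company pattern.
Added example; all names, regexes and fixtures are the example author's assumptions."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# xmlns="..." / xmlns:w="..." declarations and .rels Type="..." values are schema URIs.
XMLNS_RE = re.compile(r"xmlns(?::[\w.-]+)?\s*=\s*\"([^\"]+)\"")
RELTYPE_RE = re.compile(r"\bType\s*=\s*\"([^\"]+)\"")

# Assumed VBA indicators for the behaviour described in the report.
VBA_INDICATORS = {
    "autoopen":     re.compile(r"\bSub\s+(?:AutoOpen|Document_Open)\b", re.I),
    "company_prop": re.compile(r"BuiltInDocumentProperties\s*\(\s*\"Company\"\s*\)", re.I),
    "strreverse":   re.compile(r"\bStrReverse\s*\(", re.I),
    "saveas":       re.compile(r"\.SaveAs2?\b", re.I),
    "wsh_run":      re.compile(r"(?:WScript\.Shell|WshShell)[\s\S]{0,200}?\.Run\b", re.I),
}

def _parts(docx_bytes):
    """Read every part of the OOXML zip into a dict of name -> bytes."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return {name: z.read(name) for name in z.namelist()}

def company_property(parts):
    """Return the Company value from docProps/app.xml, or None if absent."""
    data = parts.get("docProps/app.xml")
    if data is None:
        return None
    el = ET.fromstring(data).find(f"{{{APP_NS}}}Company")
    return el.text if el is not None and el.text else None

def classify_urls(parts):
    """Split URLs in XML parts into schema URIs (xmlns / rels Type) and everything else."""
    schema, others = set(), set()
    for name, data in parts.items():
        if not name.endswith((".xml", ".rels")):
            continue
        text = data.decode("utf-8", "replace")
        schema |= set(XMLNS_RE.findall(text))
        if name.endswith(".rels"):
            schema |= set(RELTYPE_RE.findall(text))
        others |= set(URL_RE.findall(text))
    return sorted(schema), sorted(others - schema)

def scan_vba(vba_source):
    """Return which of the assumed indicators fire on the given VBA source text."""
    return {name: bool(rx.search(vba_source)) for name, rx in VBA_INDICATORS.items()}

def triage(docx_bytes, vba_source=""):
    """Combine container facts and VBA hits into one report dict."""
    parts = _parts(docx_bytes)
    company = company_property(parts)
    schema_uris, other_urls = classify_urls(parts)
    hits = scan_vba(vba_source)
    return {
        "vba_project": "word/vbaProject.bin" in parts,
        "company": company,
        "reversed_company": company[::-1] if company else None,
        "vba_hits": hits,
        "pattern_match": all(hits.values()),
        "schema_uris": schema_uris,
        "other_urls": other_urls,
    }

# Constructed macro fixture mirroring the report's description; not the sample's code.
SAMPLE_VBA = """Sub AutoOpen()
    Dim n As String
    n = StrReverse(ActiveDocument.BuiltInDocumentProperties("Company"))
    ActiveDocument.SaveAs2 FileName:=n
    CreateObject("WScript.Shell").Run n
End Sub
"""

def build_sample_docx(company="txt.egats"):
    """Constructed minimal OOXML container for offline testing (not the analysed sample)."""
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "docProps/app.xml": f'<?xml version="1.0"?><Properties xmlns="{APP_NS}"><Application>Microsoft Office Word</Application><Company>{company}</Company></Properties>',
        "word/document.xml": '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml"><w:body/></w:document>',
        "word/_rels/document.xml.rels": '<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://example.com/landing" TargetMode="External"/></Relationships>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder",  # dummy OLE header, not a real project
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    report = triage(build_sample_docx(), SAMPLE_VBA)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real sample, pass the .docm/.docx bytes and the VBA source decoded by olevba (the macros.bas artifact above) instead of the fixtures; the 'other_urls' list is what is worth looking at, since everything in 'schema_uris' is expected in any modern Word document.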

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
macros.bas | 52ebf53d3a7e184c255cbb07243fbc1f6553040518d818342a82857c67ebdba4 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 891 bytes
vbaProject_00.bin | ca1e2c72c4155cb7aae185be8c2135942fc515a2302b0724f4c0727986be3126 | vba-project | OOXML VBA project: word/vbaProject.bin | 15360 bytes