IcedID — Office (OOXML) / .DOC malware analysis

Static analysis result for SHA-256 cc721111b5924cfe…

MALICIOUS

Office (OOXML) / .DOC

43.3 KB Created: 2021-06-02 10:36:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2022-07-11
MD5: f08771b9fdfe82caaa089641e2348c8e SHA-1: b02c121597c9d56d7fab76b54834d5f3bd961e8c SHA-256: cc721111b5924cfeb91440ecaccc60ecc30d10fffbdab262f7c0a17027f527d1
222 Risk Score

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen subroutine that executes the Shell() function. This function is used to launch an HTA file named 'collectionBoxConst.hta'. The ClamAV detection also points to the IcedID family, which commonly uses this technique for initial execution.

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Downloader.IcedID-87f0ff24f8876052-9955146-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.IcedID-87f0ff24f8876052-9955146-0
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
da00df7233265300664464c9760531cd6431ba86e358e844c2009feaa5d60b8e		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 586 bytes
vbaProject_00.bin
e78529f1e6377fae2e8429a848e5b606ee99a80dd2482f8397bb096e437160f3		 vba-project OOXML VBA project: word/vbaProject.bin 13824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.