IcedID — Office (OOXML) / .DOC malware analysis

Static analysis result for SHA-256 cf6b808afcc56fed…

MALICIOUS

Office (OOXML) / .DOC

156.4 KB Created: 2020-10-28 18:55:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: ee4d3ceebd8db129ad9595c36ce1a415 SHA-1: a7802a21738ba9333a10b3d6ea21a506df5fa241 SHA-256: cf6b808afcc56fed6043b9222aede14cc2b9a6e972b0754efcc370eec9d7d89f
208 Risk Score

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.IcedID-9799485-1', strongly suggesting the IcedID family. The presence of an AutoOpen VBA macro that utilizes CreateObject indicates an attempt to execute code upon opening. This macro is likely responsible for downloading and executing a second-stage payload, a common behavior for IcedID droppers. The embedded URLs, though mostly benign schema references, are part of the document's structure, and the primary malicious activity is driven by the VBA macro.

Heuristics 7

  • ClamAV: Doc.Dropper.IcedID-9799485-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.IcedID-9799485-1
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7acfc6d0b678152071295c8fcfd5eaff9109a3cec5f57fd3dce88670c997baec		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 16621 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
549486457fa42591da1645f582bbfb31a680356d39c7863f876d7a363714d530		 vba-project OOXML VBA project: word/vbaProject.bin 55808 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.