IcedID — Office (OOXML) / .DOC malware analysis

Static analysis result for SHA-256 d603287b7a814d45…

MALICIOUS

Office (OOXML) / .DOC

Size: 34.4 KB
Created: 2021-10-20 10:29:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 2d0a8469be691e1b42a193e2f90d16d6
SHA-1: 0c9136e27894aad887ec6cbf6c106995647e03bb
SHA-256: d603287b7a814d459a0c169925aeba24fe4b89ea0a2c02a06586588ed567cb32
Risk Score: 122

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample contains a VBA macro that is triggered by the AutoOpen event. This macro reconstructs a filename by reversing the value of the 'Manager' built-in document property, then saves the document content to that filename. The macro then executes the saved file using WshShell.Run. The ClamAV detection name 'Doc.Downloader.IcedID' strongly suggests the IcedID family. The file written under the reconstructed filename is likely a payload downloader.

Heuristics (4)

  • ClamAV: Doc.Downloader.IcedID-8ff0f02ff0876072-9950256-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.IcedID-8ff0f02ff0876072-9950256-0
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA project inside OOXML [medium, OOXML_VBA]
    Document contains vbaProject.bin (VBA macros present)
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 904 bytes
    SHA-256: ea9fd270f23c7365caaafdfc590e107f2988d52ccd750e89a76cb32b4518b4ca
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 15360 bytes
    SHA-256: cb1285339becc238cb23c0c027ebd3fb68f6315fb1e8ce85034811ce8b0bffbd