MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c8704fd49a85bec94233219640e3bae68aa4030b3ae6e582d502dbef38b6707. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 9

Maldoc score: 19

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	0c8704fd49a85bec94233219640e3bae68aa4030b3ae6e582d502dbef38b6707
SHA3-384 hash:	08192501bb3b727be6c019d0c7b0bd100ace448b040b40375bb87e05e7a0841f4e22143221b5f3096d81f155e3c20516
SHA1 hash:	15c9d4ba5557b47dbdde61831296c2d67ede7357
MD5 hash:	0aa86c039d3fbad067749edf8a4ce659
humanhash:	ceiling-india-network-winner
File name:	commerce _03.09.2021.doc
Download:	download sample
Signature	IcedID Create hunting rule
File size:	94'011 bytes
First seen:	2021-03-09 18:01:21 UTC
Last seen:	Never
File type:	doc
MIME type:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep	1536:iFCjqhnfR6dfbKx8+cQe7cCIPIPIFlXV9BblZzHotfrRgjFFiLOx57EnABlNs:iFIqhnfRemK+c7j4z9BLIHgRuOjQnABc
TLSH	3C93D0238804AB52D2A417BC5C4389A9BF165E0C95831AEF351F1EDB7F25BBD0D1D24E
Reporter	p5yb34m
Tags:	doc IcedID Shathak TA551

p5yb34m

Installer URL:
http://very-lam2018.com/odfeh/dmIczx3VCKJVxOIM45tzrpZTl8IQ06/aE/1CoWhmFmcJ0nt3S5jbf5srAt6I/Zixfk4BkPnuaJ2bmJoaZ3jpFr8ls4HZZGlLkvUG5/bl8HfIS7kgGQqBicZPU3YxgKSNz7DeyvKUpKa/88718/VbJkW1EuzDNQrIxQDvH/IDcQzbYyMGhWy06DDsSHeUAK3GHQkEbCL8w9/E1xx4lOEKH7E8cHocpfeqr0ZLSG0IPv9dSbLJ7VFg9tdg42g/waf3?81pz=ewugMThHD6HmhhV&YI9gjfu=Rhq&user=Lz&cid=IkWDWI5kGNNPWaOt9Vl6iE64Qsj&user=HTx8tV7HlFYHyY5KNaUVj5pPO74x&id=G7hejSBa3uo8Ybu6HFexi9spmo&cid=zg

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 19

OLE dump

MalwareBazaar was able to identify 18 sections in this file using oledump:

Section ID	Section size	Section name
A1	582 bytes	PROJECT
A2	113 bytes	PROJECTwm
A3	1127 bytes	VBA/ThisDocument
A4	4382 bytes	VBA/_VBA_PROJECT
A5	2402 bytes	VBA/__SRP_0
A6	206 bytes	VBA/__SRP_1
A7	356 bytes	VBA/__SRP_2
A8	106 bytes	VBA/__SRP_3
A9	2586 bytes	VBA/aQv5Wl
A10	869 bytes	VBA/akNhYX
A11	2372 bytes	VBA/apa7E
A12	1050 bytes	VBA/dir
A13	1174 bytes	VBA/frm
A14	97 bytes	frm/CompObj
A15	286 bytes	frm/VBFrame
A16	130 bytes	frm/f
A17	2456 bytes	frm/o

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	AutoOpen	Runs when the Word document is opened
Suspicious	Open	May open a file
Suspicious	Output	May write to a file (if combined with Open)
Suspicious	CopyFile	May copy a file
Suspicious	Shell	May run an executable file or a system command
Suspicious	ShellExecute	May run an executable file or a system command
Suspicious	Shell32	May run an executable file or a system command
Suspicious	CreateObject	May create an OLE object
Suspicious	Chr	May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious	Hex Strings	Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin

# of uploads :

# of downloads :

295

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

commerce _03.09.2021.doc

Verdict:

Malicious activity

Analysis date:

2021-03-09 17:48:10 UTC

Tags:

macros macros-on-open generated-doc

Link:

https://app.any.run/tasks/a61c6ff3-7aa4-4881-b937-c21a55b4d11a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

File type:

application/msword

Has a screenshot:

False

Contains macros:

True

Detection(s):

TwinWave.EvilDoc.ShellSlicerMightyWings.20210201.UNOFFICIAL

Sanesecurity.Badmacro.doc_shellao.UNOFFICIAL

TwinWave.EvilDoc.DOCXRSTRGOOD._PTTH.200512B64.3.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Launching a process

Creating a process from a recently created file

Result

Verdict:

Malicious

File Type:

Word File with Macro

Link:

https://app.docguard.net/0c8704fd49a85bec94233219640e3bae68aa4030b3ae6e582d502dbef38b6707/results/dashboard

Document image

Image:

Download PNG

Result

Verdict:

MALICIOUS

Details

Macro with Startup Hook

Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.

Macro with File System Write

Detected macro logic that can write data to the file system.

Macro Execution Coercion

Detected a document that appears to social engineer the user into activating embedded logic.

Macro Contains Suspicious String

Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...

Result

Threat name:

Unknown

Detection:

malicious

Classification:

expl.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/633340

Signature

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document exploit detected (drops PE files)

Document exploit detected (process start blacklist hit)

Drops PE files with a suspicious file extension

Machine Learning detection for sample

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Office process drops PE file

Renames wmic.exe to bypass HIPS

Sigma detected: Register DLL with spoofed extension

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Document-Office.Dropper.SDrop

Status:

Malicious

First seen:

2021-03-09 18:02:06 UTC

AV detection:

7 of 47 (14.89%)

Threat level:

3/5

Result

Malware family:

n/a

Score:

8/10

Tags:

macro

Link:

https://tria.ge/reports/210309-lw4wfqkzbn/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Loads dropped DLL

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0c8704fd49a85bec94233219640e3bae68aa4030b3ae6e582d502dbef38b6707

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

IcedID

doc 0c8704fd49a85bec94233219640e3bae68aa4030b3ae6e582d502dbef38b6707

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample