MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f604ca55de802f334064610d65e23890ab81906cdac3f8a5c7c25126176289c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
IcedID
Vendor detections: 9
Maldoc score: 9
| SHA256 hash: | f604ca55de802f334064610d65e23890ab81906cdac3f8a5c7c25126176289c8 |
|---|---|
| SHA3-384 hash: | ed33f09fdedeb9918b31ff43ae489d143b5089247e7ee3f1327cb1e6508d8f0c1bc8bdf3acf6e0498860771251c6d610 |
| SHA1 hash: | 4bd0151fa9520c9886f7d7a250596687b52bfa81 |
| MD5 hash: | 5743e3edb2bf64fe08e5e9a6ea24cd7e |
| humanhash: | dakota-island-montana-fish |
| File name: | deed contract 12.15.2021.doc |
| Download: | download sample |
| Signature | IcedID |
| File size: | 43'457 bytes |
| First seen: | 2021-12-15 13:29:43 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| ssdeep | 768:+csHZauGn0BKW2rq/eEflhRSfwdDQWk/HQFcEKTrLfxl1Ik1K:6HvGn8KWG0lhRSfwd8WgdrLfxzY |
| TLSH | T1FD13D008D4229E05C7CE5A3C21FD11F06FB342C793D096265D92AE6F4C602FECA5F69A |
| Reporter | |
| Tags: | doc IcedID |
Office OLE Information
This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.
OLE id
| Maldoc score: 9 |
OLE dump
MalwareBazaar was able to identify 11 sections in this file using oledump:
| Section ID | Section size | Section name |
|---|---|---|
| A1 | 402 bytes | PROJECT |
| A2 | 56 bytes | PROJECTwm |
| A3 | 2266 bytes | VBA/ThisDocument |
| A4 | 2881 bytes | VBA/_VBA_PROJECT |
| A5 | 1664 bytes | VBA/__SRP_0 |
| A6 | 263 bytes | VBA/__SRP_1 |
| A7 | 800 bytes | VBA/__SRP_2 |
| A8 | 328 bytes | VBA/__SRP_3 |
| A9 | 552 bytes | VBA/dir |
| A10 | 1082 bytes | VBA/main |
OLE vba
MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:
| Type | Keyword | Description |
|---|---|---|
| AutoExec | autoopen | Runs when the Word document is opened |
| Suspicious | GetObject | May get an OLE object with a running instance |
| Suspicious | StrReverse | May attempt to obfuscate specific strings (use option --deobf to deobfuscate) |
| Suspicious | exec | May run an executable file or a system |
| Suspicious | Base64 Strings | Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) |
Intelligence
File Origin
Vendor Threat Intelligence
TwinWave.EvilDoc.TalkShowHost.20210426.UNOFFICIAL
TwinWave.EvilDoc.DOCXSTRGOOD.\WINDOWS\.REV.210420.UNOFFICIAL
TwinWave.EvilDoc.FoolsHighwayM1.20210617.UNOFFICIAL
TwinWave.EvilDoc.FoolsHighwayM1.20210826.UNOFFICIAL
Doc.Downloader.BlueWord12210-9915312-0
TwinWave.EvilDoc.MiscreantMetaSmugglersGreatGigInTheSky.M2.202100505.UNOFFICIAL
Result
Behaviour
Result
Document image
Result
Signature
Behaviour
Result
Behaviour
Malware Config
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.