Word Macro Drops IcedID Trojan – Malware Analysis


HASH

MD5: 4A88E83B325AA23DA1E4BFA90B4F7C34

File type: Office Open XML Document

VT Score: 45/62

While going through the Any.run report tracker, I came across this Word document and downloaded it for analysis.

Word document screenshot

OleTools:

I used OLETools to analyse the document macros:

olevba.py -a <file name>

Indicators:

  • Auto execute on opening document.
  • May write a file to the system.
  • Base64 obfuscated strings.

I deobfuscated the file using olevba.py:

olevba.py --deobf <file name>

Indicator of Compromise:

  • PFSDNKDF.exe executable file name.

The code above shows that the PE file PFSDNKDF.exe will be dropped at C:\1\Whole\.

Next I started debugging the macro in the VBA development tool, which can be opened by pressing Alt + F11.

I can see that the variable hextostr holds a hex string that will be converted into the PE file.

Then it creates a process and executes the PFSDNKDF.exe file.

After that it closes the document, or prompts to save if any changes were made to the document.
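As an added defender-side example (not the author's code and not the real macro from this sample), the following Python script triages an extracted VBA macro for the dropper pattern described above: it joins concatenated string literals, decodes long hex literals such as hextostr, checks the decoded bytes for a valid MZ/PE header, and reports auto-exec entry points, binary file writes, Shell calls and drop paths. The macro text and the hex payload are constructed for the example; the payload is only a fake PE header.

```python
import re

# Constructed sample macro modelled on the hextostr pattern (not the real macro).
# The hex payload is a minimal fake MZ/PE header, not a working executable.
_stub = bytearray(80)
_stub[0:2] = b"MZ"                               # DOS header magic
_stub[0x3C:0x40] = (64).to_bytes(4, "little")    # e_lfanew -> "PE\0\0" at offset 64
_stub[64:68] = b"PE\x00\x00"
_hex = _stub.hex().upper()
SAMPLE_VBA = f'''Sub AutoOpen()
    Dim hextostr As String
    hextostr = "{_hex[:60]}" & _
               "{_hex[60:]}"
    Open "C:\\1\\Whole\\PFSDNKDF.exe" For Binary As #1
    Shell "C:\\1\\Whole\\PFSDNKDF.exe", vbHide
End Sub
'''

AUTOEXEC = ("AutoOpen", "Document_Open", "Auto_Open", "Workbook_Open")
DROP_RUN = {                      # indicators olevba flags as "may write a file" / "may run"
    "binary file write": r"\bOpen\b.+\bFor Binary\b",
    "Shell call": r"\bShell\b",
    "WScript.Shell": r"WScript\.Shell",
    "FileSystemObject": r"Scripting\.FileSystemObject",
}

def hex_literals(vba, min_hex=64):
    """Join VBA concatenations ("a" & _ "b") and return long hex-only string literals."""
    joined = re.sub(r'"\s*&\s*_?\s*"', "", vba)
    return re.findall(r'"([0-9A-Fa-f]{%d,})"' % min_hex, joined)

def carve_pe(hex_str):
    """Decode a hex literal; return (size, e_lfanew) if it is an MZ/PE image, else None."""
    try:
        data = bytes.fromhex(hex_str)
    except ValueError:
        return None
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return len(data), e_lfanew

def triage(vba):
    """Summarise auto-exec entry points, drop/run indicators, drop paths and embedded PEs."""
    return {
        "autoexec": [n for n in AUTOEXEC if n in vba],
        "drop_or_run": [k for k, p in DROP_RUN.items() if re.search(p, vba)],
        "paths": sorted(set(re.findall(r'"([A-Za-z]:\\[^"]+)"', vba))),
        "embedded_pe": [p for p in map(carve_pe, hex_literals(vba)) if p],
    }
```

Run it against the output of olevba.py --deobf to get the same indicators the tool reports, plus the size and header offset of any carved PE.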

Process Monitor capture of the exe being written to the C:\1\Whole path.

Dropped File:

MD5: 4C9C6B5B6DAA25B8DC274DD78FBC1AAA

File Name: psisdecd.dll

File Type: Win32 EXE

Signature: Microsoft Visual C++ 8

Family: IcedID

VT score: 56/72

IcedID is a banking Trojan that attackers use to steal victims' banking credentials. IcedID, aka BokBot, mainly targets businesses and steals payment information; it also acts as a loader and can deliver other malware or download additional modules.

Using Wireshark, I saw this executable make network connections (sending and receiving data) to a set of IP addresses and resolve the following DNS name:

DNS: connuwedro.xyz (VT Score)

URL contacted by the malicious executable.

Summary:

  • The Word document drops the executable PFSDNKDF.exe when opened.
  • The dropped file is the IcedID trojan.

Download sample: Any.Run

Read more about IcedID
