IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 04398f4485e899ed…

MALICIOUS

Office (OOXML) / .XLSM

Size: 348.7 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 52e0590f1e46fcbdd452a5bc87932841
SHA-1: cd31e659ee5163efe2d2dc46dd224c28d8ed0a21
SHA-256: 04398f4485e899edb59413af1fb8befe33b8d7666a1ff6088ae67658b7e5a1ed
Risk score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

This Excel file contains multiple Excel 4.0 macro sheets, which are known to be used for malicious purposes. The macros utilize dangerous functions like FORMULA and REGISTER to download and execute a second-stage payload. Specifically, the macro attempts to execute 'regsvr32 -s .Broy.getio54', 'regsvr32 -s .Broy.getio541', and 'regsvr32 -s .Broy.getio542', indicating a downloader functionality. ClamAV also identified the sample as IcedID, a known downloader.

Heuristics (6)

  • Excel 4.0 macro sheet (15 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 15 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Each entry lists filename, kind and size, followed by the source path inside the OOXML container and the SHA-256 of the carved file.

  • xlm_sheet_00.xml (xlm-macrosheet, 1415 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml
    SHA-256: c8d3cc732c81101776f8b88264884954905ef8697dcd7d362e06e326dbd84474
  • xlm_sheet_01.xml (xlm-macrosheet, 1616 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml
    SHA-256: 27aac2c3e61fd33179f55853dd21cd346c11cfae424bb73b0d9516295cf385a3
  • xlm_sheet_02.xml (xlm-macrosheet, 2128 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml
    SHA-256: f4d8ff0a5187f8589c35fb237bec84206266a6c52653bf8253b044239518475e
  • xlm_sheet_03.xml (xlm-macrosheet, 3517 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml
    SHA-256: a30cea7059675dc2dfc27c04f638e7a6b89f031862162fefbdc8ecd699667c16
  • xlm_sheet_04.xml (xlm-macrosheet, 1415 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml
    SHA-256: dad7d088b62ccbf83dda94ae17d917c3926a6ad4999418b63415984492659627
  • xlm_sheet_05.xml (xlm-macrosheet, 2408 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml
    SHA-256: 9fdae223af787153e5974406306f7d45b8ca0731b44c896ede5a3869a6224a58
  • xlm_sheet_06.xml (xlm-macrosheet, 1741 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml
    SHA-256: b86ecd75b459c65f21aad3bab569290871c38c2307a1de569f22397bef8d8ace
  • xlm_sheet_07.xml (xlm-macrosheet, 1739 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml
    SHA-256: 8d78432d7c048f346b8510e555249654586ac9841fbc019a50ea4a8bf3bb842d
  • xlm_sheet_08.xml (xlm-macrosheet, 1587 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
    SHA-256: 1b129ec90222ec026725a775ac10f0dce2a0c1e7b427c67ba92d75825446a762
  • xlm_sheet_09.xml (xlm-macrosheet, 1795 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml
    SHA-256: e3663a60506a89ace82046413a4dccde93b6a67b636922c0655790de58364eed
  • xlm_sheet_10.xml (xlm-macrosheet, 1879 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet10.xml
    SHA-256: 7108303c9ef989f666ac7b9ead7cc23ff0b639ea8ef82a9e5add6cc8abf0e4d7
  • xlm_sheet_11.xml (xlm-macrosheet, 1926 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet11.xml
    SHA-256: e23a4acaf14bd2e6ff5629f08165e8497fdb343d7516d9609ab2169fac110d11
  • xlm_sheet_12.xml (xlm-macrosheet, 1985 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet12.xml
    SHA-256: 42ccc3ae1ec8c2200c80dfc6dc47b8d7cd36433f48171f4c31e7617c89c6b88e
  • xlm_sheet_13.xml (xlm-macrosheet, 1981 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet13.xml
    SHA-256: d414e9d1be7fb6b34a0829a4c81b1a53892e611eefc106b96210ec1060d488c6
  • xlm_sheet_14.xml (xlm-macrosheet, 1442 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet2.xml
    SHA-256: ca65bde9b345eb2bcd7c2930fc6b30e6940779986333116f307d55aebe7fed35