IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 0e4d3bacb407e851…

MALICIOUS

File type: Office (OOXML) / .XLSM

Size: 342.5 KB · Created: 2015-06-05 18:19:34 UTC · Authoring application: Microsoft Excel 16.0300

MD5: 3070fd3f7066fe89a3f6e3c6acc21092
SHA-1: 5b3d789d75dd19d156e01a042c80b04e2a22359c
SHA-256: 0e4d3bacb407e851590657e2d6c98ac9060fdf7bc5a479119cae71e90c01ca45

Risk score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The file is an XLSM document containing Excel 4.0 macros, as indicated by multiple critical heuristic firings. These macros utilize dangerous functions like FORMULA and CALL to construct and execute commands. Specifically, the macros appear to construct a command to download and execute a second-stage payload using 'regsvr32 -s .\Post.storg' and similar variations. This behavior is consistent with IcedID, a known downloader and banking trojan.

Heuristics (6)

  • Excel 4.0 macro sheet (10 sheet(s)) · critical · OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name · critical · OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, RUN, HALT, GOTO · critical · OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) · low · OOXML_HIDDEN_SHEET
    Excel workbook contains 14 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL · info · EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename         | Kind           | Source                                             | Size       | SHA-256
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml | 3661 bytes | 77a2552a35104367f799f4096b3ae4c8171ee2e5ee3a4b5270fe06a86f7bc3fd
xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml | 1791 bytes | ef4beac33700e9f3fc349170f198acb43da249b168ba90039feac302d6144012
xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml | 2323 bytes | 28f37cd7b934a54360fd11ea13360f01a00631f48eb50671062ca2150546ffe1
xlm_sheet_03.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml | 1438 bytes | f52a1fe96d1e917dc5a90da756eacb9f414bac9843fbf067523f895adb4624ef
xlm_sheet_04.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml | 1503 bytes | f4f64564e97e71d44e1503c633738ac0b750b2ac1025ed07c37397cf3fb87238
xlm_sheet_05.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml | 1441 bytes | 6dd2f8642c594514fca348a16d2e9641b3492a2cd0476b30212f180cdabb1f1f
xlm_sheet_06.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml | 1440 bytes | 507d7abac4580456d533403d676f5f72786f3c74d36e6ad1bbb4f9f627dea886
xlm_sheet_07.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml | 1442 bytes | e92dea39619a5dcfdc889538b2980bccadbad3dc9a8c34752db39769a0e204b9
xlm_sheet_08.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml | 1485 bytes | 62fd2f53a7df5bfcdb8649d1defc1852b3e408758e6bca949c6ddee9cc672834
xlm_sheet_09.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml     | 1428 bytes | 9f2c348b6277949a52e634dd134eba0fdcf672840d76d752a3cea0b5f52fb2aa