IcedID — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 1806416f4f2b5735…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX
Size: 329.9 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 49079a0f50cb59f7be7daceceadc531a
SHA-1: f34e6c356b0ab0f3d3df6a3cd7ef78e8fbf1088b
SHA-256: 1806416f4f2b573598c5eb243a036be673e98d57e8eef9d6f050ec19e87a8728
Risk score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The file contains Excel 4.0 macros, identified by multiple critical heuristics, including the use of dangerous API functions like FORMULA, GOTO, REGISTER, and HALT. These macros are designed to download a payload from IP addresses such as 217.147.172.65 and execute it using rundll32. The ClamAV detection explicitly names the family as IcedID.

Heuristics (6)

  • Excel 4.0 macro sheet (10 sheets) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, REGISTER, HALT [critical] OOXML_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet uses formula APIs that can call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 10 hidden sheets. Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that every URL listed below is a standard OOXML/Excel XML namespace identifier declared in the workbook parts, not a network destination contacted by the macro.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename         | Kind           | Source                                              | Size       | SHA-256
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml | 3139 bytes | 080bf0d1913eabdbe68c9f55d92e797adb72f1bc1d886b19764eaaf321e40bcc
xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml | 1775 bytes | 05164b9cb70e0037b39b203885ebd44decd4d50bf6d78fd17a97030d1a30d169
xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml | 2200 bytes | 57964786069256c3cde5b674c74c83e32c7950a5a81fb86406607b9295962e79
xlm_sheet_03.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml | 1453 bytes | 8e54ca9c8231ff6eeb2f34ba5a3783f05811c03293e81c3321c593743fc7d49b
xlm_sheet_04.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml | 1453 bytes | bc63d00a02951125a391dfed946345cbbd3e47d5e732e1f67ca4c1232e853427
xlm_sheet_05.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml | 1452 bytes | 1da17f060335fdb67c88a8c48e73de301d69d9af4b69c610a8ce665eeb86cad7
xlm_sheet_06.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml | 1454 bytes | f6b4423280cd454553d841491284df3eff350a07bc739b9add3542ffb6a9432a
xlm_sheet_07.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml | 1455 bytes | bdf4c4c111e091debcc20b38007edacf914de0a9b4c13576faa0148f2eae61a7
xlm_sheet_08.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml | 1451 bytes | a6ea880b09fb36b15b9b86dc98d863447933c1968cf6c7d3bec7927472189efa
xlm_sheet_09.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml     | 1496 bytes | 6b415b149f32e6deb26c4b2856c7977501b27603cf485b4daf15fd4fee7940d5