IcedID — Office (OLE) / .XLSX malware analysis

Static analysis result for SHA-256 196e1cd140808b28…

Verdict: MALICIOUS

File type: Office (OLE) / .XLSX
Size: 233.5 KB
Created: 2015-06-05 18:19:34
Authoring application: Microsoft Excel
MD5: 6f2293f8412b0321860df515c79ae447
SHA-1: f46a8288e20702e749578fe6f6b4d935a15872df
SHA-256: 196e1cd140808b282f46375d3cb6e037dc747d28c7e7f3329dffe2a935e545ed
Risk Score: 222

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains Excel 4.0 macros with an Auto_Open defined name, indicating an attempt to automatically execute code upon opening. Heuristics indicate the use of dangerous API functions like RUN, suggesting the macro is designed to download and execute a second-stage payload. The presence of multiple suspicious URLs in the document body further supports this, pointing to potential C2 infrastructure.

Heuristics (6)

  • [critical] Excel 4.0 Auto_Open defined name (OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • [critical] XLM Auto_Open with dangerous formula APIs (OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • [critical] ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • [medium] Excel 4.0 (XLM) macro sheet present (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • [medium] Macro/content-enable lure (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: 0b4fb8bf1dd43b792174bd74fb73ae2bcce495ce59d58c5d350fe6db8ffb1ac9
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 8269 bytes