IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 1da4972fe41e89b1…

MALICIOUS

Office (OOXML) / .XLSM

329.5 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: 4b6b48f545adb525da440f0bef4a54a7 SHA-1: 3d5893135fb3532f8bfe9ed4aabdb532d2a06884 SHA-256: 1da4972fe41e89b10f9414008151ab53c2b0585e47676aa8f4211e3b1f89f98f
268 Risk Score

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1059.001 PowerShell T1105 Ingress Tool Transfer

The file is an XLSM document containing Excel 4.0 macros, specifically utilizing dangerous functions like FORMULA, GOTO, REGISTER, and EXEC. These functions are capable of directly calling Win32 APIs to download and execute payloads. The presence of an Auto_Open macro further indicates malicious intent. The ClamAV detection as 'Xls.Downloader.IcedID' strongly suggests the IcedID family. The extracted URLs are highly suspicious and likely serve as the download source for the second-stage payload.

Heuristics 8

  • Excel 4.0 macro sheet (5 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: FORMULA, GOTO, REGISTER, EXEC, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 5 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://188.127.251.176/44300,5396033565.dat
    • http://190.14.37.242/44300,5396033565.dat
    • http://185.212.129.89/44300,5396033565.dat
    • http://188.127.251.176/
    • http://190.14.37.242/
    • http://185.212.129.89/
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
ed3d173956b71a4a513690e5252554cbf023dc6b4efc261a2bfd9eddfcacdc81		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 768 bytes
vbaProject_00.bin
2c32c0d27fbe2d4cab85896cb6712e972cb3b65485502b654b1ad7fbdaaa04e9		 vba-project OOXML VBA project: xl/vbaProject.bin 10240 bytes
xlm_sheet_00.xml
a0a4750cfa2824c5f435bc5f51cb705b119314c122a77aa94985e2b6b0dc0a32		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 3884 bytes
xlm_sheet_01.xml
7df27b4b2efc95bcdf8c14aed2fa1baef3393698b82a16b50c3bb8a176a7ee94		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet2.xml 2171 bytes
xlm_sheet_02.xml
f888465e986f98cf214462d1f1bf45299ac36ed943621ffc392ddacaebecd5d3		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet3.xml 1958 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
xlm_sheet_03.xml
6706f2199b65c1106020a36e537509f1794e3482058d92a7d5e3b5d1a74b6520		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet4.xml 1931 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
xlm_sheet_04.xml
d4a2ed42d840d46ddfe9caec4600f3c34aee0de8825704d7597ef6335900ee20		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet5.xml 2000 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.