IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 1e2445485c42894a…

MALICIOUS

Office (OOXML) / .XLSM

171.1 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: 85ebc7f606033b79c690aa1549158fbe SHA-1: e1cb4d02e568fb35f8598b2dfe8df19ba0418e6b SHA-256: 1e2445485c42894a99be87ece8eaca0ec2751d5b8242ad5f512130b6ecf22790
328 Risk Score

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Service Execution: Visual Basic T1204.002 Malicious File: Malicious File T1105 Ingress Tool Transfer

The sample is an XLSM file containing Excel 4.0 macros, identified by multiple critical heuristics. These macros utilize dangerous functions like FORMULA and REGISTER, and contain strings for URLDownloadToFileA, indicating a downloader. The macros are likely responsible for fetching and executing a second-stage payload from the provided IP addresses. The ClamAV signature also explicitly names this as IcedID.

Heuristics 8

  • Excel 4.0 macro sheet (4 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, REGISTER, GOTO, EXEC, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 4 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://152.89.218.75/44299,6043609954.dat
    • http://45.144.30.106/44299,6043609954.dat
    • http://195.123.215.110/44299,6043609954.dat
    • http://152.89.218.75/
    • http://45.144.30.106/
    • http://195.123.215.110/
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
1025f85c1e6230f4220fd6977bbc8a34268ca55d8750a5b656898cda3db5c95e		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 3710 bytes
xlm_sheet_01.xml
b98247f5bcf8d0f135bb5498739b20ba12368e95e8f33281c8a6ed0fb5992251		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet2.xml 1886 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
xlm_sheet_02.xml
cea4f43eb95f488fc0d4285170fbe7c96194229839cd1d0d6b240f117d3aed45		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet3.xml 1926 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
xlm_sheet_03.xml
5c569de4a4dcb4c148fdb0732c1f72605bdf2963655b6afbbf0b2bf7b2b710b0		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet4.xml 1903 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.