IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 2d362c4b0bdfac62…

MALICIOUS

Office (OOXML) / .XLSM

Size: 344.3 KB · Created: 2015-06-05 18:19:34 UTC (document metadata, attacker-controlled, so not evidence of the file's real age) · Authoring application: Microsoft Excel 16.0300
MD5: fc4b2ef7abf720d2e55cec08115e052f
SHA-1: 35b9a73cbb58bafa5517e4c0c8b04156efa99a59
SHA-256: 2d362c4b0bdfac6266aec727b76a2804072fabec4e108a1186d06c6f06b0c9bf
Risk Score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1204.002 User Execution: Malicious File

The sample is an XLSM file containing 14 Excel 4.0 (XLM) macro sheets, 12 of them international macro sheets (xl/macrosheets/intlsheetN.xml, a part type that some XLM tooling does not parse), together with an _xlnm.Auto_Open defined name, so the macro runs as soon as the workbook is opened with macros enabled. The macro sheets use the XLM functions FORMULA, GOTO, and HALT. FORMULA writes a formula string into a target cell at runtime; this is how XLM droppers assemble the actual download-and-execute call (CALL/EXEC) from cell contents so that it never appears in the static bytes, while GOTO and HALT only drive control flow. No payload URL appears in the extracted strings, which is consistent with that runtime construction. ClamAV identifies the file as 'Xls.Downloader.IcedID', matching the downloader role of the observed macro shape.

Heuristics 6

  • Excel 4.0 macro sheet (14 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses functions from the rule's watch list. The list covers both the primitives that reach Win32 directly (=CALL/=EXEC/=REGISTER), which download payloads, write files, and start processes from XLM without invoking VBA, and the functions used to build and drive such code at runtime. Only the latter were matched here: FORMULA writes a formula string into a target cell, so the CALL/EXEC payload can be assembled from cell contents when the macro runs rather than stored in the file, while GOTO and HALT control the macro's flow. A static search for CALL or EXEC therefore finds nothing in this sample; emulate the XLM (for example with XLMMacroDeobfuscator) or inspect the cells that FORMULA targets to recover the real payload.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet low OOXML_HIDDEN_SHEET
    Excel workbook contains 14 hidden sheet(s), the same count as the XLM macro sheets above. Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding. Every URL below is an OOXML or Microsoft Office XML namespace URI, a schema identifier present in ordinary workbooks, not a download location. No payload URL is present in the static bytes.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6
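The three critical heuristics above (XLM macro sheet part, _xlnm.Auto_Open defined name, watch-listed XLM functions) and the hidden-sheet check can all be reproduced from the raw OOXML parts without Excel. The following is an added example written for this page, not the report's own analysis engine: it walks [Content_Types].xml for both macro sheet content types (including the international variant used by most of this sample's sheets), reads xl/workbook.xml for auto-exec names and hidden sheets, and regex-scans the <f> formula cells of each macro sheet. The workbook built by build_sample_xlsm() is constructed here to mirror the shape described above (a veryHidden intlsheet wired to Auto_Open using FORMULA/GOTO/HALT); it is not the analysed file, and the rule IDs are reused only as dictionary keys.

```python
"""Static XLM triage of an OOXML workbook. Added example, not the report's engine;
the sample workbook from build_sample_xlsm() is constructed here, not the analysed file."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"
NS_XM = "http://schemas.microsoft.com/office/excel/2006/main"

# Both XLM part types; "intlmacrosheet" is the international variant (intlsheetN.xml).
XLM_CONTENT_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml",
    "application/vnd.ms-excel.intlmacrosheet+xml",
}
# Win32-reaching primitives plus runtime-construction / control-flow functions.
DANGEROUS_FN = {"CALL", "EXEC", "REGISTER", "FORMULA", "GOTO", "HALT"}
AUTO_NAMES = {"_xlnm.Auto_Open", "_xlnm.Auto_Close"}


def xlm_parts(zf):
    """Part names declared as XLM macro sheets in [Content_Types].xml."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    return sorted(ov.get("PartName").lstrip("/")
                  for ov in root.iter("{%s}Override" % NS_CT)
                  if ov.get("ContentType") in XLM_CONTENT_TYPES)


def auto_open_names(zf):
    """(name, target) of defined names Excel evaluates on open/close."""
    wb = ET.fromstring(zf.read("xl/workbook.xml"))
    return [(dn.get("name"), (dn.text or "").strip())
            for dn in wb.iter("{%s}definedName" % NS_MAIN)
            if dn.get("name") in AUTO_NAMES]


def hidden_sheets(zf):
    """Sheet names whose state is hidden or veryHidden (the latter is not reachable from the UI)."""
    wb = ET.fromstring(zf.read("xl/workbook.xml"))
    return [s.get("name") for s in wb.iter("{%s}sheet" % NS_MAIN)
            if s.get("state") in ("hidden", "veryHidden")]


def dangerous_functions(zf, part):
    """Watch-listed XLM function names found in the <f> formula cells of one macro sheet."""
    root = ET.fromstring(zf.read(part))
    found = set()
    for f in root.iter("{%s}f" % NS_MAIN):
        for fn in re.findall(r"\b([A-Z][A-Z0-9.]*)\s*\(", f.text or ""):
            if fn in DANGEROUS_FN:
                found.add(fn)
    return found


def triage(xlsm_bytes):
    """Findings for one workbook, keyed by the report's rule IDs."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        parts = xlm_parts(zf)
        if parts:
            findings["OOXML_XLM_MACROSHEET"] = parts
            names = auto_open_names(zf)
            if names:  # the auto-exec shape only matters together with an XLM sheet
                findings["OOXML_XLM_AUTOOPEN_DEFINEDNAME"] = names
            fns = set().union(*(dangerous_functions(zf, p) for p in parts))
            if fns:
                findings["OOXML_XLM_DANGEROUS_FN"] = sorted(fns)
        hidden = hidden_sheets(zf)
        if hidden:
            findings["OOXML_HIDDEN_SHEET"] = hidden
    return findings


def build_sample_xlsm():
    """Constructed minimal XLSM (hypothetical): one veryHidden international macro
    sheet wired to _xlnm.Auto_Open, using FORMULA/GOTO/HALT."""
    ct = ('<Types xmlns="%s">'
          '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
          '<Override PartName="/xl/macrosheets/intlsheet1.xml" ContentType="application/vnd.ms-excel.intlmacrosheet+xml"/>'
          '</Types>') % NS_CT
    wb = ('<workbook xmlns="%s"><sheets>'
          '<sheet name="Sheet1" sheetId="1"/>'
          '<sheet name="Macro1" sheetId="2" state="veryHidden"/>'
          '</sheets><definedNames>'
          '<definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
          '</definedNames></workbook>') % NS_MAIN
    # A1 writes whatever string sits in B1 into C1 as a live formula (payload built
    # at runtime), A2 jumps to it, A3 stops the macro.
    ms = ('<xm:macrosheet xmlns="%s" xmlns:xm="%s"><sheetData>'
          '<row r="1"><c r="A1"><f>FORMULA(B1,C1)</f></c></row>'
          '<row r="2"><c r="A2"><f>GOTO(C1)</f></c></row>'
          '<row r="3"><c r="A3"><f>HALT()</f></c></row>'
          '</sheetData></xm:macrosheet>') % (NS_MAIN, NS_XM)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("xl/workbook.xml", wb)
        z.writestr("xl/macrosheets/intlsheet1.xml", ms)
    return buf.getvalue()


if __name__ == "__main__":
    for rule, detail in triage(build_sample_xlsm()).items():
        print(rule, detail)
```

Point triage() at the bytes of a real .xlsm to run the same checks; note that, as on the analysed sample, the function scan will report FORMULA/GOTO/HALT but not the CALL/EXEC that FORMULA constructs at runtime, which is exactly why the report recommends emulation for payload recovery.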

Extracted artifacts 14

Files carved from inside the sample during analysis. All 14 are XLM macro sheet parts: 12 international macro sheets (xl/macrosheets/intlsheet1.xml through intlsheet12.xml) and 2 standard macro sheets (sheet1.xml, sheet2.xml).

Filename          Kind            Source (OOXML XLM macro sheet)   Size
xlm_sheet_00.xml  xlm-macrosheet  xl/macrosheets/intlsheet1.xml    1380 bytes
  SHA-256 83dba5bfbe15006ac89e8f80dd7cef1659412a3734905e1c32eb8daf6ea654c1
xlm_sheet_01.xml  xlm-macrosheet  xl/macrosheets/intlsheet2.xml    1616 bytes
  SHA-256 c82a3f1a5a07e2c3dfdeeb07a65d6c60c5bde7fafc322a698567c77157ce96d2
xlm_sheet_02.xml  xlm-macrosheet  xl/macrosheets/intlsheet3.xml    2222 bytes
  SHA-256 2d666c0156d5379ae66f25c08b3a2af99682820e2f3d34113e67d10adba7eb62
xlm_sheet_03.xml  xlm-macrosheet  xl/macrosheets/intlsheet4.xml    3859 bytes
  SHA-256 718618d657190573a85de16f29f95f961a6d033973a622ac95381fd8c6bda9d7
xlm_sheet_04.xml  xlm-macrosheet  xl/macrosheets/intlsheet5.xml    2313 bytes
  SHA-256 18ffdb2b8fdccdea02e96c749f85a50785a70e432f304017fb5424282e69883f
xlm_sheet_05.xml  xlm-macrosheet  xl/macrosheets/intlsheet6.xml    1743 bytes
  SHA-256 d426f8d1ffb9f4cae0b3596b59264854211f5a37409aff811f2b6e3d0b4471fc
xlm_sheet_06.xml  xlm-macrosheet  xl/macrosheets/intlsheet7.xml    1740 bytes
  SHA-256 7c938a7bb5e1d49c23f50c7382eb8d69094ccdb58d4425ca8ed1a35098f12ad9
xlm_sheet_07.xml  xlm-macrosheet  xl/macrosheets/sheet1.xml        1585 bytes
  SHA-256 722e5d05ff76efbc613cfc8faf6010a45d36bce5b42c805efd4dad491ab57285
xlm_sheet_08.xml  xlm-macrosheet  xl/macrosheets/intlsheet8.xml    1795 bytes
  SHA-256 bbabdb72f964374a773f09d55c2ef66fa57494857b47c84f6883880468c3e05f
xlm_sheet_09.xml  xlm-macrosheet  xl/macrosheets/intlsheet9.xml    1879 bytes
  SHA-256 ee656362086a167f40427380169b904c4e8f6d7223dba3711b5f2ca8ecae3067
xlm_sheet_10.xml  xlm-macrosheet  xl/macrosheets/intlsheet10.xml   1920 bytes
  SHA-256 2166c7457651893fa9459576c7b181df82d76c4fcebd021c0c20c24dedc93e62
xlm_sheet_11.xml  xlm-macrosheet  xl/macrosheets/intlsheet11.xml   1929 bytes
  SHA-256 d336d714c064b1de9e9a56ccd73ade8b1f0edff76c17a7e66d685ef714ea6d20
xlm_sheet_12.xml  xlm-macrosheet  xl/macrosheets/intlsheet12.xml   2195 bytes
  SHA-256 aac2ffcbbae09ab4b5869d56560bc65d237d62e10fc10d91608ce8e2b370ca9d
xlm_sheet_13.xml  xlm-macrosheet  xl/macrosheets/sheet2.xml        1442 bytes
  SHA-256 f132f4041e583271c3d5f2834d2cb24dbe90419bc9d67396179c90ec86cd5770