IcedID — Office (OOXML) malware analysis

Static analysis result for SHA-256 2f29c7a9400e9775…

MALICIOUS

Office (OOXML)

Size: 149.1 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: a636478f3279dffde4897c1cb94c0dd9
SHA-1: d0be61b0233033cdc796b151648710cb3f6e7b6f
SHA-256: 2f29c7a9400e977569174fec9f290b407cca04dcf0dfeff6e6e68b3e45d12ba3
Risk Score: 68

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1105 Ingress Tool Transfer

The critical ClamAV heuristic identifies the file as IcedID, a known downloader. The document body contains VBA code that uses URLDownload and rundll32 to fetch and execute a payload from the listed IP addresses, indicating an attempt to download and execute a second-stage payload.

Heuristics (2)

  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 9 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction