IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 3206db53eb586be8…

MALICIOUS

Office (OOXML) / .XLSM

Size: 333.6 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: f4a847eacb1c4b4017e0db4ce4fd80f1
SHA-1: c4a192ea857291c6d255d6c42cecd4b9739c818e
SHA-256: 3206db53eb586be8ae6a7f96bd286d170271e6bb336b31e411f85166c2103906
Risk Score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer

This XLSM file contains Excel 4.0 macros, indicated by multiple critical heuristic firings including the use of dangerous formula APIs like FORMULA, GOTO, and HALT. The ClamAV detection explicitly names this sample as 'Xls.Downloader.IcedID', suggesting a downloader functionality. The macros are likely used to download and execute a second-stage payload, consistent with the IcedID family's typical behavior.

Heuristics (6)

  • Excel 4.0 macro sheet (11 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT [critical] OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 11 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Filename         | Kind           | Source                                               | Size       | SHA-256
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml  | 1544 bytes | f50d0e58ff4b3bbf8f66fb8c7392258f65ea4187c2a029c0b32b4b4e8af9d5a7
xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml  | 3338 bytes | b86388e68af4df119a85d9a5417f3d1338d06f95af9f23b889b347b685ebf538
xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml  | 1813 bytes | edd56ce6c1aaebd6a961f4f3e21381f159f4e4a5cb9588dee71059686a23fd36
xlm_sheet_03.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml  | 2282 bytes | 0bdab39d1e6e240b262fdb455004f95b6e641cefcb55184597b0791e3477830d
xlm_sheet_04.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml  | 1457 bytes | 1689f80fcd8d29bbe3f6826c85a4540f840aaca57f1dab7118361be453f9c62f
xlm_sheet_05.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml  | 1523 bytes | 592faf795ef32e9abd34df5439e415f27d5e1c3900f372036296e9849f1da2dc
xlm_sheet_06.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml  | 1461 bytes | 21036e671bd96742131b768b836f683650b1b62627606efe875f8c786e301918
xlm_sheet_07.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml  | 1457 bytes | 8d2ada19e3ea28284efe269aede03d58a72dd70f04cc971c83273e788cc6af87
xlm_sheet_08.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml  | 1458 bytes | 938cc835b7ab4aa3dea37f0e63091f7a34f0b4608d7bd063ec89076fac32ce5c
xlm_sheet_09.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet10.xml | 1448 bytes | 3394a1195cc4e485811eb02b87115bd3b5f3f1bfb26f05d95729273c23b5e0a9
xlm_sheet_10.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml      | 1370 bytes | 769a8916d3134cc00e18e05c8b172dd3ba49607c493e21d1ff7faf8cc2427d28