Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 3383043324b755aa…

MALICIOUS

Office (OOXML) / .XLSM

Size: 343.3 KB | Created: 2015-06-05 18:19:34 UTC (document metadata, not a trusted timestamp) | Authoring application: Microsoft Excel 16.0300
MD5: 83edd795222d06de2d12b38948d576d0 | SHA-1: 4534664db6bb1ed36deb3c984fdd5fd0dc0f5523 | SHA-256: 3383043324b755aaec94475fcfe467e9f13ff5b5df14ec88f18c6a0cc0796bbd
Risk score: 250

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

This XLSM file contains 15 Excel 4.0 (XLM) macro sheets and defines _xlnm.Auto_Open, which points execution into the macro sheets as soon as the workbook opens and macros are allowed; this is a common initial-execution technique. The XLM functions flagged statically (FORMULA, GOTO and HALT) are not Win32 calls in themselves: FORMULA writes new formulas into cells at run time, which is how XLM downloaders assemble and then execute their next stage, while GOTO and HALT are control flow. The static scan did not report a direct =CALL/=EXEC/=REGISTER, so the download-and-execute behaviour is inferred from that staging structure and from the ClamAV signature Xls.Downloader.IcedID, which attributes the sample to the IcedID downloader family.

Heuristics 6

  • Excel 4.0 macro sheet (15 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs associated with payload delivery. =CALL/=EXEC/=REGISTER call directly into Win32 to download payloads, write files and start processes; =FORMULA writes formulas into cells at run time so the macro can build its next stage on the fly; =GOTO/=HALT steer control flow between those cells. All of this runs from an XLM macro without invoking VBA. In this sample the functions observed were FORMULA, GOTO and HALT; no direct Win32-calling function was reported.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 15 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding. Every URL below is an OOXML or Office XML namespace identifier that appears in any workbook saved by Excel; none is a network indicator.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6
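
The four XLM heuristics above (macrosheet parts, an _xlnm.Auto_Open/_xlnm.Auto_Close defined name, dangerous XLM functions, hidden sheets) can all be checked from the OOXML package without opening Excel. The following is an added example written for this page, not the analyser's own code: it unzips a workbook, reads xl/workbook.xml for defined names and sheet visibility, carves and hashes every part under xl/macrosheets/, and scans the formulas in them. The sample workbook it parses is constructed inline and is not the analysed file; the DANGEROUS_FN set and the rule names it reports are this example's own choices, modelled on the report.

```python
"""Static triage of an OOXML workbook (.xlsm) for Excel 4.0 (XLM) indicators.
Added example; the sample package is constructed below and is not the analysed file."""
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
XM_NS = "http://schemas.microsoft.com/office/excel/2006/main"
MACROSHEET_PREFIX = "xl/macrosheets/"
AUTO_NAMES = {"_xlnm.Auto_Open", "_xlnm.Auto_Close"}
# XLM functions worth flagging (this example's own list, an assumption):
# CALL/EXEC/REGISTER reach Win32 directly; FORMULA/FORMULA.FILL write new formulas
# into cells at run time (stage building); GOTO/HALT/RUN are control flow.
DANGEROUS_FN = {"CALL", "EXEC", "REGISTER", "FORMULA", "FORMULA.FILL", "GOTO", "HALT", "RUN"}
# A function name is an identifier immediately followed by "(".
FN_RE = re.compile(r"(?<![A-Z0-9._])([A-Z][A-Z0-9.]*)\s*\(")


def triage_xlsm(data: bytes) -> dict:
    """Return XLM-related findings for the OOXML package in `data`."""
    findings = {"rules": [], "macrosheets": [], "auto_names": [],
                "dangerous_fn": set(), "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # 1. workbook.xml: auto-execution defined names and sheet visibility
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for dn in wb.iter(f"{{{MAIN_NS}}}definedName"):
                if dn.get("name") in AUTO_NAMES:
                    findings["auto_names"].append((dn.get("name"), (dn.text or "").strip()))
            for sh in wb.iter(f"{{{MAIN_NS}}}sheet"):
                if sh.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append((sh.get("name"), sh.get("state")))
        # 2. macrosheet parts: carve, hash and scan every <f> formula
        for part in sorted(n for n in names if n.startswith(MACROSHEET_PREFIX)):
            blob = zf.read(part)
            root = ET.fromstring(blob)
            formulas = [(f.text or "") for f in root.iter(f"{{{MAIN_NS}}}f")]
            fns = {m.group(1) for text in formulas for m in FN_RE.finditer(text.upper())}
            findings["dangerous_fn"] |= fns & DANGEROUS_FN
            findings["macrosheets"].append({"part": part, "size": len(blob),
                                            "sha256": hashlib.sha256(blob).hexdigest(),
                                            "formulas": formulas})
    # 3. map the evidence onto rule names in the style of the report
    if findings["macrosheets"]:
        findings["rules"].append("OOXML_XLM_MACROSHEET")
        if findings["auto_names"]:
            findings["rules"].append("OOXML_XLM_AUTOOPEN_DEFINEDNAME")
        if findings["dangerous_fn"]:
            findings["rules"].append("OOXML_XLM_DANGEROUS_FN")
    if findings["hidden_sheets"]:
        findings["rules"].append("OOXML_HIDDEN_SHEET")
    findings["dangerous_fn"] = sorted(findings["dangerous_fn"])
    return findings


def build_sample_xlsm(with_macro: bool = True) -> bytes:
    """Constructed minimal package (not the analysed sample). With with_macro=True it
    carries one veryHidden XLM sheet, an Auto_Open name and FORMULA/GOTO/HALT formulas;
    with False it is a plain two-sheet workbook used as the benign control."""
    state = ' state="veryHidden"' if with_macro else ""
    names = ('<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1'
             '</definedName></definedNames>' if with_macro else "")
    workbook = (f'<?xml version="1.0" encoding="UTF-8"?>'
                f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}">'
                f'<sheets><sheet name="Invoice" sheetId="1" r:id="rId1"/>'
                f'<sheet name="Macro1" sheetId="2"{state} r:id="rId2"/></sheets>{names}</workbook>')
    macrosheet = (f'<?xml version="1.0" encoding="UTF-8"?>'
                  f'<xm:macrosheet xmlns="{MAIN_NS}" xmlns:xm="{XM_NS}"><sheetData>'
                  '<row r="1"><c r="A1" t="str"><f>FORMULA("=HALT()",B1)</f><v>TRUE</v></c></row>'
                  '<row r="2"><c r="A2" t="str"><f>GOTO(B1)</f><v>TRUE</v></c></row>'
                  '<row r="3"><c r="A3" t="str"><f>HALT()</f><v>TRUE</v></c></row>'
                  '</sheetData></xm:macrosheet>')
    empty_sheet = f'<worksheet xmlns="{MAIN_NS}"><sheetData/></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", empty_sheet)
        if with_macro:
            zf.writestr("xl/macrosheets/sheet1.xml", macrosheet)
        else:
            zf.writestr("xl/worksheets/sheet2.xml", empty_sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("constructed XLM sample", build_sample_xlsm()),
                       ("benign control", build_sample_xlsm(with_macro=False))):
        report = triage_xlsm(pkg)
        print(label, "->", report["rules"], report["dangerous_fn"])
```

Scanning the `<f>` elements catches the formulas as stored, but an XLM downloader typically assembles its real payload with FORMULA at run time (as in the constructed sheet, where the "=HALT()" string is only written into B1 when A1 runs), so a static list of function names is a triage signal, not a full picture of what the macro does; emulating the sheet is the next step.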

Extracted artifacts 15

Files carved from inside the sample during analysis.

All 15 artifacts are of kind xlm-macrosheet (OOXML XLM macro sheet).

Filename          Source                          Size        SHA-256
xlm_sheet_00.xml  xl/macrosheets/intlsheet1.xml   1415 bytes  c8d3cc732c81101776f8b88264884954905ef8697dcd7d362e06e326dbd84474
xlm_sheet_01.xml  xl/macrosheets/intlsheet2.xml   1616 bytes  27aac2c3e61fd33179f55853dd21cd346c11cfae424bb73b0d9516295cf385a3
xlm_sheet_02.xml  xl/macrosheets/intlsheet3.xml   2128 bytes  f4d8ff0a5187f8589c35fb237bec84206266a6c52653bf8253b044239518475e
xlm_sheet_03.xml  xl/macrosheets/intlsheet4.xml   3705 bytes  6eb712fcfc4c156c9bc80649785135e8b5a94b00b0e4fb985c7b4ffd74392be5
xlm_sheet_04.xml  xl/macrosheets/intlsheet5.xml   1415 bytes  dad7d088b62ccbf83dda94ae17d917c3926a6ad4999418b63415984492659627
xlm_sheet_05.xml  xl/macrosheets/intlsheet6.xml   2408 bytes  9fdae223af787153e5974406306f7d45b8ca0731b44c896ede5a3869a6224a58
xlm_sheet_06.xml  xl/macrosheets/intlsheet7.xml   1741 bytes  b86ecd75b459c65f21aad3bab569290871c38c2307a1de569f22397bef8d8ace
xlm_sheet_07.xml  xl/macrosheets/intlsheet8.xml   1739 bytes  8d78432d7c048f346b8510e555249654586ac9841fbc019a50ea4a8bf3bb842d
xlm_sheet_08.xml  xl/macrosheets/sheet1.xml       1587 bytes  1b129ec90222ec026725a775ac10f0dce2a0c1e7b427c67ba92d75825446a762
xlm_sheet_09.xml  xl/macrosheets/intlsheet9.xml   1795 bytes  e3663a60506a89ace82046413a4dccde93b6a67b636922c0655790de58364eed
xlm_sheet_10.xml  xl/macrosheets/intlsheet10.xml  1879 bytes  7108303c9ef989f666ac7b9ead7cc23ff0b639ea8ef82a9e5add6cc8abf0e4d7
xlm_sheet_11.xml  xl/macrosheets/intlsheet11.xml  1926 bytes  e23a4acaf14bd2e6ff5629f08165e8497fdb343d7516d9609ab2169fac110d11
xlm_sheet_12.xml  xl/macrosheets/intlsheet12.xml  1985 bytes  42ccc3ae1ec8c2200c80dfc6dc47b8d7cd36433f48171f4c31e7617c89c6b88e
xlm_sheet_13.xml  xl/macrosheets/intlsheet13.xml  1981 bytes  d414e9d1be7fb6b34a0829a4c81b1a53892e611eefc106b96210ec1060d488c6
xlm_sheet_14.xml  xl/macrosheets/sheet2.xml       1442 bytes  ca65bde9b345eb2bcd7c2930fc6b30e6940779986333116f307d55aebe7fed35