IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 3786f30bd73fdd01…

MALICIOUS

Office (OOXML) / .XLSM

Size: 349.7 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 53f563d17135ccce3cc945bab947a49b
SHA-1: bb38d2034f285651008c053919e9ce46b0c92fe5
SHA-256: 3786f30bd73fdd01bbdabecad82886bc21133ef9ab0cd4f50c217cb8761e1f05
Risk score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
  • T1059.005 Service Execution: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

This XLSM file contains multiple Excel 4.0 macro sheets, including hidden ones, which is a common technique for malware delivery. The critical heuristic firings indicate the use of dangerous XLM formula APIs like FORMULA, GOTO, and HALT, which are used to download and execute payloads. The ClamAV detection explicitly names the IcedID family, confirming its malicious nature and likely function as a downloader.

Heuristics (6)

  • Excel 4.0 macro sheet (14 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 14 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (14)

Files carved from inside the sample during analysis.

Filename          Kind            Source (OOXML XLM macro sheet)     Size        SHA-256
xlm_sheet_00.xml  xlm-macrosheet  xl/macrosheets/intlsheet1.xml      1378 bytes  c6147ff1756152612e015f11f7e76a298540d74ec9f27d60e9424ceeba013de4
xlm_sheet_01.xml  xlm-macrosheet  xl/macrosheets/intlsheet2.xml      1616 bytes  c82a3f1a5a07e2c3dfdeeb07a65d6c60c5bde7fafc322a698567c77157ce96d2
xlm_sheet_02.xml  xlm-macrosheet  xl/macrosheets/intlsheet3.xml      2222 bytes  2d666c0156d5379ae66f25c08b3a2af99682820e2f3d34113e67d10adba7eb62
xlm_sheet_03.xml  xlm-macrosheet  xl/macrosheets/intlsheet4.xml      3416 bytes  20e6290160bfadd25f3737fb9a4c7de8d9795c3ac07efa3dfdae5b83fdab33ca
xlm_sheet_04.xml  xlm-macrosheet  xl/macrosheets/intlsheet5.xml      2313 bytes  0fa907f0718ae60f98439b6a09d6cf4f7408c685c3ab42cf2e66dd6c8f5eca42
xlm_sheet_05.xml  xlm-macrosheet  xl/macrosheets/intlsheet6.xml      1743 bytes  d426f8d1ffb9f4cae0b3596b59264854211f5a37409aff811f2b6e3d0b4471fc
xlm_sheet_06.xml  xlm-macrosheet  xl/macrosheets/intlsheet7.xml      1740 bytes  7c938a7bb5e1d49c23f50c7382eb8d69094ccdb58d4425ca8ed1a35098f12ad9
xlm_sheet_07.xml  xlm-macrosheet  xl/macrosheets/sheet1.xml          1585 bytes  722e5d05ff76efbc613cfc8faf6010a45d36bce5b42c805efd4dad491ab57285
xlm_sheet_08.xml  xlm-macrosheet  xl/macrosheets/intlsheet8.xml      1795 bytes  bbabdb72f964374a773f09d55c2ef66fa57494857b47c84f6883880468c3e05f
xlm_sheet_09.xml  xlm-macrosheet  xl/macrosheets/intlsheet9.xml      1993 bytes  ac778404697adf8cbceb8a1b633b36eb8c3fda9b46e00508508936ce6239b05a
xlm_sheet_10.xml  xlm-macrosheet  xl/macrosheets/intlsheet10.xml     1972 bytes  613d62be3275fa90c8df8e3f1e1f8caeb9243ce5936b8c9f3471552d7ebb532a
xlm_sheet_11.xml  xlm-macrosheet  xl/macrosheets/intlsheet11.xml     1914 bytes  d3102bf6b88d9e01a5dbc52a16f13df3a504db274cc3a3cd2ab29863d465b4d0
xlm_sheet_12.xml  xlm-macrosheet  xl/macrosheets/intlsheet12.xml     2194 bytes  d99e10e24d53b02909de21dd754f15976c7c796354e67cdb1257e34ad2556597
xlm_sheet_13.xml  xlm-macrosheet  xl/macrosheets/sheet2.xml          1442 bytes  f132f4041e583271c3d5f2834d2cb24dbe90419bc9d67396179c90ec86cd5770