IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 41789485e52611c3…

MALICIOUS

Office (OOXML) / .XLSM

Size: 331.7 KB · Created: 2015-06-05 18:19:34 UTC · Authoring application: Microsoft Excel 16.0300
MD5: 48bcfa67f2c5ed3ce6930a9ac5a39699
SHA-1: 3f97db5ba6f41310217282e06df954b97a457422
SHA-256: 41789485e52611c3e7a9e24c21757bf49df5b7133b58a53aaec8b1e3994575d2
Risk Score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1204.002 User Execution: Malicious File · T1059.001 Command and Scripting Interpreter: PowerShell (family-level inference; no PowerShell command was extracted from this file)

This XLSM carries Excel 4.0 (XLM) macro sheets together with a _xlnm.Auto_Open defined name, so macro code runs as soon as the workbook is opened with macros enabled; no VBA is involved. The XLM functions visible statically are FORMULA, GOTO and HALT. None of these reaches the operating system by itself: FORMULA writes a new formula into a cell at run time and GOTO transfers control to it, a pattern used to assemble the real download-and-execute stage (typically =CALL or =EXEC) from string fragments so that it never appears in the static file. That is consistent with no download URL or second-stage hash being recovered here; the only URLs present are OOXML schema namespaces. The ClamAV signature name attributes the file to an IcedID downloader variant, which the risk score reflects, but the payload itself was not obtained. The 2015 creation timestamp is document metadata, easily forged or inherited from a template, and should not be used to date the sample.

Heuristics 6

  • Excel 4.0 macro sheet (10 sheets) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains Excel 4.0 (XLM) macro sheets under xl/macrosheets/. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls (it lives outside the vbaProject.bin stream those controls inspect) before Microsoft tightened XLM defaults. Legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN
    The rule covers XLM functions that let a macro sheet build and run code without VBA: =CALL, =EXEC and =REGISTER call directly into Win32, while =FORMULA writes a formula into another cell at run time, =GOTO jumps to it and =HALT stops execution. This sample statically contains only the latter three. None of them touches Win32 by itself, so the download-and-execute primitive is most likely assembled into a cell by FORMULA during execution and is only reachable by running or emulating the macro; static scanning of the formula text will not show it, which matches the absence of extracted URLs.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV signature match: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0. The signature name supplies the IcedID downloader attribution; it is pattern-based and the second stage was not recovered here, so treat the family label as a strong lead rather than confirmation.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Workbook declares 10 sheets with a hidden state in xl/workbook.xml. Hidden sheets are commonly used to conceal macro code, staging data or intermediate payload construction; the count here equals the 10 macro sheets carved below, so the hidden sheets are very likely the macro sheets themselves. (Sheets with state="veryHidden" cannot be unhidden from the Excel UI at all, only via VBA or by editing the XML.)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: context-specific rules above attribute the URLs they actually evaluated, and this rule lists URLs present in the bytes that were not tied to any finding. Every URL below is an XML namespace identifier from the OOXML and Microsoft Office schemas; these appear in any workbook saved by Excel, are never contacted at run time, and are not network indicators.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6
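The heuristics above can be reproduced directly on the OOXML container, which is just a zip of XML parts. The following Python is an added example, not the scanner's code: it opens a workbook from bytes, lists the macro sheets under xl/macrosheets/, reads _xlnm.Auto_Open/_xlnm.Auto_Close and sheet visibility from xl/workbook.xml, carves each macro sheet with its SHA-256 (the same shape as the artifact table further down), and flags XLM functions found in <f> formula elements. The input is a constructed in-memory workbook shaped like this sample (one very-hidden international macro sheet whose static formulas are only FORMULA, GOTO and HALT), so it runs offline; the function list, the severity mapping in verdict() and all names are assumptions of the example.

```python
"""Triage an OOXML workbook for the Excel 4.0 (XLM) indicators listed above:
macro sheets under xl/macrosheets/, _xlnm.Auto_Open/_xlnm.Auto_Close defined
names, hidden sheets and risky XLM functions. Added example; not the scanner's
own code. Sample workbooks are constructed in memory below."""
import hashlib
import io
import re
import xml.etree.ElementTree as ET
import zipfile

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
XM_NS = "http://schemas.microsoft.com/office/excel/2006/main"
NS = {"m": MAIN_NS}

# Assumed function list. CALL/EXEC/REGISTER reach Win32 directly. FORMULA writes a
# formula into a cell at run time, GOTO jumps to it and HALT ends the macro: together
# they let a sheet assemble its real payload from fragments that are never present statically.
RISKY_FUNCS = ("CALL", "EXEC", "REGISTER", "FORMULA", "GOTO", "HALT")
FUNC_RE = re.compile(r"(?<![A-Z0-9._])(" + "|".join(RISKY_FUNCS) + r")(?:\.[A-Z]+)*\s*\(")


def triage_xlm(data: bytes) -> dict:
    """Return the XLM indicators found in a workbook supplied as .xlsm/.xlsx bytes."""
    r = {"macrosheets": [], "auto_open": False, "hidden_sheets": [],
         "risky_funcs": set(), "carved": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # 1. XLM code lives in xl/macrosheets/ (intlsheetN.xml = international macro sheet).
        r["macrosheets"] = sorted(n for n in names
                                  if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
        # 2. Auto-execution names and sheet visibility are declared in xl/workbook.xml.
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for dn in wb.iterfind("m:definedNames/m:definedName", NS):
                if dn.get("name") in ("_xlnm.Auto_Open", "_xlnm.Auto_Close"):
                    r["auto_open"] = True
            for sh in wb.iterfind("m:sheets/m:sheet", NS):
                if sh.get("state") in ("hidden", "veryHidden"):
                    r["hidden_sheets"].append(sh.get("name"))
        # 3. Carve each macro sheet (path, SHA-256, size) and scan its <f> formula text.
        for name in r["macrosheets"]:
            blob = z.read(name)
            r["carved"].append((name, hashlib.sha256(blob).hexdigest(), len(blob)))
            for el in ET.fromstring(blob).iter():
                if el.tag.endswith("}f") and el.text:
                    r["risky_funcs"].update(m.group(1) for m in FUNC_RE.finditer(el.text.upper()))
    r["risky_funcs"] = sorted(r["risky_funcs"])
    return r


def verdict(r: dict) -> str:
    """Assumed severity mapping, loosely following the heuristic levels above."""
    if r["macrosheets"] and (r["auto_open"] or r["risky_funcs"]):
        return "critical"
    if r["macrosheets"] or r["hidden_sheets"]:
        return "suspicious"
    return "clean"


def build_workbook(with_xlm: bool) -> bytes:
    """Constructed test input: a minimal OOXML zip, optionally with a veryHidden
    international macro sheet wired to _xlnm.Auto_Open, shaped like the sample above."""
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    defined = ""
    parts = {"xl/worksheets/sheet1.xml":
             f'<worksheet xmlns="{MAIN_NS}"><sheetData/></worksheet>'}
    if with_xlm:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        defined = ('<definedNames><definedName name="_xlnm.Auto_Open">'
                   'Macro1!$A$1</definedName></definedNames>')
        # Only FORMULA/GOTO/HALT appear statically; the EXEC call is split across B1 and B2
        # and only exists once FORMULA writes B1&B2 into C1 at run time.
        parts["xl/macrosheets/intlsheet1.xml"] = (
            f'<xm:macrosheet xmlns="{MAIN_NS}" xmlns:xm="{XM_NS}"><sheetData>'
            '<row r="1"><c r="A1"><f>FORMULA(B1&amp;B2,C1)</f></c>'
            '<c r="B1" t="str"><v>=EX</v></c><c r="B2" t="str"><v>EC("calc")</v></c></row>'
            '<row r="2"><c r="A2"><f>GOTO(C1)</f></c></row>'
            '<row r="3"><c r="A3"><f>HALT()</f></c></row>'
            '</sheetData></xm:macrosheet>')
    parts["xl/workbook.xml"] = (f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}">'
                                f'<sheets>{sheets}</sheets>{defined}</workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for path, xml in parts.items():
            z.writestr(path, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        res = triage_xlm(build_workbook(flag))
        print(verdict(res), res["macrosheets"], res["risky_funcs"], res["hidden_sheets"])
```

The XLM build returns "critical" with risky_funcs ["FORMULA", "GOTO", "HALT"] and the benign build "clean", but the EXEC spelled across B1 and B2 is never seen because the scan only reads formula text. That is exactly the limitation the FORMULA/GOTO pattern exploits, and the reason the report above recovers no URL: the assembled formula only exists after the sheet is run or emulated (for example with an XLM emulator such as XLMMacroDeobfuscator).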

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml | 3274 bytes | 0fea66c14a758f69219c2a291a7867fd7bdf005a68b88ac63d9198f174ca9e25
xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml | 1813 bytes | edd56ce6c1aaebd6a961f4f3e21381f159f4e4a5cb9588dee71059686a23fd36
xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml | 2221 bytes | 0bf73014734044b1be473cf60f0bc0956400786157951f1eafa33463db204467
xlm_sheet_03.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml | 1457 bytes | 1689f80fcd8d29bbe3f6826c85a4540f840aaca57f1dab7118361be453f9c62f
xlm_sheet_04.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml | 1523 bytes | 592faf795ef32e9abd34df5439e415f27d5e1c3900f372036296e9849f1da2dc
xlm_sheet_05.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml | 1461 bytes | 21036e671bd96742131b768b836f683650b1b62627606efe875f8c786e301918
xlm_sheet_06.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml | 1457 bytes | 8d2ada19e3ea28284efe269aede03d58a72dd70f04cc971c83273e788cc6af87
xlm_sheet_07.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml | 1458 bytes | 938cc835b7ab4aa3dea37f0e63091f7a34f0b4608d7bd063ec89076fac32ce5c
xlm_sheet_08.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml | 1448 bytes | 3394a1195cc4e485811eb02b87115bd3b5f3f1bfb26f05d95729273c23b5e0a9
xlm_sheet_09.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 1374 bytes | 3afe788cc0d6b7fdc8627509b129d19739d24c6d621de96f23bc3e25a44fa05e