IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 4310b1061fe1ad6c…

MALICIOUS

Office (OOXML) / .XLSM

170.5 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: 12892658ff3135b9b4ad7abeb83f50f5 SHA-1: 3cb8ec9535d524f0cfab7b1e49c52e4e63c2ba12 SHA-256: 4310b1061fe1ad6c9521b8ef67a6f2fff1abfd9ba1fc1e34641072cb2ebec22d
240 Risk Score

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Service Execution: Visual Basic T1204.002 Malicious File: User Execution: Malicious File T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell

This XLSM file contains Excel 4.0 macros, specifically utilizing dangerous functions like FORMULA.FILL, GOTO, RETURN, and EXEC. The presence of an Auto_Open defined name indicates an attempt to automatically execute these macros upon opening. The embedded document body text contains IP addresses that are likely related to the download of a second-stage payload, consistent with the ClamAV detection of Xls.Downloader.IcedID. The macros are designed to leverage these dangerous functions to initiate the download and execution process.

Heuristics 5

  • Excel 4.0 macro sheet (2 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA.FILL, GOTO, RETURN, EXEC critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
f7a7d858a289c655913c511b5f5d8782821a8118c456bccdca038cd83fd83627		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 4787 bytes
xlm_sheet_01.xml
ec666c9d225befa7b355659a9f4b1be9fc09d89a108ceccff5430c2c3d528ed9		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet2.xml 2475 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.