IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 4e05579ea18b3e02…

MALICIOUS

Office (OOXML) / .XLSM

Size: 329.9 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 1ff818459a5c124575b79f10926957c0
SHA-1: b5c5226e7fcbc173d5f0eb6c77a7e586fcb173dd
SHA-256: 4e05579ea18b3e0279e96a2638def039d6015f5a54574eaa04dbefef4bd26b94
Risk Score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is an XLSM file containing multiple Excel 4.0 macro sheets. Critical heuristics indicate the use of dangerous XLM formula APIs like FORMULA and REGISTER, which are commonly used to download and execute payloads. ClamAV detection explicitly names this as an IcedID downloader. No document body text was available for analysis, but the presence of hidden sheets and the macro execution primitives strongly suggest a downloader role.

Heuristics (6)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (10 sheet(s))
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME: Excel 4.0 Auto_Open defined name
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • [critical] OOXML_XLM_DANGEROUS_FN: Dangerous XLM formula APIs: FORMULA, GOTO, REGISTER, HALT
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • [critical] CLAMAV_DETECTION: ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • [low] OOXML_HIDDEN_SHEET: Hidden worksheet (hidden)
    Excel workbook contains 10 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; context-specific rules above attribute the URLs they actually evaluated, while this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists: Filename, SHA-256, Kind, Source, Size.

xlm_sheet_00.xml
  SHA-256: 080bf0d1913eabdbe68c9f55d92e797adb72f1bc1d886b19764eaaf321e40bcc
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml
  Size: 3139 bytes
xlm_sheet_01.xml
  SHA-256: 05164b9cb70e0037b39b203885ebd44decd4d50bf6d78fd17a97030d1a30d169
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml
  Size: 1775 bytes
xlm_sheet_02.xml
  SHA-256: 57964786069256c3cde5b674c74c83e32c7950a5a81fb86406607b9295962e79
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml
  Size: 2200 bytes
xlm_sheet_03.xml
  SHA-256: 8e54ca9c8231ff6eeb2f34ba5a3783f05811c03293e81c3321c593743fc7d49b
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml
  Size: 1453 bytes
xlm_sheet_04.xml
  SHA-256: bc63d00a02951125a391dfed946345cbbd3e47d5e732e1f67ca4c1232e853427
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml
  Size: 1453 bytes
xlm_sheet_05.xml
  SHA-256: 1da17f060335fdb67c88a8c48e73de301d69d9af4b69c610a8ce665eeb86cad7
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml
  Size: 1452 bytes
xlm_sheet_06.xml
  SHA-256: f6b4423280cd454553d841491284df3eff350a07bc739b9add3542ffb6a9432a
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml
  Size: 1454 bytes
xlm_sheet_07.xml
  SHA-256: bdf4c4c111e091debcc20b38007edacf914de0a9b4c13576faa0148f2eae61a7
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml
  Size: 1455 bytes
xlm_sheet_08.xml
  SHA-256: a6ea880b09fb36b15b9b86dc98d863447933c1968cf6c7d3bec7927472189efa
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml
  Size: 1451 bytes
xlm_sheet_09.xml
  SHA-256: 6b415b149f32e6deb26c4b2856c7977501b27603cf485b4daf15fd4fee7940d5
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
  Size: 1496 bytes