Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 5655a3980b2a78f8…

MALICIOUS

Office (OOXML) / .XLSM

347.7 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: 50fe611568c162c22b9f090ce7ca57f7 SHA-1: edd55574e8e5262f91104f59c21cdcde7e410a81 SHA-256: 5655a3980b2a78f802e41cfbcd41d0b608b51c4ac165c590911bd835d6469159
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File

The sample is an XLSM file containing multiple Excel 4.0 macro sheets. Critical heuristics indicate the use of dangerous XLM formula APIs like FORMULA, RUN, and GOTO, which are commonly used to download and execute payloads. The ClamAV detection as 'Xls.Downloader.IcedID' further supports this. No document body text was available for analysis, and no scripts were extracted.

Heuristics 6

  • Excel 4.0 macro sheet (10 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, RUN, HALT, GOTO critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 16 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
573abe2fe35b83cc816d5d113e03910c2cf04454401aa87f11b633f232a192e4		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml 3130 bytes
xlm_sheet_01.xml
7c07ec4feb00a9caf0753d573dcca60ccdbca0e0508331bc6d2646dad1bb2e33		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml 1773 bytes
xlm_sheet_02.xml
a065e3b7d289f8c3d55db4c228b49b4806c3a43892aa49fc336d401d0c66228a		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml 2309 bytes
xlm_sheet_03.xml
e5386217441be9318be875b68c4d2a3c61931493a08b253b17886aa7524008c2		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml 1420 bytes
xlm_sheet_04.xml
8f5efe33bb7fbe9e6a0021b9fd00a9f20c83cca799d0a6556ab9e3c793858141		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml 1485 bytes
xlm_sheet_05.xml
12ccf75d221540d08c66df9c30690d6e80c0a29001dca548947cebda1e4b698f		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml 1423 bytes
xlm_sheet_06.xml
c679579238a1c7233936755b04ff18098c930f046a14ab1fff60b09748317fb8		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml 1422 bytes
xlm_sheet_07.xml
5b459e14f7d6aa8922cba85b05056a0ff5a98a366bcd460248941cdf5c28fb65		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml 1424 bytes
xlm_sheet_08.xml
b26c49c44be09583f4fa8e8590fedb6c70209dbc98dc541fb4c3cba0a675ae91		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml 1421 bytes
xlm_sheet_09.xml
5325d69ce57334b77e265dd8e650f68c32cee06fb4562c075fa04f98d44e138d		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 1350 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.