IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 5f0f4944a1dd5297…

MALICIOUS

Office (OOXML) / .XLSM

Size: 335.6 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 614f38c13170932b0bad21025a8ebe93
SHA-1: 7a233fe4b10f7935696ad9da55c39aa768b6ee15
SHA-256: 5f0f4944a1dd52977b34863fcac57544a7059d12fb45c5659216717fd3248769
Risk Score: 310

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1204.002 User Execution: Malicious File · T1105 Ingress Tool Transfer

This macro-enabled workbook (XLSM) carries Excel 4.0 (XLM) macro sheets rather than VBA. The macros use FORMULA to assemble code in cells at run time and REGISTER to bind Win32 exports into callable names; in particular they rebuild the string 'URLDownloadToFileA' (the fragment 'DownloadToFileA' also appears) so that a second-stage payload can be fetched and written to disk, and they hand the downloaded file to 'regsvr32 -s ..\Post.storg', which loads it as a DLL silently. The ClamAV detection 'Xls.Downloader.IcedID' supports the family attribution.

Heuristics 7

  • Excel 4.0 macro sheet (10 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, RUN, REGISTER, HALT, GOTO critical OOXML_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet uses XLM functions that either reach into Win32 or build code at run time: REGISTER and CALL bind and invoke DLL exports, EXEC starts a process, FORMULA writes new formulas into cells, RUN and GOTO drive control flow, and HALT ends the macro. Together these are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 10 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed here is an OOXML/SpreadsheetML XML namespace URI that appears in any workbook saved by Excel, so none of them is a network indicator, and no payload download URL was recovered statically from this sample.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6
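The heuristics above map directly onto parts of the OOXML package: XLM macro sheets live under xl/macrosheets/, the Auto_Open trigger and sheet visibility live in xl/workbook.xml, and binary (BIFF12) macro sheets can only be string-scanned. The following Python triage script, added here as an example and not the scanner's own code, implements those checks with the standard library only. The workbook it inspects is constructed inline in build_sample_xlsm() for demonstration; the indicator names reuse the heuristic IDs from this report, while the dangerous-function set and the Win32 API string list are this example's own choices.

```python
"""Triage an OOXML workbook (.xlsm/.xlsx) for Excel 4.0 (XLM) macro indicators.

Added example for this report, not the scanner's own code. Standard library
only. The inspected workbook is constructed in build_sample_xlsm(); the
DANGEROUS_FN and WINAPI_STRINGS lists are this example's own choices.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"  # XML namespace, not a network IOC
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
DANGEROUS_FN = {"CALL", "EXEC", "REGISTER", "FORMULA", "RUN", "HALT", "GOTO"}
WINAPI_STRINGS = (b"URLDownloadToFileA", b"ShellExecuteA", b"CreateDirectoryA")


def find_xlm_indicators(data: bytes) -> dict:
    """Return {heuristic_id: evidence} for one workbook passed as raw bytes."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # XLM macro sheets are separate parts under xl/macrosheets/ (VBA would be xl/vbaProject.bin)
        macro_parts = [n for n in names if n.startswith("xl/macrosheets/")]
        if macro_parts:
            hits["OOXML_XLM_MACROSHEET"] = macro_parts
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            # Auto-execution shape: _xlnm.Auto_Open/_xlnm.Auto_Close defined name plus a macro sheet
            auto = [d.get("name") for d in wb.iter(f"{{{NS}}}definedName")
                    if d.get("name") in ("_xlnm.Auto_Open", "_xlnm.Auto_Close")]
            if auto and macro_parts:
                hits["OOXML_XLM_AUTOOPEN_DEFINEDNAME"] = auto
            # Sheet visibility is an attribute on <sheet>; veryHidden cannot be unhidden from the UI
            hidden = [s.get("name") for s in wb.iter(f"{{{NS}}}sheet")
                      if s.get("state") in ("hidden", "veryHidden")]
            if hidden:
                hits["OOXML_HIDDEN_SHEET"] = hidden
        fns = set()
        for part in macro_parts:
            blob = z.read(part)
            if part.endswith(".xml"):
                # XML macro sheets keep each formula as text inside <c><f>...</f></c>
                for f in ET.fromstring(blob).iter(f"{{{NS}}}f"):
                    fns.update(re.findall(r"\b([A-Z][A-Z.]+)\(", f.text or ""))
            else:
                # BIFF12 (.bin) parts are not XML; fall back to a raw Win32 API string scan
                found = [s.decode() for s in WINAPI_STRINGS if s in blob]
                if found:
                    hits.setdefault("OOXML_XLM_BINARY_WINAPI_STRINGS", []).extend(found)
        dangerous = sorted(fns & DANGEROUS_FN)
        if dangerous:
            hits["OOXML_XLM_DANGEROUS_FN"] = dangerous
    return hits


def build_sample_xlsm(with_xlm: bool = True) -> bytes:
    """Constructed minimal workbook; with_xlm=False yields a benign control workbook."""
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    defined = ""
    parts = {}
    if with_xlm:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        defined = '<definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
        parts["xl/macrosheets/sheet1.xml"] = (
            f'<macrosheet xmlns="{NS}"><sheetData>'
            '<row r="1"><c r="A1"><f>REGISTER("urlmon","URLDownloadToFileA","JJCCJJ","Dl",,1,9)</f></c></row>'
            '<row r="2"><c r="A2"><f>FORMULA(B1,C1)</f></c></row>'
            '<row r="3"><c r="A3"><f>HALT()</f></c></row>'
            "</sheetData></macrosheet>"
        )
        # Constructed stand-in for a BIFF12 part: only the embedded API string matters to the scan
        parts["xl/macrosheets/sheet2.bin"] = b"\x00\x01\x02URLDownloadToFileA\x00regsvr32 -s\x00"
    parts["xl/workbook.xml"] = (
        f'<workbook xmlns="{NS}" xmlns:r="{R_NS}">'
        f"<sheets>{sheets}</sheets><definedNames>{defined}</definedNames></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for key, evidence in find_xlm_indicators(build_sample_xlsm()).items():
        print(f"{key}: {evidence}")
    print("benign control:", find_xlm_indicators(build_sample_xlsm(with_xlm=False)))
```

Run against a real file with find_xlm_indicators(open(path, "rb").read()). The regex deliberately extracts only function names, so API names passed as string arguments (URLDownloadToFileA in the REGISTER call) do not pollute the function set; the binary-part scan is a plain substring match and will miss names that the macro assembles from fragments, which is exactly the evasion the analysis paragraph describes.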

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size · SHA-256

  • xlm_sheet_00.xml · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml · 3610 bytes
    SHA-256 4f1edd71b92214425488be0ab5609598e8b1470ca46787c53a8ccd9c656ce3cc
  • xlm_sheet_01.xml · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml · 2017 bytes
    SHA-256 5cf8edaadb02d80149cfaa37d2d47e8e8d2e017abafe206d2a60b0d66bf8618b
  • xlm_sheet_02.xml · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml · 2705 bytes
    SHA-256 7af916d3cd1c444b8c385b0d6b2752f132cf41445f6e98c2e7e5043d97fa2e76
  • xlm_sheet_03.xml · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml · 1523 bytes
    SHA-256 155f5ac46329f831e0bdd8c74d550d8a483e55e8697b6c1dc40c300350a39396
  • xlm_sheet_04.xml · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml · 1796 bytes
    SHA-256 9c0fa6a676553381a9c400e8fbd6d41aa5d57545dd1c4abfe88077673ac22466
  • xlm_sheet_05.xml · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml · 1672 bytes
    SHA-256 28e5eeaee4b4cd3daeca5d926f2670f953ca6120c7e677489ad69c214d0381ca
  • xlm_sheet_06.xml · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml · 1740 bytes
    SHA-256 fabdfcceeeae33f9398f720cb6160f93f2d9ae877765437d49414c7c62870108
  • xlm_sheet_07.xml · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml · 1684 bytes
    SHA-256 0765d26155c59c4df23ede3ff5621a26130db10c070b77ca40bf11501b9ab66c
  • xlm_sheet_08.xml · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml · 1617 bytes
    SHA-256 62a99322640a8d1b0f77799a63f2d9e3fa66f6fbced3622546d1c337da0e10bd
  • xlm_sheet_09.xml · xlm-macrosheet · OOXML XLM macro sheet: xl/macrosheets/sheet1.xml · 1667 bytes
    SHA-256 537288100e849aad4323c1395023b8c064ba448cd71161173beafea135e8c0a2