IcedID — Office (OOXML) malware analysis

Static analysis result for SHA-256 635b2357e9416d96…

MALICIOUS

Office (OOXML)

Size: 147.2 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: f46b03e80c12300d904472947a8b631c
SHA-1: 3202e336b81128ee12c0ef5262e17b7f9dc8ed4a
SHA-256: 635b2357e9416d96eb320dcf65329c033a999b07184b978f2e659d039272add9
Risk Score: 68

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1105 Ingress Tool Transfer

ClamAV detects the file as IcedID, a known banking trojan and information stealer. Heuristics indicate the use of hidden worksheets, a common technique for concealing malicious content within Excel files. The document body contains commands that appear to construct a URLDownload call and execute rundll32, suggesting that the file's primary purpose is to download and run a second-stage payload from the provided IP addresses.

Heuristics (2)

  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 9 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction