IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 77996e15c4943bb2…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSM
Size: 329.9 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 914cd41e0828cb1fd618063110524af5
SHA-1: da7eec4cb7821386594aee09ea16a3da891028e6
SHA-256: 77996e15c4943bb27dce0c859f911546d1649602a83d565f6b310fd99575563e
Risk score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution
  • T1105 Ingress Tool Transfer

The file is an XLSM document containing multiple Excel 4.0 macro sheets. Critical heuristics indicate the use of dangerous XLM functions like FORMULA, GOTO, REGISTER, and HALT, which are used to download and execute payloads. The macros appear to construct a command to download a file from a list of IP addresses and execute it using 'rundll32'. The ClamAV detection explicitly names 'Xls.Downloader.IcedID'.

Heuristics (6)

  • Excel 4.0 macro sheet (10 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, REGISTER, HALT [critical] OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 10 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All nine URLs listed below are standard OOXML and Microsoft Office XML namespace identifiers that appear in the markup of ordinary workbooks; they are not network indicators and should not be treated as download or C2 addresses.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
xlm_sheet_00.xml | 080bf0d1913eabdbe68c9f55d92e797adb72f1bc1d886b19764eaaf321e40bcc | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml | 3139 bytes
xlm_sheet_01.xml | 05164b9cb70e0037b39b203885ebd44decd4d50bf6d78fd17a97030d1a30d169 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml | 1775 bytes
xlm_sheet_02.xml | 57964786069256c3cde5b674c74c83e32c7950a5a81fb86406607b9295962e79 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml | 2200 bytes
xlm_sheet_03.xml | 8e54ca9c8231ff6eeb2f34ba5a3783f05811c03293e81c3321c593743fc7d49b | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml | 1453 bytes
xlm_sheet_04.xml | bc63d00a02951125a391dfed946345cbbd3e47d5e732e1f67ca4c1232e853427 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml | 1453 bytes
xlm_sheet_05.xml | 1da17f060335fdb67c88a8c48e73de301d69d9af4b69c610a8ce665eeb86cad7 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml | 1452 bytes
xlm_sheet_06.xml | f6b4423280cd454553d841491284df3eff350a07bc739b9add3542ffb6a9432a | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml | 1454 bytes
xlm_sheet_07.xml | bdf4c4c111e091debcc20b38007edacf914de0a9b4c13576faa0148f2eae61a7 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml | 1455 bytes
xlm_sheet_08.xml | a6ea880b09fb36b15b9b86dc98d863447933c1968cf6c7d3bec7927472189efa | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml | 1451 bytes
xlm_sheet_09.xml | 6b415b149f32e6deb26c4b2856c7977501b27603cf485b4daf15fd4fee7940d5 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 1496 bytes