IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 84b472c5efa5b991…

MALICIOUS

Office (OOXML) / .XLSM

Size: 333.6 KB
Created: 2015-06-05 18:19:34 UTC (document metadata written by the authoring application; attacker-controlled and not evidence of when the file was built)
Authoring application: Microsoft Excel 16.0300
MD5: 7d20f424769e0abaec95e1ad8deef0a7
SHA-1: 38380a378096b3bffb2837f942f920ee2a86f333
SHA-256: 84b472c5efa5b9916b5c207ca4260a79ea07169c15b9a0213b8a3dfc44162d98
Risk Score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1105 Ingress Tool Transfer

The sample is an XLSM file containing eleven Excel 4.0 (XLM) macro sheets, ten of them international macro sheets (intlsheetN.xml parts), together with an _xlnm.Auto_Open defined name that runs the macro as soon as the workbook is opened with macros enabled. The critical heuristics flag the XLM functions FORMULA, GOTO and HALT. FORMULA writes a formula into another cell at run time, which is how XLM droppers assemble their CALL/EXEC download-and-execute chain instead of storing it as a literal formula that a static scanner would see; GOTO and HALT provide the control flow around it. The only URLs recovered statically are OOXML schema namespaces, so no payload location is visible without emulating the macro. The ClamAV signature Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 classifies the file as an IcedID downloader. No document body text was available for analysis.

Heuristics (6)

  • Excel 4.0 macro sheet (11 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses the formula APIs that XLM droppers are built from: CALL and REGISTER invoke arbitrary DLL exports, EXEC starts a process, FORMULA writes a formula into a cell at run time so the dangerous calls can be assembled on the fly rather than stored as literals, and GOTO/HALT steer execution. These primitives download payloads, write files and start processes from an XLM macro without invoking VBA. In this sample the functions present as literal formulas are FORMULA, GOTO and HALT; the presence of FORMULA means the actual CALL/EXEC chain may only exist once the macro runs.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 11 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: context-specific rules above attribute the URLs they actually evaluated; this rule lists URLs present in the bytes that were not tied to a specific finding. Every URL below is an OOXML or Office XML namespace identifier declared in the package's XML parts and appears in ordinary workbooks too, so static extraction recovered no download or C2 URL from this sample.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6
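The following is an added example and not part of the report or of any vendor's tooling: a stand-alone Python triage script that reproduces the OOXML-side checks behind the critical heuristics above (macro-sheet parts, regular and international, from [Content_Types].xml; _xlnm.Auto_Open/_xlnm.Auto_Close defined names and hidden sheets from xl/workbook.xml; dangerous XLM functions in the macro-sheet formulas). It goes one step beyond the report by separating functions the formula calls directly from functions that only sit inside string literals, which is what a FORMULA-based dropper stages. The flagged-function set and the minimal workbook it builds in memory are the example's own assumptions, not the analysed file; the binary .xlsb container and VBA are out of scope.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_XM = "http://schemas.microsoft.com/office/excel/2006/main"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"

# Content types that mark a package part as an Excel 4.0 macro sheet: the regular
# macrosheet and the intlsheetN.xml "international" variant seen in this sample.
MACROSHEET_CTYPES = {"application/vnd.ms-excel.macrosheet+xml",
                     "application/vnd.ms-excel.intlmacrosheet+xml"}
AUTOEXEC_NAMES = {"_xlnm.Auto_Open", "_xlnm.Auto_Close"}
# XLM functions to flag: CALL/REGISTER reach arbitrary DLL exports, EXEC starts a process,
# FORMULA/FORMULA.FILL write formulas into cells at run time, GOTO/HALT/RUN steer control
# flow. This set is the example's own choice, not the report's rule list.
DANGEROUS_XLM = {"CALL", "EXEC", "REGISTER", "FORMULA", "FORMULA.FILL", "GOTO", "HALT", "RUN"}

STRING_LIT = re.compile(r'"(?:[^"]|"")*"')      # XLM string literal; "" escapes a quote
FUNC_CALL = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")  # NAME( opening a function call


def classify_formula(formula):
    """Split flagged names into those the formula calls directly and those that only
    occur inside string literals, i.e. code staged for FORMULA to write into a cell."""
    direct = set(FUNC_CALL.findall(STRING_LIT.sub('""', formula)))
    staged = set()
    for literal in STRING_LIT.findall(formula):
        staged.update(FUNC_CALL.findall(literal))
    return direct & DANGEROUS_XLM, staged & DANGEROUS_XLM


def triage(workbook_bytes):
    """Run the macro-sheet, auto-exec, hidden-sheet and dangerous-function checks on an
    in-memory OOXML workbook and return the findings as a dict."""
    with zipfile.ZipFile(io.BytesIO(workbook_bytes)) as z:
        ctypes = ET.fromstring(z.read("[Content_Types].xml"))
        macro_parts = sorted(o.get("PartName").lstrip("/") for o in ctypes.iter(f"{{{NS_CT}}}Override")
                             if o.get("ContentType") in MACROSHEET_CTYPES)
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        autoexec = sorted(d.text.strip() for d in wb.iter(f"{{{NS_MAIN}}}definedName")
                          if d.get("name") in AUTOEXEC_NAMES and d.text)
        hidden = sorted(s.get("name") for s in wb.iter(f"{{{NS_MAIN}}}sheet")
                        if s.get("state") in ("hidden", "veryHidden"))
        direct, staged = set(), set()
        for part in macro_parts:          # every <f> element of every macro sheet
            for cell_formula in ET.fromstring(z.read(part)).iter(f"{{{NS_MAIN}}}f"):
                d, s = classify_formula(cell_formula.text or "")
                direct |= d
                staged |= s
    # Macro sheet + auto-exec name + dangerous call is the shape the report scores critical.
    verdict = ("critical" if macro_parts and autoexec and direct
               else "suspicious" if macro_parts else "clean")
    return {"macrosheets": macro_parts, "autoexec": autoexec, "hidden_sheets": hidden,
            "direct_calls": sorted(direct), "string_staged_calls": sorted(staged),
            "verdict": verdict}


def build_sample():
    """Constructed minimal .xlsm (not the analysed file; it omits the rels parts Excel
    needs): a veryHidden international macro sheet, an Auto_Open name pointing at it,
    and EXEC hidden inside a FORMULA string so it is staged rather than called."""
    content_types = (
        f'<Types xmlns="{NS_CT}"><Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
        '<Override PartName="/xl/macrosheets/intlsheet1.xml" '
        'ContentType="application/vnd.ms-excel.intlmacrosheet+xml"/></Types>')
    workbook = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets>'
        '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
        '</definedNames></workbook>')
    macrosheet = (
        f'<xm:macrosheet xmlns="{NS_MAIN}" xmlns:xm="{NS_XM}"><sheetData>'
        '<row r="1"><c r="A1"><f>FORMULA("=EXEC(""cmd /c calc"")",B1)</f></c></row>'
        '<row r="2"><c r="A2"><f>GOTO(B1)</f></c></row>'
        '<row r="3"><c r="A3"><f>HALT()</f></c></row></sheetData></xm:macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/macrosheets/intlsheet1.xml", macrosheet)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Pointing triage() at the bytes of a real .xlsm gives the same dictionary; on the constructed sample the direct calls are FORMULA, GOTO and HALT and EXEC shows up only as string-staged, which is exactly why a literal-only scan of this family underreports what the macro will do.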

Extracted artifacts (11)

Files carved from inside the sample during analysis. All eleven are Excel 4.0 macro sheets; the ten intlsheetN.xml parts are the OOXML form of international macro sheets (intlmacrosheet content type), which older XLM extractors that only looked for sheetN.xml macrosheets could miss, and sheet1.xml is a regular macro sheet.

Filename | Kind | Source | Size | SHA-256
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml | 1544 bytes | f50d0e58ff4b3bbf8f66fb8c7392258f65ea4187c2a029c0b32b4b4e8af9d5a7
xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml | 3610 bytes | 69bb1586fe51ef1446986f717fd1404e6248a5409450ce12060ebf3e6cf4bfed
xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml | 1813 bytes | edd56ce6c1aaebd6a961f4f3e21381f159f4e4a5cb9588dee71059686a23fd36
xlm_sheet_03.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml | 2282 bytes | 0bdab39d1e6e240b262fdb455004f95b6e641cefcb55184597b0791e3477830d
xlm_sheet_04.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml | 1457 bytes | 1689f80fcd8d29bbe3f6826c85a4540f840aaca57f1dab7118361be453f9c62f
xlm_sheet_05.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml | 1523 bytes | 592faf795ef32e9abd34df5439e415f27d5e1c3900f372036296e9849f1da2dc
xlm_sheet_06.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml | 1461 bytes | 21036e671bd96742131b768b836f683650b1b62627606efe875f8c786e301918
xlm_sheet_07.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml | 1457 bytes | 8d2ada19e3ea28284efe269aede03d58a72dd70f04cc971c83273e788cc6af87
xlm_sheet_08.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml | 1458 bytes | 938cc835b7ab4aa3dea37f0e63091f7a34f0b4608d7bd063ec89076fac32ce5c
xlm_sheet_09.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet10.xml | 1448 bytes | 3394a1195cc4e485811eb02b87115bd3b5f3f1bfb26f05d95729273c23b5e0a9
xlm_sheet_10.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 1370 bytes | 769a8916d3134cc00e18e05c8b172dd3ba49607c493e21d1ff7faf8cc2427d28