IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 864b48a23e51ac34…

MALICIOUS

Office (OOXML) / .XLSM

329.5 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: 17a1b74a1328044d89841137c01ee77d SHA-1: 8f9288f74fca36b32b07c06f5888d1df4f55d943 SHA-256: 864b48a23e51ac3463cb6944495e70298d4505e21ae718e113c0de3b4e362e13
270 Risk Score

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

This XLSM file contains critical Excel 4.0 macros that utilize dangerous APIs like FORMULA and EXEC to download and execute a second-stage payload. The Auto_Open VBA macro also calls a function within a hidden sheet, likely to initiate the malicious execution chain. The ClamAV detection and the presence of multiple suspicious URLs further support the malicious nature of this file, pointing towards the IcedID family.

Heuristics 8

  • Excel 4.0 macro sheet (5 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: FORMULA, GOTO, REGISTER, EXEC, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 5 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://190.14.37.242/
    • http://185.212.129.89/
    • http://188.127.251.176/44300,5396033565.dat
    • http://190.14.37.242/44300,5396033565.dat
    • http://185.212.129.89/44300,5396033565.dat
    • http://188.127.251.176/
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
ed3d173956b71a4a513690e5252554cbf023dc6b4efc261a2bfd9eddfcacdc81		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 768 bytes
vbaProject_00.bin
2c32c0d27fbe2d4cab85896cb6712e972cb3b65485502b654b1ad7fbdaaa04e9		 vba-project OOXML VBA project: xl/vbaProject.bin 10240 bytes
xlm_sheet_00.xml
a0a4750cfa2824c5f435bc5f51cb705b119314c122a77aa94985e2b6b0dc0a32		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 3884 bytes
xlm_sheet_01.xml
7df27b4b2efc95bcdf8c14aed2fa1baef3393698b82a16b50c3bb8a176a7ee94		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet2.xml 2171 bytes
xlm_sheet_02.xml
f888465e986f98cf214462d1f1bf45299ac36ed943621ffc392ddacaebecd5d3		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet3.xml 1958 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
xlm_sheet_03.xml
6706f2199b65c1106020a36e537509f1794e3482058d92a7d5e3b5d1a74b6520		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet4.xml 1931 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
xlm_sheet_04.xml
d4a2ed42d840d46ddfe9caec4600f3c34aee0de8825704d7597ef6335900ee20		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet5.xml 2000 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.