Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 a00d1d5e58241874…

MALICIOUS

Office (OOXML) / .XLSM

347.7 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: b0f2dcd95efaaff4a848e5e22f9604f1 SHA-1: a586b13a51bc230365043b521c9a17074ad7832f SHA-256: a00d1d5e58241874d09ab383a957562d9f55038656feb477223b1ee08d79af01
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File

This XLSM file contains Excel 4.0 macros, indicated by multiple heuristic firings including the use of dangerous functions like FORMULA, RUN, and GOTO. These functions are commonly used to download and execute arbitrary code. The ClamAV detection as 'Xls.Downloader.IcedID' further supports its malicious nature as a downloader. No specific URLs were extracted, but the mechanism strongly suggests a payload delivery attempt.

Heuristics 6

  • Excel 4.0 macro sheet (10 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, RUN, HALT, GOTO critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 16 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
bfd73345784cbd4b12801aaf913d8b3fc6c2f1febe907c79661534aef36889f1		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml 3134 bytes
xlm_sheet_01.xml
7c07ec4feb00a9caf0753d573dcca60ccdbca0e0508331bc6d2646dad1bb2e33		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml 1773 bytes
xlm_sheet_02.xml
a065e3b7d289f8c3d55db4c228b49b4806c3a43892aa49fc336d401d0c66228a		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml 2309 bytes
xlm_sheet_03.xml
e5386217441be9318be875b68c4d2a3c61931493a08b253b17886aa7524008c2		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml 1420 bytes
xlm_sheet_04.xml
8f5efe33bb7fbe9e6a0021b9fd00a9f20c83cca799d0a6556ab9e3c793858141		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml 1485 bytes
xlm_sheet_05.xml
12ccf75d221540d08c66df9c30690d6e80c0a29001dca548947cebda1e4b698f		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml 1423 bytes
xlm_sheet_06.xml
c679579238a1c7233936755b04ff18098c930f046a14ab1fff60b09748317fb8		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml 1422 bytes
xlm_sheet_07.xml
5b459e14f7d6aa8922cba85b05056a0ff5a98a366bcd460248941cdf5c28fb65		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml 1424 bytes
xlm_sheet_08.xml
b26c49c44be09583f4fa8e8590fedb6c70209dbc98dc541fb4c3cba0a675ae91		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml 1421 bytes
xlm_sheet_09.xml
5325d69ce57334b77e265dd8e650f68c32cee06fb4562c075fa04f98d44e138d		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 1350 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.