IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 a3531db118df0cbc…

MALICIOUS

Office (OOXML) / .XLSM

Size: 338.6 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 8e00b19c5b385f5eca67899ea5a40147
SHA-1: 162dae69ed15d3e44fbaf4fe7f3dcab410cda413
SHA-256: a3531db118df0cbc5396d5cfb7ea56c07b2b5faebdb7d3cabc50efc6851b9e2c
Risk Score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK

  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is an XLSM file containing multiple Excel 4.0 macro sheets, including an Auto_Open macro. Critical heuristics indicate the use of dangerous XLM formula APIs like FORMULA, GOTO, and HALT, which are commonly used to download and execute payloads. ClamAV detection explicitly identifies the file as 'Xls.Downloader.IcedID', confirming its malicious nature and family. No document body text was available for analysis, but the script-based execution is clear.

Heuristics (6)

  • Excel 4.0 macro sheet (12 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 13 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: context-specific rules above report the URLs they actually evaluated, while this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding. All nine URLs below are standard OOXML/Excel XML namespace identifiers rather than network indicators.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                                 Size        SHA-256
xlm_sheet_00.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml   1530 bytes  fc193fe050abacb880485b5f38bdab4ecaff147a3f3c5d98d30819adf85ad6bc
xlm_sheet_01.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml   1749 bytes  87a6d8985da42cc676636380616a82a7140d5129d4edb0e256a775f3c0778fd8
xlm_sheet_02.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml   3667 bytes  91b559e9a886c1182f31f272cc9b84a2781f1c4f15eaf9d6b041ed99cc7fe5fe
xlm_sheet_03.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml   1467 bytes  e289be27df48583cb954f911940f6e3d7a5be456a4ad3df4bcb82338ae9ed155
xlm_sheet_04.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml   2410 bytes  201fbba0db9ac4962b4c0b4ea8c26f6be8771118f4dac58acb9638dd80f6f7a1
xlm_sheet_05.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml   1795 bytes  96da058d75ae1cc6552b0708de01a38668efc28f8a6460e2c68e340c09907487
xlm_sheet_06.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml   1864 bytes  917da5acb1bfc35854f30827ffa35a83b6c26c2227c0890b933169a86e93394b
xlm_sheet_07.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml   1853 bytes  a245b6e3786685cfced608c3e674730ff0d2cebee20970e6244967e1b369bc9d
xlm_sheet_08.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml   1801 bytes  642b7689928f041978c812f5bb3cc9224bf9f61c5f6030a314ece1f910c899f4
xlm_sheet_09.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet10.xml  1749 bytes  244e5408a6c1492e9555dedab50bed6666518db12352d3523be0e820e009390a
xlm_sheet_10.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet11.xml  1856 bytes  e3af7de1bd35fb0d348f26f5d3069265aaeb3371cb20cc5cc65adcea3f3da515
xlm_sheet_11.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.xml       1444 bytes  c864e46dd2993cb0c35598f439eafb273f10f51735f3c7b483f181003f59a4e7