IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 d388c07603f9aa16…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSM
Size: 331.7 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 4d19f2ab6e249d235d70b3db5b16f99e
SHA-1: a098da26ddcbf04c3445704a8070d9cc92bc3591
SHA-256: d388c07603f9aa168c301b7471df1e30f6d5f59e28f4fbcff8b5b3338c17c9cc
Risk score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an XLSM file containing multiple Excel 4.0 macro sheets. Critical heuristics indicate the use of dangerous XLM formula APIs like FORMULA, GOTO, and HALT, which are commonly used to download and execute payloads. ClamAV detection explicitly identifies it as 'Xls.Downloader.IcedID', confirming the family and its downloader functionality.

Heuristics (6)

  • Excel 4.0 macro sheet (10 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT [critical] OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 10 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding. All nine URLs below are standard OOXML/SpreadsheetML XML namespace URIs declared in the workbook parts, not network indicators.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename         | SHA-256                                                          | Kind           | Source                                                | Size
xlm_sheet_00.xml | 0fea66c14a758f69219c2a291a7867fd7bdf005a68b88ac63d9198f174ca9e25 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml | 3274 bytes
xlm_sheet_01.xml | edd56ce6c1aaebd6a961f4f3e21381f159f4e4a5cb9588dee71059686a23fd36 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml | 1813 bytes
xlm_sheet_02.xml | 0bf73014734044b1be473cf60f0bc0956400786157951f1eafa33463db204467 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml | 2221 bytes
xlm_sheet_03.xml | 1689f80fcd8d29bbe3f6826c85a4540f840aaca57f1dab7118361be453f9c62f | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml | 1457 bytes
xlm_sheet_04.xml | 592faf795ef32e9abd34df5439e415f27d5e1c3900f372036296e9849f1da2dc | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml | 1523 bytes
xlm_sheet_05.xml | 21036e671bd96742131b768b836f683650b1b62627606efe875f8c786e301918 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml | 1461 bytes
xlm_sheet_06.xml | 8d2ada19e3ea28284efe269aede03d58a72dd70f04cc971c83273e788cc6af87 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml | 1457 bytes
xlm_sheet_07.xml | 938cc835b7ab4aa3dea37f0e63091f7a34f0b4608d7bd063ec89076fac32ce5c | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml | 1458 bytes
xlm_sheet_08.xml | 3394a1195cc4e485811eb02b87115bd3b5f3f1bfb26f05d95729273c23b5e0a9 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml | 1448 bytes
xlm_sheet_09.xml | 3afe788cc0d6b7fdc8627509b129d19739d24c6d621de96f23bc3e25a44fa05e | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml     | 1374 bytes