IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 e3bfd9c976e5c082…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSM

Size: 338.7 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 7f6b83f2777b6d1446cb94b7302e4a42
SHA-1: 7354dd4710a35a18bd928f225c260da2b9656c34
SHA-256: e3bfd9c976e5c082bed028397be1cea892e33fcd5cad1fbdea82305f6fce788a
Risk Score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File
  • T1059.001 PowerShell

This XLSM file contains Excel 4.0 macros, including the use of dangerous functions like FORMULA, GOTO, and HALT, which are often used to download and execute malicious payloads. The ClamAV detection explicitly identifies it as an IcedID downloader. No document body text was available for analysis, but the presence of hidden sheets and the macro structure strongly indicate a downloader's functionality.

Heuristics (6)

  • Excel 4.0 macro sheet (12 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT [critical] OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA. Of the functions matched in this sample, FORMULA writes new formulas into cells at run time (the usual way an XLM downloader assembles its next stage), while GOTO and HALT provide the control flow around it.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 12 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: context-specific rules above attribute the URLs they actually evaluated, and this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding. All of the URLs below are standard OOXML and Excel XML namespace identifiers that appear in any .xlsx/.xlsm package; they are not network indicators and should not be treated as C2 addresses.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its kind and size, the source part inside the OOXML package, and the artifact's SHA-256.

  • xlm_sheet_00.xml (xlm-macrosheet, 1681 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml
    SHA-256: 86c0f2552a624745457bb637a97127676f1e054c3bb2502498ac232ff269004d
  • xlm_sheet_01.xml (xlm-macrosheet, 1792 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml
    SHA-256: 561f95d832a1683473e51e0aa00fbed56e304e487c689ed25427d788cac3f41b
  • xlm_sheet_02.xml (xlm-macrosheet, 3351 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml
    SHA-256: 9d7145fc17238193b2b24d4b34eba56af8d578acf660d7f6fbc9884716a1fddb
  • xlm_sheet_03.xml (xlm-macrosheet, 1453 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml
    SHA-256: 26de9143f6cf5fe0f788d73021ad73f1b27c24005dbc236118e777f8b0506730
  • xlm_sheet_04.xml (xlm-macrosheet, 2316 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml
    SHA-256: 642478462247db462458c25a649e2ef4d4af939fde7671ef0314eb05631b656e
  • xlm_sheet_05.xml (xlm-macrosheet, 1701 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml
    SHA-256: 834cc4ef6a3c6af06615c8aa6d949afa517651ede1eeec21b53e4f5de11176b2
  • xlm_sheet_06.xml (xlm-macrosheet, 1769 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml
    SHA-256: e2e22adbcd323409c23460c8491ea932ccfc479e66a0fd43b3cbf016637deee2
  • xlm_sheet_07.xml (xlm-macrosheet, 1615 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml
    SHA-256: 9507c9bf64f0fa04c0d91326c17f3b386e15711c5312be27a337514cf0b6963d
  • xlm_sheet_08.xml (xlm-macrosheet, 1707 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml
    SHA-256: a16b352f19b762bc089f321940370e5aa88de10cc425f46c48ac731ed7304e51
  • xlm_sheet_09.xml (xlm-macrosheet, 1655 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet10.xml
    SHA-256: 3410dc6b12447c4830c016503e43b45ab5cff38e0d670614371cb8b322ad335a
  • xlm_sheet_10.xml (xlm-macrosheet, 1760 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet11.xml
    SHA-256: 680c8c40818c9c3a7607267f1be6ac99c5cb1a8387571cb89d7009df7fb84386
  • xlm_sheet_11.xml (xlm-macrosheet, 1402 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
    SHA-256: e1262acede2d280bc5b759e7ce68181c1f89ca447048e2f784ee5363df57d312