IcedID — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 f088c15fc1489c47…

MALICIOUS

Office (OOXML) / .XLSM

Size: 342.5 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 0bc65953a1eda8d0db5e336b239e75e5
SHA-1: fca7dd15d7efe011705307318b8c63ac43237542
SHA-256: f088c15fc1489c47aab9441c2967de9d13fc0496e7660a9cfd270260b7da35c7
Risk score: 250

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

ATT&CK has no sub-technique specific to Excel 4.0 (XLM) macros; T1059.005 is the closest mapping for the macro sheets found here. No extracted string or command line on this page evidences PowerShell, so T1059.001 should be read as a family-level mapping rather than a finding from this sample.

The sample is an XLSM file containing ten Excel 4.0 (XLM) macro sheets, nine of them stored as international macro sheets (xl/macrosheets/intlsheetN.xml). The workbook defines an Auto_Open name, so the macro runs as soon as macros are enabled, and 14 sheets are hidden. The macro sheets use FORMULA, RUN, HALT and GOTO: FORMULA writes a formula string into a target cell at run time, RUN and GOTO transfer control to it, and HALT ends the macro. None of these functions reaches Win32 on its own; the combination of cell-writing and flow-control primitives with hidden sheets, and with no CALL or EXEC flagged statically, is consistent with an XLM downloader that assembles its download-and-execute formula at run time. ClamAV names the family as IcedID, a known downloader. No document body text was available for analysis, so the verdict rests on the macro structure and the signature match.

Heuristics (6)

  • Excel 4.0 macro sheet (10 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, RUN, HALT, GOTO critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses functions from a watch list that covers both the primitives that build and redirect macro code (FORMULA, RUN, GOTO, HALT) and the ones that call directly into Win32 (CALL, EXEC, REGISTER). Only the first group was observed statically in this sample. FORMULA writes a formula into a target cell and RUN or GOTO then executes that cell, which is how XLM droppers assemble a CALL or EXEC at run time without the string appearing in the file; HALT ends the macro cleanly so the user sees nothing. The absence of a static CALL/EXEC hit therefore does not lower the severity.
  • ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION
    ClamAV signature match. The signature name itself carries the platform (Xls), the behaviour class (Downloader) and the family (IcedID), which is the basis for the family attribution above.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 14 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction. The hidden sheets outnumber the ten macro sheets, so the workbook also hides non-macro sheets, the usual place for strings or cell tables that the macro reads at run time.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding. Every URL below is an XML namespace URI that Excel writes into any OOXML workbook, so none of them is a network indicator, and no download URL was recovered statically, which is consistent with the formula being assembled at run time.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6
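The four structural checks the heuristics above describe (macro sheet parts, an auto-execute defined name, hidden sheets, and a formula function watch list) can be reproduced with the standard library alone. The script below is an added example written for this page, not the analysis platform's own code. It works on the zip container and XML parts directly, and it recognises both macro sheet content types, including the intlmacrosheet variant used by nine of the ten sheets in this sample. The workbook it triages is constructed in memory: it is deliberately minimal (no _rels parts, so Excel would not open it), its only macro writes a harmless ALERT formula, and the rule names are borrowed from this report.

```python
"""Static XLM triage of an OOXML workbook (added example; sample input is constructed)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_CT = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MACROSHEET_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml",
    "application/vnd.ms-excel.intlmacrosheet+xml",  # international macro sheet variant
}
# Watch list: code-building / flow primitives plus direct Win32 entry points.
WATCH_LIST = {"FORMULA", "RUN", "GOTO", "HALT", "CALL", "EXEC", "REGISTER"}
FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")


def triage_xlsm(data: bytes) -> dict:
    """Return the structural XLM findings for an OOXML workbook given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())

        # 1. Macro sheet parts: typed in [Content_Types].xml, plus anything stored
        #    under xl/macrosheets/ in case the content type was tampered with.
        parts = set()
        if "[Content_Types].xml" in names:
            for ov in ET.fromstring(z.read("[Content_Types].xml")).iter(NS_CT + "Override"):
                if ov.get("ContentType") in MACROSHEET_TYPES:
                    parts.add(ov.get("PartName").lstrip("/"))
        parts.update(n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml"))

        # 2. Workbook-level signals: auto-exec defined names and sheet visibility.
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        auto_names = [(d.get("name"), (d.text or "").strip())
                      for d in wb.iter(NS_MAIN + "definedName")
                      if d.get("name") in ("_xlnm.Auto_Open", "_xlnm.Auto_Close")]
        hidden = [(s.get("name"), s.get("state"))
                  for s in wb.iter(NS_MAIN + "sheet")
                  if s.get("state") in ("hidden", "veryHidden")]

        # 3. Formula scan: function names from every <f> element in each macro sheet.
        fns = set()
        for part in sorted(parts):
            for f in ET.fromstring(z.read(part)).iter(NS_MAIN + "f"):
                fns.update(FUNC_RE.findall(f.text or ""))
    watched = sorted(fns & WATCH_LIST)

    rules = []  # rule identifiers as used in this report
    if parts:
        rules.append("OOXML_XLM_MACROSHEET")
    if parts and auto_names:
        rules.append("OOXML_XLM_AUTOOPEN_DEFINEDNAME")
    if watched:
        rules.append("OOXML_XLM_DANGEROUS_FN")
    if hidden:
        rules.append("OOXML_HIDDEN_SHEET")
    return {"macrosheet_parts": sorted(parts), "auto_open": auto_names,
            "hidden_sheets": hidden, "watched_functions": watched, "rules": rules}


def build_sample() -> bytes:
    """Constructed input: one veryHidden international macro sheet with Auto_Open."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
        '<Override PartName="/xl/macrosheets/intlsheet1.xml" '
        'ContentType="application/vnd.ms-excel.intlmacrosheet+xml"/></Types>')
    workbook = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets>'
        '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
        '</definedNames></workbook>')
    # FORMULA builds a formula in B1 at run time, RUN executes it, HALT ends quietly.
    macrosheet = (
        '<xm:macrosheet xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" '
        'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData>'
        '<row r="1"><c r="A1"><f>FORMULA("=ALERT(""demo"")",B1)</f></c></row>'
        '<row r="2"><c r="A2"><f>RUN(B1)</f></c></row>'
        '<row r="3"><c r="A3"><f>HALT()</f></c></row></sheetData></xm:macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/macrosheets/intlsheet1.xml", macrosheet)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_xlsm(build_sample()).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage_xlsm(open("sample.xlsm", "rb").read())`. Note what the scan does and does not see: the constructed macro's ALERT is only visible because it was written as a literal; a dropper that builds its formula from CHAR() or cell concatenation shows nothing but FORMULA/RUN/HALT in the static scan, which is exactly the pattern reported for this sample, so the watch-list hit on those functions should be weighted as heavily as a literal CALL or EXEC.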

Extracted artifacts (10)

Files carved from inside the sample during analysis.

All ten carved parts are of kind xlm-macrosheet (OOXML XLM macro sheet). Nine are stored as international macro sheets (xl/macrosheets/intlsheetN.xml), whose content type is application/vnd.ms-excel.intlmacrosheet+xml rather than the more common application/vnd.ms-excel.macrosheet+xml; tooling that only matches the latter misses them.

Filename          Source part                     Size        SHA-256
xlm_sheet_00.xml  xl/macrosheets/intlsheet1.xml   3661 bytes  77a2552a35104367f799f4096b3ae4c8171ee2e5ee3a4b5270fe06a86f7bc3fd
xlm_sheet_01.xml  xl/macrosheets/intlsheet2.xml   1791 bytes  ef4beac33700e9f3fc349170f198acb43da249b168ba90039feac302d6144012
xlm_sheet_02.xml  xl/macrosheets/intlsheet3.xml   2323 bytes  28f37cd7b934a54360fd11ea13360f01a00631f48eb50671062ca2150546ffe1
xlm_sheet_03.xml  xl/macrosheets/intlsheet4.xml   1438 bytes  f52a1fe96d1e917dc5a90da756eacb9f414bac9843fbf067523f895adb4624ef
xlm_sheet_04.xml  xl/macrosheets/intlsheet5.xml   1503 bytes  f4f64564e97e71d44e1503c633738ac0b750b2ac1025ed07c37397cf3fb87238
xlm_sheet_05.xml  xl/macrosheets/intlsheet6.xml   1441 bytes  6dd2f8642c594514fca348a16d2e9641b3492a2cd0476b30212f180cdabb1f1f
xlm_sheet_06.xml  xl/macrosheets/intlsheet7.xml   1440 bytes  507d7abac4580456d533403d676f5f72786f3c74d36e6ad1bbb4f9f627dea886
xlm_sheet_07.xml  xl/macrosheets/intlsheet8.xml   1442 bytes  e92dea39619a5dcfdc889538b2980bccadbad3dc9a8c34752db39769a0e204b9
xlm_sheet_08.xml  xl/macrosheets/intlsheet9.xml   1485 bytes  62fd2f53a7df5bfcdb8649d1defc1852b3e408758e6bca949c6ddee9cc672834
xlm_sheet_09.xml  xl/macrosheets/sheet1.xml       1428 bytes  9f2c348b6277949a52e634dd134eba0fdcf672840d76d752a3cea0b5f52fb2aa