{
	"id": "f16ca242-9da1-45b7-ab2a-f699c75d7738",
	"created_at": "2026-04-06T02:12:00.530247Z",
	"updated_at": "2026-04-10T03:37:37.053339Z",
	"deleted_at": null,
	"sha1_hash": "132a9b76419ad38d83957f11e24b3f31115852e9",
	"title": "More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 222549,
	"plain_text": "More Than Meets the Eye: Exposing a Polyglot File That Delivers\r\nIcedID\r\nBy Mark Lim\r\nPublished: 2022-09-27 · Archived: 2026-04-06 01:51:15 UTC\r\nExecutive Summary\r\nUnit 42 recently observed a polyglot Microsoft Compiled HTML Help (CHM) file being employed in the\r\ninfection process used by the information stealer IcedID. We will show how to analyze the polyglot CHM file and\r\nthe final payload so you can understand how the sample evades detection.\r\nMultiple attack groups such as Starchy Taurus (aka APT41) and Evasive Serpens (formerly tracked as OilRig, also\r\nknown as Europium) have abused CHM files to conceal payloads written using PowerShell or JavaScript. Here,\r\nwe describe an interesting attack that allows attackers to avoid the need for long lines of code, which can make it\r\neasier for malicious files to evade detection by security products. Polyglot files can be abused by attackers to hide\r\nfrom anti-malware systems that rely on file format identification. The technique involves executing the same\r\nCHM file twice in the infection process. The first execution exhibits benign activities, while the second execution\r\nstealthily carries out malicious behaviors.\r\nThis particular attack chain was discovered in early August 2022 and delivered IcedID, also known as Bokbot, as\r\nthe final payload. This information stealer, IcedID, is well-known malware that has been attacking users since\r\n2019.\r\nPalo Alto Networks customers receive protections from malware families using similar anti-analysis techniques\r\nwith Cortex XDR or the Next-Generation Firewall with cloud-delivered security services including WildFire,\r\nAdvanced Threat Prevention, Advanced URL Filtering and DNS Security.\r\nMalicious Polyglot CHM File\r\nPolyglot files are binaries that have multiple different file format types. The file would have a different behavior\r\ndepending on the application that was used to execute it.\r\nThe attack that was discovered in early August 2022 starts with a phishing email that includes an attached zip file\r\nnamed erosstrucking-file-08.08.2022.zip. The zip file decompresses into an ISO image file named order-130722.28554.iso. Inside the ISO file is a CHM file called pss10r.chm (SHA256:\r\n3d279aa8f56e468a014a916362540975958b9e9172d658eb57065a8a230632fa). The polyglot CHM file is used to\r\ndisplay help documentation. When the user launches the CHM file (pss10r.chm), a harmless help window is\r\ndisplayed.\r\nhttps://unit42.paloaltonetworks.com/polyglot-file-icedid-payload\r\nPage 1 of 6\n\nFigure 1. Decoy HTML help window.\r\nTo dump the contents of the CHM file, we used 7zip. The file of interest is\r\nPSSXMicrosoftSupportServices_HP05221271.htm.\r\nFigure 2. Contents of the decoy HTML help window.\r\nMost of the code in the HTML file is used for generating the decoy window. However, concealed within the\r\nHTML code is a single-line command to execute the same CHM file again. The command calls Mshta.exe to\r\nexecute itself (pss10r.chm) a second time. Mshta.exe is a utility that executes Microsoft HTML Application (HTA)\r\nfiles. HTAs are full-fledged applications created using HTML.\r\nFigure 3. A line of HTML code in PSSXMicrosoftSupportServices_HP05221271.htm that calls\r\nMshta.exe to execute the CHM file a second time.\r\nThe code of the HTA is buried within the binary of the CHM file and configured to be invisible to the victim\r\nduring execution. The HTA is used to execute the binary app.dll.\r\nFigure 4. HTA code buried in pss10r.chm.\r\nThe binary app.dll is actually hidden within the ISO image. The hidden binary can be revealed using the attrib\r\ncommand.\r\nFigure 5. Revealing the hidden binary.\r\nThe app.dll binary is a 64-bit IcedID DLL. (SHA256:\r\nd240bd25a0516bf1a6f6b3f080b8d649ed2b116c145dd919f65c05d20fc73131)\r\nIcedID DLL’s Configuration Extraction\r\nTo retrieve the indicators of compromise (IoCs) from the IcedID DLL, we looked at its configuration. The IcedID\r\nDLL’s configuration is encoded and stored in the data section of the binary. The encoded configuration has the\r\nformat shown in Figure 6.\r\nFigure 6. Structure of encoded configuration blob.\r\nThe following function would decode the IcedID DLL’s configuration at runtime. The address of the encoded\r\nconfiguration (enc_config) is in the function.\r\nFigure 7. IcedID DLL’s configuration decoder function.\r\nThe decoded IcedID DLL’s configuration has the following format.\r\nFigure 8. Structure of decoded IcedID configuration.\r\nFrom the decoded configuration, we can extract the following IoCs:\r\nCommand and Control URL: abegelkunic[.]com\r\nCampaign ID: 4157420015\r\nIndicators of Compromise\r\nFile name: erosstrucking-file-08.08.2022.zip\r\nSHA256: fb6d23f69d14d474ce096da4dcfea27a84c93f42c96f6dd8295d33ef2845b6c7\r\nFile name: order-130722.28554.iso\r\nSHA256: d403df3fb181560d6ebf4885b538c5af86e718fecfabc73219b64924d74dd0eb\r\nFile name: pss10r.chm\r\nSHA256: 3d279aa8f56e468a014a916362540975958b9e9172d658eb57065a8a230632fa\r\nFile name: app.dll\r\nSHA256: d240bd25a0516bf1a6f6b3f080b8d649ed2b116c145dd919f65c05d20fc73131\r\nCommand and Control URL: abegelkunic[.]com\r\nSource: https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload"
	],
	"report_names": [
		"polyglot-file-icedid-payload"
	],
	"threat_actors": [
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441520,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/132a9b76419ad38d83957f11e24b3f31115852e9.pdf",
		"text": "https://archive.orkl.eu/132a9b76419ad38d83957f11e24b3f31115852e9.txt",
		"img": "https://archive.orkl.eu/132a9b76419ad38d83957f11e24b3f31115852e9.jpg"
	}
}