{
	"id": "b131f886-5ffa-423f-a28e-d3bc0b9c094a",
	"created_at": "2026-04-06T01:30:48.579366Z",
	"updated_at": "2026-04-10T13:11:39.738525Z",
	"deleted_at": null,
	"sha1_hash": "73ab6baccb068c5f43fc891f74b5727f79b274a7",
	"title": "IcedID Campaign Spotted Being Spiced With Excel 4 Macros",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 759139,
	"plain_text": "IcedID Campaign Spotted Being Spiced With Excel 4 Macros\r\nBy Uptycs Threat Research\r\nPublished: 2021-04-07 · Archived: 2026-04-06 00:56:42 UTC\r\nResearch by Ashwin Vamshi and Abhijit Mohanta\r\nQuick-Look Summary:\r\nIcedID appears to be taking the place of Emotet, based on a significant influx of samples in our threat\r\nintelligence systems\r\nA majority of these IcedID samples are distributed via xlsm files attached to emails\r\nWe’ve identified three ways these Excel 4 Macros are evading detection\r\nUptycs’ threat research team has observed an ongoing IcedID campaign heavily using Microsoft Excel xlsm\r\ndocuments with Excel 4 Macros and techniques to hinder analysis. Xlsm supports the embedding of Excel 4.0\r\nMacros formulas used in Excel spreadsheet cells. Attackers leverage this functionality to embed arbitrary\r\ncommands, which usually download a malicious payload from the URL using the formulas in the document.\r\nIn this piece, we’ll provide an analysis on our discovery of the ongoing campaign via Uptycs’ threat intelligence.\r\nIcedID, also known as BokBot, is a modular banking trojan that targets user financial information and is capable\r\nof acting as a dropper for other malware. In a three month span, we have observed over 15,000 HTTP requests\r\nfrom malicious documents, the majority of which were Microsoft Excel spreadsheets carrying an extension.\r\nBased on this increasing trend, we believe that IcedID will emerge as an incarnation of Emotet after its disruption.\r\nIcedID has also been recently reported to deploy ransomware operations, moving towards a malware-as-a-Service\r\n(MaaS) model to distribute malware.\r\nThreat Intelligence Analysis\r\nOur in-house threat intelligence systems provide us intelligence on the latest threats, threat actors and campaigns\r\nthrough an osquery-based sandbox. The threat research team regularly monitors these systems to ensure robust\r\ncoverage, also ingesting the latest intelligence and indicators into our integrated Threat Intelligence provided in\r\nthe Uptycs Security Analytics Platform.\r\nFrom January 1, 2021 through March 31, 2021, we identified over 15,000 HTTP requests from over 4,000 similar\r\nmalicious documents (see Figure 1).\r\nhttps://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros\r\nPage 1 of 8\n\nFigure 1: Threat Intelligence system HTTP requests cluster. (Click to see larger version.)\r\n93% of these malicious office documents belong to a Microsoft Excel spreadsheet file carrying extensions xls or\r\nxlsm (see Figure 2).\r\nFigure 2: Malicious document types. \r\nThe Microsoft Excel spreadsheet files (.xlsm, xls) were carrying the names:\r\n overdue\r\nclaim\r\ncalculation\r\ninform\r\nrefusal\r\nhttps://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros\r\nPage 2 of 8\n\ncomplaint and compensation claim\r\nThese files appeared with randomly appended names like Claim_331903057_03292021.xlsm.\r\nThe http request of the malicious documents consisted of a second stage executable file (PE - EXE/DLL) with a\r\nfake extension dat, jpg and gif (see Figure 3).\r\nFigure 3: Second stage PE file with fake extensions like dat,gif and jpg. \r\nThe fake extensions were the second stage payload of Qakbot and IcedID malware families. Qakbot and IcedID\r\nare generally distributed via email lures containing malicious office documents as an attachment. The next stage\r\nexecutables (PE - EXE/DLL) are downloaded via compromised websites with fake extensions. \r\nTechnical Analysis: XLSM Files Excel 4.0 Macros\r\nA majority of these Microsoft Excel spreadsheet documents were in xlsm format. One such xlsm document that\r\nrecently hit our in-house osquery-based sandbox was titled, “Claim_331903057_03292021.xlsm” (Hash -\r\n43226874cd34010fa7c8286974174b5e261677ed0b48ed0632903112f68720a8). \r\nUpon execution, the xlsm file presented a message to enable content to view the message. \r\nhttps://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros\r\nPage 3 of 8\n\nFigure 4: Message Upon Execution of Claim_331903057_03292021.xlsm. (Click to see larger version.)\r\nEnabling the content allows the embedded Excel 4 macro formulas to execute. Upon investigation we identified\r\nthree interesting techniques used to hinder analysis: \r\n1. Hiding macro formulas in three different sheets\r\n2. Masking the macro formula using a white font on white background \r\n3. Shrinking the cell contents and making the original content invisible \r\nFigure 5: Hidden macro found in Claim_331903057_03292021.xlsm. (Click to see larger version.) \r\nUpon unmasking the anti-analysis techniques, the Excel 4 macro formula used for downloading the IcedID loader\r\npayloads was revealed.\r\nhttps://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros\r\nPage 4 of 8\n\nFigure 6: Unhidden XLM 4 macros - the IcedID payload URL’s. (Click to see larger version.) \r\nThe macros which are distributed across various cells download three DLL files with the .dat extension from the\r\ncommand-and-control (C2) servers to “C:\\Users\\Admin” - Hodas.vyur, Hodas.vyur1 and Hodas.vyur2. These\r\nDLL files are executed using - \"rundll32 DllName, DllRegisterServer\".\r\nThe IcedID loader then retrieves information about the victim PC and sends it over the C2 server in an encoded\r\nform, as shown in Figures 7 and 8.\r\nFigure 7: IcedID loader encoding routine. \r\nhttps://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros\r\nPage 5 of 8\n\nFigure 8: IcedID loader http request headers. (Click to see larger version.) \r\nThe http headers translate to the following:\r\n_gat= NativeSystemInfo\r\n_u= UserName\r\n_gid= AdaptersInfo\r\n__io=AccountName\r\nUptycs’ EDR capabilities detected this attack with a threat score of 10/10 as shown in the figure below.\r\nFigure 9: Uptycs EDR detection of the IcedID xlsm file. (Click to see larger version.) \r\nhttps://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros\r\nPage 6 of 8\n\nGiven our recent observations, we believe that IcedID will emerge as an incarnation of Emotet, moving towards a\r\nMalware-as-a-Service (MaaS) model to distribute malware. We recommend the following measures for enterprise\r\nusers and administrators to identify and protect against such attacks:\r\nDeploy a multi-layered and real-time detection solution to label, classify, score and prioritizes incidents.\r\nRegularly monitor the suspicious processes, events, and network traffic spawned on the execution of any\r\nsuspicious documents arriving from untrusted sources.\r\nAlways be cautious in opening documents from unknown or untrusted sources.\r\nKeep systems updated with the latest releases and patches.\r\nCredits: Thanks to our Uptycs Team members Rohit Bhagat for making enhancements with clustering in our threat\r\nintelligence portal and Siddharth Sharma for the analysis.\r\nIOCs\r\nHashes\r\n7152b279e52e2c6fc0f1cfdafcdccfb45285805de1600d47b28cddac9a1c2bb1 \r\n57494b5bbe886b1fa00dc81f3f835be03769ed2d7eddd7833991ef57d2c45a2d\r\n072c80376261caa87677abfb9dfc268ef0ef49e1611c1c554368a3501231ad6e\r\nf13f315f4c463e582676a253e6b1a3f487e4f98c2bc6bb40f072dae005020d9b\r\n0bcf2c56c5d3a2c17d1789ac4f3e22b43279957864f30170183e235fa555b4fc\r\nf151ec5b824c7c7eef1e2178c2701353cdf349ac32db5ba09d17474093f77abf\r\nc29b93cf7a5134d0569d325fce06472e511c9f244781e05f9ec1efab261faa64\r\n7a9f6247087a03c17273a1d44dc996d93035220d8fa01b7c7d6f29e73481397b\r\nac7ffe03290d646f0d6b2b70d72bdf5ddec6ea68518a46a43f6cadb8405d55c1\r\n6962c82ca95e3804e022e42c91f1708f8912a7d798d9baccaaa13bc4a04065d3\r\n62db4784c54b77efaacdc85bd6ef2eabb45dcd5f8eec6b3495047b74304fa004\r\ncc804b05d5af7ba2fb752fee78584d8961261900645cc3ceecadd81c3408914b\r\n27f39954ae5f9a1be4a456ed55dbd4b56194729ebb1f23f66c0bdb08ecdf3a20\r\ncf3bff21932f3b9b0a615aa768b6458880b5bee596567b88fd9bc62949dd9ce1\r\na76722baf26a2d18dcee08a70df303b8cc330cddb3acc94719b57dd8c12f02cd\r\nf561cc1cc2e6284a37479f53771fff1bab0af7fcf3257a6900489807d896d00f\r\nhttps://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros\r\nPage 7 of 8\n\n51d5f805abac585c1cb686c3b87d1597a8ae66c0a3a83f15a5f3143a1197b8e4\r\n249c42bf328ab7cc321da48fcc9d2ba3ffb8afb160776f961554adf8605f894e\r\nd62bff7ef25d08b4d57333e3b7afd9ef8aba7ecdd5e5c2ccdb6351d3808e3e32\r\n14b50bfa149def72f5dc08d27dfff8bd0204d8b8e28c0757327ea1189414c130\r\n4531a5ed6fb4a6ff8bb556305f2a85dd8e3b6f5100c1188223725d50a75ba61d\r\na1c74b07693b5c505edf3682a1c0703229eff8e71b3d61718b59c06e993df226\r\nURLs\r\nmissimokotov[.]space\r\nmetaflip[.]io\r\npartsapp[.]com[.]br\r\nusaaforced[.]fun\r\nagenbolatermurah[.]com\r\ntajushariya[.]com\r\ncolumbia[.]aula-web[.]net\r\nSource: https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros\r\nhttps://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros"
	],
	"report_names": [
		"icedid-campaign-spotted-being-spiced-with-excel-4-macros"
	],
	"threat_actors": [],
	"ts_created_at": 1775439048,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73ab6baccb068c5f43fc891f74b5727f79b274a7.pdf",
		"text": "https://archive.orkl.eu/73ab6baccb068c5f43fc891f74b5727f79b274a7.txt",
		"img": "https://archive.orkl.eu/73ab6baccb068c5f43fc891f74b5727f79b274a7.jpg"
	}
}