Malspam pushing Emotet malware, (Wed, Jul 26th)


On Tuesday 2017-07-25, we were contacted by a reader through our contact page. He sent us a Microsoft Word document, and he included the following message:

Received a typical phishing email pointing to the site:

This link downloads a doc with an open document macro. Interestingly, the macro was not encrypted. Understanding the payload however is outside my skill set...

I examined the Word document and found it's a downloader for Emotet malware. We never obtained a copy of the associated email. Emotet is generally known as a banking Trojan, although it's also been described as a downloader with worm-like propagation.

Shown above: Chain of events for malspam pushing Emotet.

The Word document

The Word document is a typical macro-based downloader. You enable Word macros after opening the document, and the macro code attempts to download and run malware.

Shown above: The macro name is Document_Open. Click Edit

Shown above: The highly-obfuscated macro code is shown in Microsoft's Visual Basic editor.

Enabling macros caused the code to download a Windows executable (an Emotet binary) to the user's AppData\Local\Temp directory with a file name of 5 random digits and an .exe file extension. This file executed and promptly deleted itself from the AppData\Local\Temp directory. Before that, the malware copied itself to the user

Shown above: Emotet binary made persistent on an infected Windows host.

Infection traffic

At this point, I didn't know what the malware was, so I reviewed the network traffic. The URL to download the malicious document was still active, so I retrieved the Word document from and infected a Windows host. I wasn't familiar with the traffic, but I had monitored the infection with a Security Onion host running Suricata and the EmergingThreats Pro ruleset.

Shown above: Escalate the Emotet events, and you'll see all the destination IPs.

Indicators of Compromise (IOCs)

Payload Security's sandbox analysis (same as of the Word document shows 5 other URLs from the macro that download the same Emotet malware binary. Payload Security

Shown above: Some additional URLs leading to the Word document.

The following are IOCs associated with malspam pushing Emotet malware on 2017-07-25:

Word document from links in the emails:

  • SHA256 hash: 6cad070bd1a37291b207895bbb51b975fa07b4ad2f05fb9a1ee15fb7441d600e
  • File size: 120,320 bytes
  • Links: VirusTotal , ,

Emotet binary downloaded by the Word macro:

  • SHA256 hash: 48f3c89ea2f1e3190ae00f7ac7243ddb752364c076b40afc049424c6a0f75443
  • File size: 176,128 bytes
  • Links: VirusTotal , ,

Links from the malspam to download the word document:

Macros from the Word document downloading the Emotet binary:

  • - GET /kukajweln/
  • - GET /ckgawd/
  • - GET /awhwgra/
  • - GET /ev/
  • - GET /rwibpm/

HTTP post-infection traffic:

  • port 8080 - - POST /
  • port 8080 - - POST /
  • port 443 - - POST /

Post-infection attempted TCP connections, but no response (or RST) from the server:

  • port 443
  • port 8080
  • port 8080
  • port 443
  • port 443
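As an added example (not part of this diary or of any ISC tooling), the script below turns the behaviour described above into simple triage checks run over constructed log lines: the five-digit .exe dropped into AppData\Local\Temp, the malspam document links whose last path segment is four upper-case letters plus six digits (like /XXGX911533/), and the post-infection POST to "/" on port 8080 or 443. The regular expressions and the sample lines are assumptions drawn from this one campaign, not general Emotet signatures, and a match is a lead for a human to review rather than a verdict.

```python
import re

# Heuristics drawn from this diary's observations (assumptions, not vendor signatures):
#  - the macro dropped <5 random digits>.exe into %LOCALAPPDATA%\Temp
#  - malspam links ended in a segment like /XXGX911533/ (4 upper-case letters, 6 digits)
#  - post-infection traffic was a POST to "/" on port 8080 or 443
DROPPED_EXE = re.compile(r"\\AppData\\Local\\Temp\\\d{5}\.exe$", re.IGNORECASE)
DOC_LINK_PATH = re.compile(r"^/(?:[\w/.-]+/)?[A-Z]{4}\d{6}/?$")
C2_PORTS = {8080, 443}


def is_dropped_binary(image_path):
    """True if a process image path matches the random-digit Temp drop."""
    return DROPPED_EXE.search(image_path) is not None


def is_malspam_link(uri_path):
    """True if the request path looks like the campaign's document download links."""
    return DOC_LINK_PATH.match(uri_path) is not None


def is_c2_post(method, uri_path, dst_port):
    """True for the bare POST / on the ports seen after infection."""
    return method == "POST" and uri_path == "/" and dst_port in C2_PORTS


def triage_http_log(lines):
    """Each constructed line is 'METHOD PATH DST_PORT'; return (line, reason) hits."""
    hits = []
    for line in lines:
        method, path, port = line.split()
        if method == "GET" and is_malspam_link(path):
            hits.append((line, "malspam document link"))
        elif is_c2_post(method, path, int(port)):
            hits.append((line, "possible Emotet C2 POST"))
    return hits


def triage_process_log(image_paths):
    """Return the image paths that match the Temp drop pattern."""
    return [p for p in image_paths if is_dropped_binary(p)]


# Constructed sample data; the paths echo the IOC style in the diary, the hosts are omitted.
SAMPLE_HTTP = [
    "GET /XXGX911533/ 80",
    "GET /joomla/language/MZQO136516/ 80",
    "GET /index.html 80",
    "POST / 8080",
    "POST /login 443",
]
SAMPLE_PROCS = [
    r"C:\Users\alice\AppData\Local\Temp\48213.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for line, reason in triage_http_log(SAMPLE_HTTP):
        print(f"{reason}: {line}")
    for path in triage_process_log(SAMPLE_PROCS):
        print(f"suspicious drop: {path}")
```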

Final words

As mentioned earlier, we didn't obtain a copy of the email with a link to the Word document. Last month, a similar report on Emotet was published on, but it was also without an example of the associated emails. If anyone has an example of these emails, feel free to share a copy through our contact page.

If your organization follows best security practices, your risk of infection is minimal. However, we continue to see reports on this type of malspam on a near-daily basis. That implies the criminals behind it are at least somewhat successful.

Pcap and malware samples for today's diary can be found here.

Brad Duncan
brad [at]

© SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.