search
    search
      27 Jun, 2017

      Malspam activity was noted on June 26th 2017, delivering Emotet banking trojan. It leverages malicious Word documents with embedded macros.

      Scan results of a delivery document can be found here. An attacker can easily lure the victim to run the embedded macro:

      0007.jpg

      Submitting the delivery document to What's This File service shows its maliciousness:

      emotet-wtf.png

      Upon running the macro launches a powershell script to download and run the malware. Here is the process tree:

      emotet-sandbox.png

      Here is the GET request in NetWitness Logs and Packets, as well as the file checksum using the "View Files" option of the download session:

      emotet-session.png

      emotet-files.png

      The Hunting pack registered the following meta values for the download sessions indicating highly suspicious traffic:

      emotet-navigate.png

      Analysis results on VirusTotal suggest the final payload is an Emotet variant, a banking trojan that has been around since 2014.

      All the IOC from those HTTP sessions were added to FirstWatch Command and Control Domains feed on Live with the following meta values:

      • threadt.source = 'rsa-firstwatch'
      • threat.category = 'malspam'
      • threat.description = 'delivery-domain'

      Further reading:

      1. more invoice malspam with links to download word doc deliver malware – My Online Security 
      2. New Variant of Geodo/Emotet Banking Malware Targets UK | Forcepoint 
      3. https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/ 
      Topic:
      0 Comment
        CATEGORIES
        RECENT POST
        Amazon Cloudwatch Event Source Log Configuration Guide
        3 Dec, 2025
        F5 Source Code Breach: Hunting UNC5221's BRICKSTORM with NetWitness
        31 Oct, 2025
        MSAzureGraph Universal Plugin for Microsoft Graph API
        17 Oct, 2025