Recently, Zscaler's research team, ThreatLabZ, came across malicious Microsoft Office documents delivering Emotet malware via attachments using "Greeting Card" as the document name. The malware author leveraged the popular 4th of July holiday, the USA's Independence Day, to lure users into downloading and opening the malicious documents. We saw over two dozen unique payloads hitting our Cloud Sandbox in the 48-hour span from July 2nd to July 4th earlier this week. The filenames and hashes for these attachments are shown below:
Fig. 1: Filenames of the attachments with the hashes
When the user opens the attachment, the document shows the following social-engineering message asking the user to enable content, which executes the malicious macro in the background. By default, Microsoft Office disables automatic execution of embedded macros until the user explicitly selects "Enable Content."
Fig. 2: Fake Office message that asks user to enable macros
Macro obfuscation and de-obfuscation
There is only one macro in the document named Sub_Autoopen(). It includes a lot of junk code to throw off security researchers attempting to analyze it.
Fig. 3: Embedded obfuscated macro triggering with AutoOpen
The code concatenates the values stored in the variable and then runs the resulting command with wscript.exe.
Fig. 4: PowerShell command being de-obfuscated and executed
In the above snapshot, the code launches WScript, which runs a PowerShell script to download the payload. The script's parameters are stored in the variable “OUzoicLZQ”. The PowerShell script is highly obfuscated, making it harder to analyze.
Fig. 5: Obfuscated PowerShell command
In the script, we can see it is using: ((GV '*Mdr*').nAmE[3,11,2]-jOIN''). This resolves to “iex”, the alias for Invoke-Expression: GV (Get-Variable) returns the variable whose name matches *Mdr*, and characters 3, 11 and 2 of that name, joined together, spell “iex”. The Invoke-Expression cmdlet ("command-let") evaluates or runs a specified string as a command and returns the results of the expression or command. Using the for loop, the script takes the characters from an array one by one, XORs each with 0x1d, and finally joins the results into the full command string using the -join operator.
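As an added analyst-side example (not code from the blog post or from the malware), the decoder below emulates the two tricks just described: resolving the indexed-character alias and XOR-decoding an integer array with 0x1d. It assumes the wildcard *Mdr* matches the built-in preference variable MaximumDriveCount, and the encoded array it decodes is constructed here for illustration.

```python
# Emulates the PowerShell de-obfuscation steps described above so the
# decoded command can be recovered without executing the script.
# Assumption: (GV '*Mdr*').Name resolves to "MaximumDriveCount" on a
# default PowerShell host with no other variable matching the wildcard.

XOR_KEY = 0x1D  # the "1d" key the obfuscated script XORs each character with


def resolve_indexed_alias(variable_name: str, indices: list[int]) -> str:
    """Emulate (GV '*pattern*').Name[i,j,k] -join '' for a known variable name."""
    return "".join(variable_name[i] for i in indices)


def decode_xor_array(values: list[int], key: int = XOR_KEY) -> str:
    """Emulate the for loop: XOR every array element with the key, then join the chars."""
    return "".join(chr(v ^ key) for v in values)


def encode_for_demo(command: str, key: int = XOR_KEY) -> list[int]:
    """Build a constructed encoded array so the decoder can be exercised offline."""
    return [ord(c) ^ key for c in command]


# Constructed sample: a harmless command encoded the same way the script
# stores its parameters (integer array, one XORed character per element).
SAMPLE_ENCODED = encode_for_demo("Write-Output 'greeting card sample'")


def deobfuscate(alias_source: str, indices: list[int], encoded: list[int]) -> tuple[str, str]:
    """Return (resolved alias, decoded command) for a script built like Fig. 5."""
    alias = resolve_indexed_alias(alias_source, indices)
    command = decode_xor_array(encoded)
    return alias, command


if __name__ == "__main__":
    alias, cmd = deobfuscate("MaximumDriveCount", [3, 11, 2], SAMPLE_ENCODED)
    print(f"{alias} -> {cmd}")  # prints: iex -> Write-Output 'greeting card sample'
```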
De-obfuscation of PowerShell parameters:
Fig. 6: De-obfuscated PowerShell command parameters
The script then connects the user's machine to a remote server, downloads the Emotet payload, and drops it into the Windows temp directory:
Emotet creates a copy of itself in “C:\windows\system32\” with a filename created by appending two strings drawn from a predetermined set of hard-coded strings. The combination of strings is chosen based on the volume serial number of the infected system's volume.
Creates mutex: PEM<random_integer_and_alphabets>
For a detailed technical analysis of the Emotet payload, please check our previous blog here.
The Zscaler Cloud Sandbox report for one of the greeting card payloads is shown below:
Fig. 7: Zscaler Cloud Sandbox report
Download attachment URLs:
Malicious document MD5s:
Emotet executable MD5s: