Emotet Malware spreading via IRS theme based spam email
SonicWall RTDMI engine detected an archive attachment consisting of malicious word documents inside of spam email appearing to be from the IRS department. Similar spams were observed during the month of July this year as well. But at that time the spam email contains a malicious word document as an attachment whereas this time the attachment is an archive with malicious word document inside the archive. Information about these fresh attacks was not available in any of the popular threat intelligence sharing portals like the VirusTotal and the ReversingLabs.
Fig-1: Virustotal results of the malicious file
The email attachment is named as one of the following:
- Tax Return Transcript.doc.zip
- Wage and Income Transcript.doc.zip
- Verification of Non-filing Letter.doc.zip
Upon extracting the archive, one can observe two Microsoft Word documents which are same but with different names. One file name will be in IRS_[8-10 random digits]_[mmddyyyy].doc format and another file will have the name of the archive as shown in the below image.
Fig-2: Archive contents
On opening the document, it will ask the user to Enable Editing and Enable content, in order to execute the macro code which downloads the payload by launching PowerShell command.
Fig-3: Word document
The payload belonging to Emotet family is being delivered at the time of analysis.
Indicators of Compromise (IOC):
- fbed00352b18a633f6da8a6fc255905bdccee62d1b3731206bf73bf01c2388a2 : Archive
- 149da2a8074796bc5f3c9dcfe139082df1b60d5ac5e18095a10d5b5359664157 : Word document
- 23974dc955970ae56fd21b938ed1937fe52790313eee12ed8d30203e8d9efb58 : Emotet Malware
Hashes of similar malicious attachments:
Capture ATP report for this file: