Emotet is back for the holidays

November 22, 2018

Two weeks ago, SonicWall Threat Research Lab researched and blogged about a large malspam campaign delivering Emotet. Emotet has come back for the holiday season with different tactics and better obfuscation techniques. These Thanksgiving-themed spam emails are sent in very large numbers with a malicious XML attachment.

Infection Chain:


On November 20th, the spam email below was sent out with Thanksgiving greetings. It pretends to come from valid email addresses with valid full names.


The malicious attachment is not a Word document; it is an XML document. It looks like a malicious Word document with VB macros and shell code was converted to XML to evade signature-based detection.

The malicious XML document's extension was then changed from .xml to .doc so that it launches in Microsoft Word, the default program for the .doc extension.

The attachment opens in Microsoft Word and asks the user to enable macros.

Upon enabling macros, the shell code shown below gets executed.

ShellCode Deobfuscation:

The escape character (^), the caret, is used in the obfuscation to break up the command string and evade signature-based detection. Removing the escape characters and ignoring the semicolons in the shell code shown above yields the following:
Step 1:
Here the obfuscation relies on substrings of existing environment variable values.
cmd /c C%PrOgrAMfILES(x86):~  +9, +1%D; /v: /%APPdATA:~ 6,  1% “;

Environment variables:

ProgramFiles(x86)=C:\Program Files (x86)

The ProgramFiles(x86) environment variable contains the character ‘m’ at the 9th index (counting from zero), so replacing “%PrOgrAMfILES(x86):~  +9, +1%” with ‘m’, and likewise replacing “%APPdATA:~ 6,  1%” with ‘r’, yields

cmd /c CmD /v:/r
Step 2:
Set the variable “cd1” as shown below.
Step 3:
“fOr /L %E IN ( +1559 -3 +2) do (sET uYi=!uYi!!cd1:~  %E,   1!) && If %E ==2 ((call %uYi:~ -520%))”
Reversed-string obfuscation is used to encode the command. The reversed command is first stored in the environment variable “cd1” in Step 2. The /L switch makes the for loop iterate over a range of values, starting from the first value (1559) and decrementing by the second value (-3) until it reaches the third value (2).
When it reaches 2, uYi holds the string below.
After applying all the above steps, we get
cmd /v:ON /r “<powershell command>”
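As an added example (not code from the SonicWall post or from the sample), the following Python emulates the three cmd tricks the steps above walk through: caret and semicolon stripping, %VAR:~start,len% substring expansion, and the for /L loop that reads every third character of cd1 from index 1559 down to 2. The environment values and the scrambled cd1 buffer are constructed for the demo (the APPDATA user name is an assumption); the real cd1 contents are not reproduced.

```python
import re

# Constructed environment for the demo (standard values; the user name is an assumption).
ENV = {"PROGRAMFILES(X86)": r"C:\Program Files (x86)",
       "APPDATA": r"C:\Users\victim\AppData\Roaming"}

def strip_escapes(cmd):
    """Undo the first layer: drop the cmd escape caret (^) and the separator semicolons."""
    return cmd.replace("^", "").replace(";", "")

def batch_substr(value, start, length=None):
    """cmd's %VAR:~start,length% rules: negative start counts from the end,
    negative length drops characters from the end, no length means 'to the end'."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    return value[s:s + length] if length >= 0 else value[s:n + length]

# Matches %NAME:~ +9, +1% and %NAME:~ -520% (cmd tolerates the inner whitespace).
SUBSTR_RE = re.compile(r"%([^%:]+):~\s*([+-]?\d+)(?:\s*,\s*([+-]?\d+))?\s*%")

def expand_env_substrings(cmd, env=ENV):
    """Step 1: replace each %VAR:~a,b% reference with that slice of VAR's value."""
    def repl(m):
        length = int(m.group(3)) if m.group(3) is not None else None
        return batch_substr(env.get(m.group(1).upper(), ""), int(m.group(2)), length)
    return SUBSTR_RE.sub(repl, cmd)

def for_l_unscramble(cd1, start, step, stop):
    """Step 3: emulate `for /L %E IN (start step stop) do set uYi=!uYi!!cd1:~%E,1!`,
    i.e. append the character of cd1 at every index the loop visits."""
    out, e = [], start
    while (e >= stop) if step < 0 else (e <= stop):
        out.append(batch_substr(cd1, e, 1))
        e += step
    return "".join(out)

def scramble(payload, step=3, stop=2, filler="#"):
    """Constructed fixture for testing: place payload[k] at index start - step*k of a
    filler buffer so that the loop above recovers it; returns (cd1, start)."""
    start = stop + step * (len(payload) - 1)
    buf = [filler] * (start + 1)
    for k, ch in enumerate(payload):
        buf[start - step * k] = ch
    return "".join(buf), start

if __name__ == "__main__":
    print(expand_env_substrings(strip_escapes(
        "cmd /c C%PrOgrAMfILES(x86):~  +9, +1%D; /v: /%APPdATA:~ 6,  1%")))  # cmd /c CmD /v: /r
    cd1, start = scramble('powershell -w hidden -c "<stage-2 placeholder>"'.ljust(520))
    print(start, for_l_unscramble(cd1, start, -3, 2).rstrip())  # 1559 powershell ...
```

A 520-character payload gives a loop start of 1559, which is why the sample's loop runs from +1559 to +2 in steps of -3 and then calls %uYi:~-520%.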


The PowerShell script uses the XMLHTTP object (MSXML2.XMLHTTP) to send an HTTP request that downloads the payload, uses the Stream object to save the binary contents to a file in the system temporary path, and finally runs the payload.


Upon execution, the initial payload drops the Emotet malware, which then connects to its command and control (C2) server.

SonicWall Threat Research Lab provides protection against this threat with the following signatures:

  • GAV: MalAgent.H_13035 (Trojan)
  • GAV: Emotet (Trojan)
  • GAV: MalAgent.H_13037 (Trojan)

Trend Chart:
The chart below shows the hits for the GAV signature “MalAgent.H_13037”.