Cb Connect 2018 | Power of You | Register Now

Carbon Black TAU Threat Analysis: Emotet Banking Trojan Leverages MS Office Word Docs, PowerShell to Deliver Malware

June 4, 2018 / Jared Myers , Cathy Cramer

Emotet is a family of banking malware, which has been around since at least 2014.  Attackers continue to leverage variants of Emotet and are becoming increasingly shrewd in the techniques they employ to deliver the malware onto an infected system.  In the spring of 2018 Carbon Black’s Threat Analysis Unit (TAU) and other researchers observed the adaptation to existing methods leveraging PowerShell, where attackers were encrypting the URLs of the C2s used to host the second stage payload.

Carbon Black’s ThreatSight recently observed a spike in this type technique being detected across customers’ utilizing their managed hunting services. Carbon Black originally released this analysis in our User  Exchange. After continuing to observe an increase in these variants submitted to online sandboxes, we are releasing the analysis in this blog post as well.  This article is intended to assist other researchers and security practitioners who may be affected by or investigating this type of campaign.

This attack has only been observed as originating from phishing campaigns that are leveraging MS Office Word documents with obfuscated VBScripts additional using PowerShell and the ConvertTo-SecureString cmdlet, which in the later stages is used to decrypt the C2(s) and associated logic.  As previously stated this represents an evolution of current macro attack techniques, where these types of cmdlets are not typically associated with phishing campaigns.  A sample using these techniques was analyzed in this post to describe how the attack works.

The table below contains the metadata for the sample that was analyzed.

File Name       : Shipment.doc

File Size       : 152,064 bytes

MD5             : 967fceb84599e09e09030c0eefbbc9fd

SHA1            : 62098328ea75ca73226cc3765720a4ef6c56364b

SHA256          : 4a4e868ce5db234019bd0dd56c5f9e19e74ffe9b1d3f6ca88a7e06d5982cf3cc

codepage             :1252          

title                :Laequxy          

subject              :Laequxy          

author               :Laequxylae          

keywords             :          

comments             :          

template             :Normal.dotm          

last_saved_by        :          

revision_number      :1          

total_edit_time      :0          

create_time          :2018-04-03 19:44:00          

last_saved_time      :2018-04-03 19:44:00          

num_pages            :1          

num_words            :0          

num_chars            :1          

creating_application :Microsoft Office Word         

security             :0

Table 1: Sample Metadata

Technical Details

First Stage

Oledump was used to extract the four streams in the MS Word document that contains compressed VBScript macros.  The image below shows the different streams.

Figure 1: OleDump output

The functionality of the script is divided among the four different streams, which all contained hundreds of lines of junk code and obfuscation.  The below image is an example of 1 of the decompressed streams.

Figure 2: Excerpt of obfuscated VBScript

The VBScript utilizes a series of functions that will accept a string and two integer values.  The function will first replace characters in the string being passed before using the integers as a starting point and length to extract a subset of characters embedded in the original string.  These extracted sub-strings will then be concatenated together to form the next stage of commands. This is a fairly common tactic to obfuscate strings that are typically associated with malicious macros.  The table below contains a python code excerpt that can be used to extract the sub-strings. It should be noted that this python code is specific to this sample, regarding the characters that are replaced. In the original sample additional characters were substituted (specifically the ^ character) in an attempt to bypass certain detection techniques, these are not added in the code below.  

def parse_string(string, start, size):

  start = start – 1

  string = re.sub(‘MtwBUu’, ”, string)

  return string[start:start + size]

Table 2: Python code excerpt

In this sample the original VBScript contained approximately 4,000 lines of junk and obfuscated code, that could be distilled down to roughly 250 lines of legitimate code.  Of that approximately 100 lines of variables being set as strings were extracted, which when decoded (in the manner detailed above) and concatenated together produced the command visible in the image below.

Figure 3: Decoded first stage command

The above command will use cmd.exe to execute powershell, which is obfuscated (highlighted in the red box).  The same lines, in the highlighted box, are formatted and displayed below, which is a set of variable declarations that are characters.  These variables are concatenated together to form the string powershell.  This is done to obfuscate that cmd.exe is being used to invoke PowerShell.

Figure 4: Forming PowerShell string

Second Stage

The PowerShell command itself (pictured below) will Base64 decode and then zlib decompress (highlighted in red) a secondary command which will then be executed in memory.  It should be noted that the text in the image below was cleaned up, to make it easier to read. The original was obfuscated with invoke-obfuscation.

Figure 5: PowerShell command

The second stage command is listed below and contains an encrypted (and Base64 encoded) object and a series of values, which are converted to a secure string via PowerShell cmdlet converto-securestring.  It should be noted that the code below was truncated for displaying in this post.

Figure 6: PowerShell second stage command

The encrypted object can be converted to plaintext using PowerShell and the appropriate cmdlets.  The table below shows the (truncated) data above being set as the $out variable, and then converted to plaintext.

>$out = NEW-object management.automation.pscredential  ‘ ‘,( ‘76492d111674

…zAGUAMwA=’|convertto-securestring -k  5,219,194,162,160,166,156,44,168,74,58,40,20,167,76,227,39,237,221,



Table 3: PowerShell commands

Third Stage

The result is a third obfuscated layer that is executed in memory, displayed in the image below.

Figure 7: PowerShell third stage command

The command from above, was cleaned up for analysis and is displayed below.  The variable were also renamed. The command will create a random value (between the integers of 10,000 and 282,133.  An array of URLs are then created, however in this sample on 1 C2 is listed (highlighted in red). The full path for the download is then created, the second stage malware is then downloaded and executed (highlighted in green and blue respectively).

Figure 8: Formatted final downloader stage


Yara Signature

rule Word_Emotet_Dropper_2018_Q2 : TAU Word Emotet VBA



author = “Carbon Black TAU”

date = “2018-May-22”

description = “Emotet Word Document Dropper utilizing obfuscated cmd and PS”

yara_version = “3.7.0”

exemplar_hashes = “4a4e868ce5db234019bd0dd56c5f9e19e74ffe9b1d3f6ca88a7e06d5982cf3cc”


$signature = {D0 CF 11 E0}

$s1 = “AutoOpen” wide

$s2 = “io.compression”

$s3 = “Run”

$s4 = “VBA”

$s5 = “On Error”

$s6 = “Case”

$s7 = “autoopen”

$s8 = “Module1”


$signature at 0 and

7 of ($s*)



TAGS: Carbon Black / Emotet / PowerShell / ThreatSight / Word