March 21, 2023 HAWKEYE

Emotet Epoch 5

Malware Adapts to New Tactics, Using OneNote Files to Evade Security Measures

The notorious Emotet malware has returned with a new tactic to evade macro-based security restrictions and infect systems. This time, it’s using Microsoft OneNote email attachments, as well as its previous modus operandi of distributing booby-trapped documents containing macros.

To bypass Microsoft’s macro-blocking measures, the Emotet malware now distributes malicious payloads via OneNote attachments. According to Malwarebytes, the OneNote file is convincing and effective, with a fake notification stating that the document is protected, and double-clicking the “View” button inadvertently executes an embedded script file that retrieves and executes the Emotet binary payload from a remote server.

Emotet also continues to use booby-trapped documents containing macros to deliver the malicious payload, employing social engineering lures to encourage users to enable macros and activate the attack chain. To avoid detection, these documents leverage a technique known as a decompression bomb to conceal a large file within ZIP archive attachments.

Emotet’s flexibility and agility in switching attachment types for initial delivery is a cause for concern. Threat actors are increasingly using OneNote documents to distribute various malware, such as AsyncRAT, IcedID, RedLine Stealer, Qakbot, and XWorm. The U.S., South Korea, Germany, Saudi Arabia, Poland, India, the U.K., Italy, Japan, and Croatia are the top targeted countries, with manufacturing, high-tech, telecom, finance, and energy sectors the most at risk.

Attack Scenario:

  1. Attacker hijacks an email thread and sends an attached OneNote file.
  2. The OneNote file contains an embedded .wsf script.
  3. The user double-clicks on the OneNote image, which runs the embedded .wsf script.
  4. The .wsf script retrieves the Emotet DLL from a remote server and runs it.
  5. The Emotet DLL communicates with the attacker’s command and control (C2) server, sending information about the infected system and receiving commands from the attacker.
  6. The attacker can then use the infected system to carry out further attacks or steal sensitive information.
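The second and third steps above (a script file hidden inside a .one attachment) are something a SOC can check for without opening the file in OneNote. The following is an added example, not HAWKEYE's tooling and not code from any referenced report. It relies on one fact about the OneNote file format: every embedded file in a .one file is wrapped in a FileDataStoreObject structure (MS-ONESTORE), which starts with a fixed header GUID followed by the payload length and ends with a fixed footer GUID, so a byte search finds embedded payloads without parsing the whole document. The sample .one blob, the script it embeds and the content-type heuristics are all constructed for this example; the real click.wsf is not reproduced.

```python
import hashlib
import struct

# GUIDs from the MS-ONESTORE file format: the .one file signature
# (guidFileType) and the header/footer GUIDs that bracket a
# FileDataStoreObject, the structure that holds an embedded file.
# All three are stored as little-endian GUID bytes, so a plain byte
# search finds them without parsing the rest of the file.
ONE_FILE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")
FDSO_HEADER_GUID = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER_GUID = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
FDSO_HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved


def classify_payload(blob: bytes) -> str:
    """Rough content-type guess for an embedded file, from its first bytes (heuristic)."""
    head = blob[:512].lower()
    if blob.startswith(b"MZ"):
        return "pe-executable"            # EXE/DLL, e.g. the Emotet DLL
    if b"<job" in head and b"<script" in head:
        return "wsf-script"               # Windows Script File, like click.wsf
    if b"<script" in head or b"<?xml" in head[:64]:
        return "xml-or-script"
    if blob.startswith(b"\x89PNG") or blob.startswith(b"\xff\xd8\xff"):
        return "image"                    # a fake "View" button is typically one of these
    return "unknown"


def carve_embedded_files(data: bytes) -> list:
    """Locate every FileDataStoreObject in a OneNote blob and describe its payload."""
    findings = []
    pos = data.find(FDSO_HEADER_GUID)
    while pos != -1:
        if pos + FDSO_HEADER_LEN > len(data):
            break                         # header GUID at the very end: nothing to carve
        # cbLength (uint64, little-endian) sits right after the header GUID
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_HEADER_LEN
        payload = data[start:start + length]
        findings.append({
            "offset": pos,
            "size": length,
            "truncated": len(payload) < length,
            "footer_ok": data[start + length:start + length + 16] == FDSO_FOOTER_GUID,
            "kind": classify_payload(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
        pos = data.find(FDSO_HEADER_GUID, start + len(payload))
    return findings


def triage(data: bytes) -> dict:
    """Summarise a file the way an analyst wants it: is it a .one file, what is
    embedded, and which embedded items deserve a closer look."""
    found = carve_embedded_files(data)
    risky = [f for f in found if f["kind"] in ("pe-executable", "wsf-script", "xml-or-script")]
    return {
        "is_onenote": data.startswith(ONE_FILE_MAGIC),
        "embedded": found,
        "suspicious": risky,
    }


def build_sample_onenote() -> bytes:
    """Constructed stand-in for a malicious .one file: the file signature,
    filler, a fake button image and a harmless script, each wrapped in a
    FileDataStoreObject. This is not a real sample."""
    def wrap(payload: bytes) -> bytes:
        return (FDSO_HEADER_GUID + struct.pack("<Q", len(payload))
                + b"\x00" * 4 + b"\x00" * 8 + payload + FDSO_FOOTER_GUID)

    image = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    # harmless constructed script; the real click.wsf is not reproduced here
    script = (b'<?xml version="1.0"?><job id="demo"><script language="JScript">'
              b'WScript.Echo("constructed sample");</script></job>')
    return (ONE_FILE_MAGIC + b"\x00" * 100 + wrap(image)
            + b"\x00" * 50 + wrap(script) + b"\x00" * 20)


if __name__ == "__main__":
    report = triage(build_sample_onenote())
    print("OneNote file:", report["is_onenote"])
    for item in report["embedded"]:
        print(item)
```

The SHA256 of each carved payload can be compared against the .wsf hash listed below; the content-type guess is a heuristic, so an "unknown" payload in a file received as an unsolicited attachment still deserves a look.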

As always, it’s essential to remain vigilant and exercise caution when opening email attachments. The following are the indicators of compromise (IoCs) from the latest Emotet infections:

OneNote Files from 6 Samples (SHA256 hashes, with file names where recorded):

  • f24259e65a935722c36ab36f6e4429a1d0f04c0ac3600e4286cc717acc5b03d7
  • 823cb940b33f1d14576de6ab9bf747b3a1632accb0104ba1bdbbb62ae5054f3c (ECLL)
  • 2d2a9278a7ee9c29e8a09d31b217a3ae7e88f2ae48eb44e1a1a4a879653dd126
  • ecba257a646789c31d971efc233267495ac532109e92b064bac0c8e231a27a38
  • 5d65ab3b6748ba7034dc0588f2d61fa43e7fce7ed5ee6ab533e2f08274bc5d22
  • 7c4591fd03b73ba6d0ec71a3cf89a04bfb4bd240d359117d96834a83727bdcc2 (report)

.WSF in the above .ONE files:

  • SHA256 hash: af0c7d355bb6a495d038fd05217209054107d31aa6199c491b74ae3d24b11c7e
  • File size: 63,088 bytes
  • File name: click.wsf
  • Example of saved file location: C:\Users\user1\AppData\Local\Temp\OneNote\16.0\Exported\{56D2BD78-EBDE-44C6-87B3-A47B99EFE0E4}\NT\0\click.wsf

12 URLs generated by the above .WSF:

  • hxxp://1it[.]fit/site_vp/4PwK3s6Bf9K7TEA/
  • hxxps://4fly[.]su/search/OfGA/
  • hxxp://efirma.sglwebs[.]com/img/2mmLuv7SxhhYFRVn/
  • hxxp://hypernite.5v[.]pl/vendor/hvlVMsI9jGafBBTa/
  • hxxps://kts[.]group/35ccbf2003/jKgk8/
  • hxxp://malli[.]su/img/PXN5J/
  • hxxps://olgaperezporro[.]com/js/ExGBiCZdkkw0GBAuHNZ/
  • hxxp://[.]br/ava/ahhz/
  • hxxp://staging-demo[.]com/public_html/wTG/
  • hxxps://thailandcan[.]org/assets/ulRa/
  • hxxp://uk-eurodom[.]com/bitrix/9HrzPY66D1F/
  • hxxp://www.polarkh-crewing[.]com/aboutus/EUzMzX7yXpP/

Example of an Emotet DLL:

[File size and hash were different when downloaded from the same URL at a later time]
SHA256 hash: aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7
File size: 307,712 bytes
File location: hxxp://malli[.]su/img/PXN5J/
Saved file location: same temp directory as above click.wsf file
Saved file name: rad00A25.tmp.dll
File description: 64-bit DLL for Emotet
Run method: regsvr32.exe [filename]
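The saved file location of click.wsf and the regsvr32.exe run method above give an endpoint detection two reliable anchors: a script host started by OneNote from its Temp\OneNote\...\Exported\ directory, and regsvr32.exe loading a .tmp.dll from under Temp. The following is an added example of that detection logic, written by the editor and not part of HAWKEYE's service; the event shape (Sysmon-like ParentImage, Image and CommandLine fields plus an ArgFileSHA256 field, standing in for the EDR enrichment that hashes the file named on the command line) and all four log lines are constructed. The two hashes are the ones listed on this page.

```python
import json
import re

# Hashes taken from this page's IoC list. The page notes the DLL hash changed
# between downloads of the same URL, so hash matching is only one signal.
KNOWN_BAD_SHA256 = {
    "af0c7d355bb6a495d038fd05217209054107d31aa6199c491b74ae3d24b11c7e",  # click.wsf
    "aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7",  # Emotet DLL
}

# Where OneNote writes an attachment the user double-clicked (see the saved
# file location above): ...\AppData\Local\Temp\OneNote\<version>\Exported\<GUID>\...
ONENOTE_EXPORT_DIR = re.compile(r"\\AppData\\Local\\Temp\\OneNote\\[^\\]+\\Exported\\", re.I)
WSF_ARG = re.compile(r'\.wsf"?\s*$', re.I)          # command line ends in a .wsf
TEMP_TMP_DLL = re.compile(r"\\Temp\\.*\.tmp\.dll", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_event(ev: dict) -> list:
    """Return the names of every rule a single process-creation event trips."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    if parent == "onenote.exe" and image in SCRIPT_HOSTS:
        hits.append("onenote-spawned-script-host")
    if ONENOTE_EXPORT_DIR.search(cmd) and WSF_ARG.search(cmd):
        hits.append("wsf-run-from-onenote-export-dir")
    if image == "regsvr32.exe" and TEMP_TMP_DLL.search(cmd):
        hits.append("regsvr32-loading-temp-dll")
    # ArgFileSHA256: assumed EDR enrichment, the hash of the file named on the command line
    if ev.get("ArgFileSHA256", "").lower() in KNOWN_BAD_SHA256:
        hits.append("known-emotet-hash")
    return hits


def scan_log(text: str) -> list:
    """Parse JSON-lines events and return (line_number, hits) for each line that matched."""
    results = []
    for number, line in enumerate(text.strip().splitlines(), start=1):
        if not line.strip():
            continue
        hits = evaluate_event(json.loads(line))
        if hits:
            results.append((number, hits))
    return results


# Constructed sample events (not real telemetry). Lines 2 and 3 mirror the
# chain described on this page; lines 1 and 4 are benign and must not alert.
SAMPLE_LOG = r"""
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE\" \"C:\\Users\\user1\\Downloads\\report.one\"", "ArgFileSHA256": "0000000000000000000000000000000000000000000000000000000000000000"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\user1\\AppData\\Local\\Temp\\OneNote\\16.0\\Exported\\{56D2BD78-EBDE-44C6-87B3-A47B99EFE0E4}\\NT\\0\\click.wsf\"", "ArgFileSHA256": "af0c7d355bb6a495d038fd05217209054107d31aa6199c491b74ae3d24b11c7e"}
{"ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe C:\\Users\\user1\\AppData\\Local\\Temp\\OneNote\\16.0\\Exported\\{56D2BD78-EBDE-44C6-87B3-A47B99EFE0E4}\\NT\\0\\rad00A25.tmp.dll", "ArgFileSHA256": "aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7"}
{"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\example.dll", "ArgFileSHA256": "1111111111111111111111111111111111111111111111111111111111111111"}
"""

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"event {number}: {', '.join(hits)}")
```

The parent/child and path rules are the ones worth keeping: they fire on the behaviour described on this page even after the hashes rotate, while the hash rule mainly confirms a known sample.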

Successful HTTPS Traffic for Emotet C2 Activity:

  • port 7080
  • port 4143 <- sent approx. 4 MB of data to the infected host immediately before spambot activity
  • port 8080
  • port 80
  • port 443
  • port 8080
  • port 8080
  • port 8080
  • port 8080
  • port 8080
  • port 7080
  • port 443
  • port 8080
  • port 443
  • port 8080

We welcome you to contact us for more information about HAWKEYE - SOC As A Service.