Objective
Practice a malware-analysis workflow for a suspicious Office document: identify macro behavior, extract payload clues, observe network indicators, and turn the findings into IOCs that a SOC team could search for or block.
Environment
- Analysis host: FlareVM-style isolated Windows sandbox
- Supporting tools: oledump.py, Wireshark, registry review, and static string inspection
- Sample type: Macro-enabled Word document
- Defensive goal: Produce clear indicators and behavioral notes without losing the reasoning path
Sample Overview
- File: invoice_20260425.docm
- SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- Type: Microsoft Word Macro-Enabled Document
- Family: Emotet (epoch 5)
Static Analysis
OLE Structure
Used oledump.py to inspect the OLE streams:
oledump.py invoice.docm
Stream 8 contained VBA macros. Extracted with:
oledump.py -s 8 -v invoice.docm > macro.vba
Macro Deobfuscation
The macro was heavily obfuscated with string concatenation and Chr() encoding. After manual deobfuscation, the macro code revealed:
- PowerShell download cradle to hxxp://192.168.1[.]100/payload.exe
- Persistence via scheduled task
- PowerShell execution policy bypass (-ExecutionPolicy Bypass)
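The Chr()-and-concatenation pattern described above is mechanical enough to undo with a short script, which also turns the recovered strings straight into defanged IOCs for the list at the end of this write-up. The code below is an added example, not part of the original analysis or the oledump.py project; the VBA fragment it parses is constructed to imitate the obfuscation style, not the real sample's macro, and the defanging follows this write-up's convention of bracketing the last dot of the host.

```python
import re
from urllib.parse import urlsplit

# Constructed VBA fragment imitating the write-up's obfuscation style
# (Chr() encoding plus "&" concatenation); not the real sample's macro.
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim c As String, u As String
    c = Chr(112) & "ower" & Chr(115) & "hell -Exe" & "cutionPolicy " & Chr(66) & "ypass"
    u = "ht" & Chr(116) & "p://192.168." & Chr(49) & ".100/payl" & "oad" & Chr(46) & "exe"
    MsgBox "Document is ""protected"", enable content"
End Sub
'''

PIECE = r'"(?:[^"]|"")*"|Chr\(\d+\)'
# A chain is one or more pieces joined by VBA's & operator.
CHAIN_RE = re.compile(r'(?:%s)(?:\s*&\s*(?:%s))*' % (PIECE, PIECE), re.IGNORECASE)
PIECE_RE = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
# Decoded substrings worth a flag in the analyst notes (case-insensitive).
FLAGS = ('-executionpolicy bypass', 'schtasks')

def decode_chain(chain):
    """Turn "ab" & Chr(99) & "d" into the plaintext abcd (VBA doubles quotes)."""
    out = []
    for lit, code in PIECE_RE.findall(chain):
        out.append(chr(int(code)) if code else lit.replace('""', '"'))
    return ''.join(out)

def deobfuscate(vba):
    """Return every string the macro assembles, in source order."""
    return [decode_chain(m.group(0)) for m in CHAIN_RE.finditer(vba)]

def defang(url):
    """hxxp scheme and bracket the last dot of the host, as in the IOC list."""
    parts = urlsplit(url)
    host = parts.netloc
    if '.' in host:
        head, tail = host.rsplit('.', 1)
        host = head + '[.]' + tail
    rest = parts.path + ('?' + parts.query if parts.query else '')
    return '%s://%s%s' % (parts.scheme.replace('http', 'hxxp'), host, rest)

def analyze(vba):
    """Deobfuscate, then pull URLs and suspicious switches as defanged IOCs."""
    strings = deobfuscate(vba)
    urls, flags = [], []
    for s in strings:
        urls += [defang(u) for u in URL_RE.findall(s)]
        flags += [f for f in FLAGS if f in s.lower()]
    return {'strings': strings, 'urls': urls, 'flags': flags}

if __name__ == '__main__':
    for key, value in analyze(SAMPLE_VBA).items():
        print(key, value)
```

Run it against the stream extracted with oledump.py (the macro.vba file above) instead of SAMPLE_VBA; anything built at runtime through StrReverse, Replace or array lookups will not fold and still needs manual work.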
Dynamic Analysis
Detonated the sample in the isolated FlareVM sandbox. Key observations:
| Time | Event |
|---|---|
| T+0s | Macro execution, PowerShell spawns |
| T+3s | Outbound connection to C2 on port 8080 |
| T+5s | Payload dropped to %APPDATA%\emotet.dll |
| T+10s | Persistence established via HKCU\Run |
| T+30s | Credential harvesting from browsers and Outlook |
Network Indicators
192.168.1[.]100:8080 — C2 callback
185.234.72[.]18:443 — Secondary C2
Evidence Summary
| Evidence | Finding | Analyst Note |
|---|---|---|
| OLE stream | VBA macro in stream 8 | Macro extraction is the first useful pivot |
| Execution | PowerShell spawned after macro run | Suspicious child process chain |
| Persistence | HKCU\Run key observed | User-level persistence behavior |
| Network | C2 callback on 8080 | Network detection and block candidate |
| Payload | %APPDATA%\emotet.dll | File indicator for endpoint hunting |
IOCs
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C2: 192.168.1[.]100:8080
C2: 185.234.72[.]18:443
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EmotetUpdate
File: %APPDATA%\emotet.dll
Defensive Takeaway
For document malware, the strongest investigation output is a short chain of behavior: document macro, script execution, payload path, persistence location, and network callback. That chain is easier to hunt than a single hash.
Key Takeaways
- OLE streams are the first place to check in suspicious Office documents
- Emotet's macro obfuscation follows predictable patterns — manual deobfuscation is faster than automated tools
- Always monitor for scheduled tasks and registry run keys during dynamic analysis