2017-07-03 Malspam Leading To Geodo/Emotet Malware

This write-up stems from a user receiving a malicious Word document via an email claiming to be an invoice. Running the PCAP file through Network Total, I saw that this was tagged as Geodo/Emotet malware. Googling around for Emotet, I came across a Forcepoint article in which they did a great walk-through, which you can read about here. Their article seems to cover most of what I was seeing from the network traffic perspective. Fortinet has two more articles (http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 and http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-2) that go into really good detail about how this malware works. For the artifacts from this investigation, check…