
Cyren Security Blog


Christmas Eve Warning! Malware Targeting Amazon Shoppers

Shopping for Christmas gifts has never been easier, especially with Amazon—and who doesn’t use Amazon? This is why using fake Amazon orders is a favorite method bad actors have been using this time of year to bait rushed Christmas shoppers. As a warning to anybody (everybody?) caught up in receiving last-minute Amazon deliveries, we’ve come across a malicious email campaign (see image below) to install a variant of the Emotet malware, a polymorphic banking Trojan that is virtual machine-aware and primarily functions as a downloader or dropper of other malware such as spyware and ransomware.

The gift that keeps on giving

Since it’s a Trojan, the campaign could have one of many objectives (or several at once)—once a user has installed it, what happens next depends on which module the cybercriminal decides to deploy, although it’s usually a module intended to steal passwords or emails.


Figure 1: Fake email pretending to be an Amazon order confirmation

The above email, which appears to be an order confirmation from Amazon, is anything but—it is part of a large malware campaign which is proving very active during this Christmas 2018 holiday season. If the recipient is puzzled by the suggestion of an Amazon order they don’t believe they made (which they didn’t) and clicks on the order details button, a file named “ORDER_DETAILS_FORM.doc” is downloaded that contains a malicious macro, and the user is asked to enable the content.


Figure 2: User is asked to enable content to view online Word doc

Under the hood: Garbage code and obfuscation used

Checking the contents of the macro code, at first glance it appears to be obfuscated. But careful inspection reveals that most of it is just garbage code. The important part is the interaction where the Shell method executes a command line.


Figure 3: Shell method executed command line

The shell command is also somewhat obfuscated: it begins with a directory traversal, and it builds the interpreter name from environment-variable substrings, “%PROGRaMDatA:~0,1%%prOGrAMdatA:~9,2%”, which cmd.exe expands to “CmD” (the first character of C:\ProgramData followed by two characters starting at offset 9).


Figure 3: PowerShell script variable shown in red box

The value of “2khP” shown in the red box in figure 3 is a PowerShell script stored in reverse. (The image of the code shown below was rearranged for readability.) Here we can see that the “PowerShell” string is also obfuscated using the same environment-variable substring trick: “pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll” expands to “powershell”. The script will try to download the EXE payload from one of the following sites:

  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://


Figure 4: Destination download sites shown
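The two “%VAR:~start,len%” constructions above can be resolved offline without running the dropper. The following helper is an added example written for this post (not Cyren’s tooling); it implements cmd.exe’s substring rules against a constructed environment table whose values assume default Windows paths and a console session, and it expands both strings from the macro to “CmD” and “powershell”.

```python
import re

# Constructed environment table. These are default Windows values (assumption:
# a stock Windows 10 host with a console session); real values vary per machine.
SAMPLE_ENV = {
    "PROGRAMDATA": r"C:\ProgramData",
    "PUBLIC": r"C:\Users\Public",
    "SESSIONNAME": "Console",
    "TEMP": r"C:\Users\victim\AppData\Local\Temp",
}

# Matches %NAME:~start% and %NAME:~start,len% (start/len may be negative).
_SUBSTR = re.compile(r"%([^%:]+):~(-?\d+)(?:,(-?\d+))?%")


def cmd_substring(value, start, length=None):
    """Apply cmd.exe substring semantics to an already-expanded variable value.

    A negative start counts back from the end; a negative length means
    "stop that many characters before the end" rather than a count.
    """
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    start = min(start, n)
    if length is None:
        end = n
    elif length < 0:
        end = max(n + length, start)
    else:
        end = min(start + length, n)
    return value[start:end]


def expand_env_substrings(text, env):
    """Resolve every %VAR:~a,b% occurrence in text; variable names are case-insensitive."""
    upper_env = {k.upper(): v for k, v in env.items()}

    def repl(match):
        name, start, length = match.group(1).upper(), int(match.group(2)), match.group(3)
        if name not in upper_env:
            return match.group(0)  # unknown variable: cmd leaves the token literal
        return cmd_substring(upper_env[name], start, None if length is None else int(length))

    return _SUBSTR.sub(repl, text)


def count_substring_expansions(text):
    """Detection aid: benign command lines rarely stitch names together this way."""
    return len(_SUBSTR.findall(text))
```

A count of several expansions inside one Shell command string from a document macro is a strong signal worth alerting on, independent of which interpreter name they resolve to.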

Emotet Config

RSA key:



Indicators of Compromise and Cyren Detection

SHA256                                                           | Object Type | Remarks                | Detection
5748091ed2f71992fac8eda3ca86212d942adfad28cfd7c1574c5f56b4d124d4 | Email       | Your order.eml         | HTML/Downldr.BE
d17017dd6b262beede4a9e3ec41877ee1efcd27f7dff1a50fc1e7de2d45c1783 | DOC         | ORDER_DETAILS_FORM.doc | W97M/Agent.gen
40583fafdb858bef8aace8ae91febbbc98eded8c0590e01fb4fafe269fdf002c | W32 EXE     | compareiface.exe       | W32/Emotet.LD.gen!Eldorado
