Close this search box.

Christmas Eve Warning! Malware Targeting Amazon Shoppers


Shopping for Christmas gifts has never been easier, especially with Amazon—and who doesn’t use Amazon? This is why using fake Amazon orders is a favorite method bad actors have been using this time of year to bait rushed Christmas shoppers. As a warning to anybody (everybody?) caught up in receiving last-minute Amazon deliveries, we’ve come across a malicious email campaign (see image below) to install a variant of the Emotet malware, a polymorphic banking Trojan that is virtual machine-aware and primarily functions as a downloader or dropper of other malware such as spyware and ransomware.

The gift that keeps on giving 

Since it’s a Trojan, that means the malicious campaign could have one of many objectives (or multiple objectives!)—once a user has installed it, what happens next depends on what module the cybercriminal decides to deploy, although it’s usually a module intended to steal passwords or to steal emails.

shopping for emotet amazon

Figure 1: Fake email pretending to be an Amazon order confirmation

The above email, which appears to be an order confirmation from Amazon, is anything but—it is part of a large malware campaign which is proving very active during this Christmas 2018 holiday season. If the recipient is puzzled by the suggestion of an Amazon order they don’t believe they made (which they didn’t) and clicks on the order details button, a file named “ORDER_DETAILS_FORM.doc” is downloaded that contains a malicious macro, and the user is asked to enable the content.

shopping for emotet office 365

Figure 2: User is asked to enable content to view online Word doc

Under the hood: Garbage code and obfuscation used

Checking the contents of the macro code, at first glance it appears to be obfuscated. But careful inspection reveals that most of it is just garbage code. The important part is the interaction where the Shell method executes a command line.

shopping for emotet code snippet

Figure 3: Shell method executed command line

The shell command content is also a bit obfuscated, including a directory traversal at the start of the command and uses: “%PROGRaMDatA:~0,1%%prOGrAMdatA:~9,2%” which is equal to “CmD”

PowerShell script variable shown in red box

Figure 3: PowerShell script variable shown in red box

The value of “2khP” shown in the red box in figure 3 is a PowerShell script which is reversed. (The image of the code shown below was organized for readability.) Here we can see that the “PowerShell” string is also obfuscated by using “pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll”. The script will try and download the EXE payload on one of the following sites:

  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://

 Destination download sites shown

Figure 4: Destination download sites shown

Emotet Config

RSA key:



Indicators of Compromise and Cyren Detection

SHA256 Object Type Remarks Detection
5748091ed2f71992fac8eda3ca86212d942adfad28cfd7c1574c5f56b4d124d4 Email Your order.eml HTML/Downldr.BE
d17017dd6b262beede4a9e3ec41877ee1efcd27f7dff1a50fc1e7de2d45c1783 DOC ORDER_DETAILS_FORM.doc W97M/Agent.gen
40583fafdb858bef8aace8ae91febbbc98eded8c0590e01fb4fafe269fdf002c W32 EXE compareiface.exe W32/Emotet.LD.gen!Eldorado