Emotet! (09-16-2019) – Document Analysis


No, not like James Brown, but after a long summer of lounging by the Black Sea, Emotet has started spamming once again. I’ll be working off of this document here.

Using OfficeMalScanner, we can rip out the macros from the document. We can see the typical Sub autoopen() kicking things off. Looking through the code we can see it creating objects and sewing various variables together.


Opening the document, we can see the new document theme. It’s from here that we can step through the macros and see how they’re all working together.Emotet2.png

While it can be interesting to step through the document, I’ve explained how to do that on this blog before. I created a stripped down version where I pulled out the main pieces of code that actually do anything. The “powershell -enco…” string is in green. wpLnXI starts WmiPrvSE.exe which calls up powershell in turn.


So while the macro has changed up a bit since last spring, the encoded powershell certainly hasn’t. Let’s decode that base-64 code using CyberChef.


Once again, this is not overly complicated. After you’ve undone the base-64 string, use Remove null bytes to clean it up. Split and Extract URLs will complete the job and you ought to be good to go!


Thanks for reading.