Deobfuscating Emotet Macro Document and Powershell command
NetbyteSEC malware analysis team has come across a Microsoft Word malicious document containing macro code. The suspicious email was received by our client before the news of global law enforcement took down the Emotet cyber criminals team.
1.0 Malicious Document Technical Analysis
Microsoft Word 97 - 2003 Document (.doc)
Upon opening the malicious document file, a common phishing method uses to bait victims to click the “Enable Content” ribbon button display in Microsoft Word as shown in Figure 1. Normally, a document like this indicates there is macro content in the document. The purpose of lure to enable the content is to allow the execution of malicious macro code inside the word document.
Enabling the content will execute the macro embedded in the lure document which will lead to malicious execution activities in the victim’s machine.
A quick analysis using oledump script on the file disclose three macro content in the document sample reside in stream 7, 8, and 9 as follows.
Analyzing the content of stream 8 reveals the entry point of the macro which is the document_open procedure was used to execute the macro code whenever the victim opens the malicious document and enables the content
In the stream 8, once the document_open procedure being triggered, a function with a random character name “Iemid5ewh9fn44ue4d” will be called which then will execute its code that resides in the stream 9. The VBA file for stream 9 containing 448 lines of macro code uses for the malicious actions explained on the next section.
1.1 Deobfuscating malicious macro
The VBA script containing 448 lines of obfuscated macro code. The macro code was being obfuscated to produce an anti-analysis to make analyst difficult to read and understand the code. This technique is commonly used among cyber threat groups to make obfuscated their code. In this section, the NetbyteSEC malware analysis team will explain the method for deobfuscating the macro.
1.2 Deobfuscating encoded PowerShell command line
1.3 URL check
- 809928addbff4e5f9b7d9f55e0ac88e9 - file-20210122-QRN6275.doc
- bde8abd3c29befafb3815d9b74785a3c - VBA file
- 1542602628751eb95eecd6c00ff5cee8 - O66D.dll
- 126.96.36.199 (Mail Server)