This post was authored by Fareed.
NetbyteSEC malware analysis team has come across a Microsoft Word malicious document containing macro code. The suspicious email was received by our client before the news of global law enforcement took down the Emotet cyber criminals team.
1.0 Malicious Document Technical Analysis
|
MD5 Hash
|
809928addbff4e5f9b7d9f55e0ac88e9
|
|
Filename
|
file-20210122-QRN6275.doc
|
|
File type
|
Microsoft
Word 97 - 2003 Document (.doc)
|
Upon opening the malicious document file, a common phishing method uses to bait victims to click the “Enable Content” ribbon button display
in Microsoft Word as shown in Figure 1. Normally, a document like this
indicates there is macro content in the document. The purpose of lure to enable
the content is to allow the execution of malicious macro code inside the word
document.
Figure 1: Content of the lure
document
Enabling the content will execute the macro embedded in the
lure document which will lead to malicious execution activities in the victim’s
machine.
A quick analysis using oledump script on the file
disclose three macro content in the document sample reside in stream 7, 8, and
9 as follows.
Figure 2: oledump result
Analyzing the content of stream 8 reveals the entry point of
the macro which is the document_open procedure was used to execute the macro
code whenever the victim opens the malicious document and enables the content
Figure 3: Content of steam 7
and 8 of Oledump
In the stream 8, once the document_open procedure
being triggered, a function with a random character name “Iemid5ewh9fn44ue4d”
will be called which then will execute its code that resides in the stream 9. The
VBA file for stream 9 containing 448 lines of macro code uses for the malicious
actions explained on the next section.
1.1 Deobfuscating malicious macro
The VBA script containing 448 lines of obfuscated macro
code. The macro code was being obfuscated to produce an anti-analysis to make
analyst difficult to read and understand the code. This technique is commonly
used among cyber threat groups to make obfuscated their code. In this section,
the NetbyteSEC malware analysis team will explain the method for deobfuscating
the macro.
Figure 4: Snippet of the VBA code
As a solution, debugging the macro code can help to trace each of the content of the variable and dive into the detail of the macro code.
First, the code builds long obfuscated strings and append the strings to the variable name V6x19m6t_qhh. The encoded strings as follow:
wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh bx [ sh bx [ sh bsx [ sh bx [ sh bx [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh bx [ sh bpx [ sh bx [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b
The encoded strings then will be decoded and saved the clear text of the encoded strings in variable G1i061417oxvyh_k as shown in Figure 5.
Figure 5: G1i061417oxvyh_k value
At this point, the macro builds an encoded string and decodes the string to become winmgmts:win32_process indicating the VBA script will be using something related to WMI classes for the next instruction.
Next, the VBA script creating an object which is the winmgmts:win32_process, and sets it to variable F_yz9ots5y0q916g as shown in Figure 6 below.
Figure 6: F_yz9ots5y0q916g value
Inspecting the local variable
F_yz9ots5y0q916g will show that the variable has become the
SWbemObjectEx object which normally can be abused to execute a command line.
Figure 7: F_yz9ots5y0q916g became SWbemObjectEx
The macro code then builds another encoded string and append the strings to the variable name V6x19m6t_qhh again. The encoded string is a bit different from the previously encoded string. The encoded string built as follows:
x [ sh bx [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh b/x [ sh bcx [ sh b x [ sh bmx [ sh b^x [ sh bsx [ sh b^x [ sh bgx [ sh b x [ sh b%x [ sh bux [ sh bsx [ sh bex [ sh brx [ sh bnx [ sh bax [ sh bmx [ sh bex [ sh b%x [
Figure 8: Decoding encoded strings
Next, the encoded string will be decoded and save into variable G1i061417oxvyh_k shown in the above Figure 8.
Inspecting the variable, the decoded strings are actually a cmd command line of msg and base64 PowerShell line. To view the malicious command line, adding a MsgBox line to the variable will display the full command line to our screen as shown in Figure 9.
Figure 9: Malicious command line generated
Finally, the macro will execute the command using winmgmts:win32_process explained before and exit the macro.
Figure 10: Execute command
The command line will first run the command msg to send a message to a user. The figure below shows the message box that will be displayed to the victim once the Macro is executed.
Figure 11: Msg command
The encoded PowerShell command will be explained in the next section.
1.2 Deobfuscating encoded PowerShell command line
Retrieving the encoded PowerShell command-line reveals that the executed command is actually a long-encoded line than it shows in the MsgBox shown in figure 9 in the previous section.
Figure 12: Powershell command
Decoding the encrypted base64 strings will give this output as follows:
Figure 13: Decoded Powershell base64 line
After removing a lot of garbage characters and cleaning the code to more readable and understandable code, the result shows as follows:
Figure 14: Clean code of the obfuscated Powershell
In summary of the above code, the PowerShell first creates a directory and subdirectory name %UserProfile%/Scnfrf7\Pb6asvf. After that, the code assigns seven URL strings to variable $URL which then will be used in the next block of code of for-each statement. The for-each statement will get the element of the array in the variable $URL and download the DLL file. The file that being download will be saved as O66D.dll at the created directory %UserProfile%/Scnfrf7\Pb6asvf. If the executable file has a length of more than value 32360, the code will continue to execute the DLL using the rundll32 utility with the string “AnyString” as its first parameter. Vice versa, if it is lower than the value 32360 or the file not available in the directory, the code will be break and exit.
1.3 URL check
Navigating and download the content of all URLs only brings to the error page. Thus, retrieving the DLL file is failed.
Figure 15: Fiddler result
Checking all the URLs we found in figure 14 with URLhaus Database shows that all the URLs were tagged as Emotet malware URL.
Moreover, one of the samples that identically same macro code and PowerShell command pattern were found in JoeSandbox public submission. The result of the JoeSandbox detects the sample document as Emotet.
Figure 16: https://www.joesandbox.com/analysis/343392/0/html
2.0 IOCs
The following MD5 hashes are associated with this Emotet malware analysis:
- 809928addbff4e5f9b7d9f55e0ac88e9 - file-20210122-QRN6275.doc
- bde8abd3c29befafb3815d9b74785a3c - VBA file
- 1542602628751eb95eecd6c00ff5cee8 - O66D.dll
The following domain names are associated with this Emotet malware analysis:
- 213.82.114.106 (Mail Server)
- hxxp://www.pcsaha[.]com/wp-content/fG1tM/
- hxxp://rosvt[.]com/img/9h1Q/
- hxxp://skver[.]net/benjamin-moore-xha9o/t/
- hxxp://fultonandassociates[.]com/administrator/IUHeit/
- hxxp://zippywaytest.toppermaterial[.]com/wp-admin/wwbJ/
- hxxp://admin.toppermaterial[.]com/js/jGcwS/
- hxxp://notebook03[.]com/templates/G2Ay/
