Deobfuscating Emotet Macro Document and Powershell command

NetbyteSEC malware analysis team has come across a Microsoft Word malicious document containing macro code. The suspicious email was received by our client before the news of global law enforcement took down the Emotet cyber criminals team.

1.0 Malicious Document Technical Analysis

MD5 Hash




File type

Microsoft Word 97 - 2003 Document (.doc)

Upon opening the malicious document file, a common phishing method uses to bait victims to click the “Enable Content” ribbon button display in Microsoft Word as shown in Figure 1. Normally, a document like this indicates there is macro content in the document. The purpose of lure to enable the content is to allow the execution of malicious macro code inside the word document.

Figure 1: Content of the lure document

Enabling the content will execute the macro embedded in the lure document which will lead to malicious execution activities in the victim’s machine.

A quick analysis using oledump script on the file disclose three macro content in the document sample reside in stream 7, 8, and 9 as follows.

Figure 2: oledump result

Analyzing the content of stream 8 reveals the entry point of the macro which is the document_open procedure was used to execute the macro code whenever the victim opens the malicious document and enables the content

Figure 3: Content of steam 7 and 8 of Oledump

In the stream 8, once the document_open procedure being triggered, a function with a random character name “Iemid5ewh9fn44ue4d will be called which then will execute its code that resides in the stream 9. The VBA file for stream 9 containing 448 lines of macro code uses for the malicious actions explained on the next section.

1.1 Deobfuscating malicious macro

The VBA script containing 448 lines of obfuscated macro code. The macro code was being obfuscated to produce an anti-analysis to make analyst difficult to read and understand the code. This technique is commonly used among cyber threat groups to make obfuscated their code. In this section, the NetbyteSEC malware analysis team will explain the method for deobfuscating the macro.

Figure 4: Snippet of the VBA code

As a solution, debugging the macro code can help to trace each of the content of the variable and dive into the detail of the macro code.

First, the code builds long obfuscated strings and append the strings to the variable name V6x19m6t_qhh. The encoded strings as follow:

wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh bx [ sh bx [ sh bsx [ sh bx [ sh bx [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh bx [ sh bpx [ sh bx [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b

The encoded strings then will be decoded and saved the clear text of the encoded strings in variable G1i061417oxvyh_k as shown in Figure 5.

Figure 5: G1i061417oxvyh_k value

At this point, the macro builds an encoded string and decodes the string to become winmgmts:win32_process indicating the VBA script will be using something related to WMI classes for the next instruction.

Next, the VBA script creating an object which is the winmgmts:win32_process, and sets it to variable F_yz9ots5y0q916g as shown in Figure 6 below.

Figure 6: F_yz9ots5y0q916g value

Inspecting the local variable F_yz9ots5y0q916g will show that the variable has become the SWbemObjectEx object which normally can be abused to execute a command line.

Figure 7: F_yz9ots5y0q916g became SWbemObjectEx

The macro code then builds another encoded string and append the strings to the variable name V6x19m6t_qhh again. The encoded string is a bit different from the previously encoded string. The encoded string built as follows:

x [ sh bx [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh b/x [ sh bcx [ sh b x [ sh bmx [ sh b^x [ sh bsx [ sh b^x [ sh bgx [ sh b x [ sh b%x [ sh bux [ sh bsx [ sh bex [ sh brx [ sh bnx [ sh bax [ sh bmx [ sh bex [ sh b%x [

Figure 8: Decoding encoded strings

Next, the encoded string will be decoded and save into variable G1i061417oxvyh_k shown in the above Figure 8.

Inspecting the variable, the decoded strings are actually a cmd command line of msg and base64 PowerShell line. To view the malicious command line, adding a MsgBox line to the variable will display the full command line to our screen as shown in Figure 9.

Figure 9: Malicious command line generated

Finally, the macro will execute the command using winmgmts:win32_process explained before and exit the macro.

Figure 10: Execute command

The command line will first run the command msg to send a message to a user. The figure below shows the message box that will be displayed to the victim once the Macro is executed.

Figure 11: Msg command

The encoded PowerShell command will be explained in the next section.

1.2 Deobfuscating encoded PowerShell command line

Retrieving the encoded PowerShell command-line reveals that the executed command is actually a long-encoded line than it shows in the MsgBox shown in figure 9 in the previous section.

Figure 12: Powershell command

Decoding the encrypted base64 strings will give this output as follows:

Figure 13: Decoded Powershell base64 line

After removing a lot of garbage characters and cleaning the code to more readable and understandable code, the result shows as follows:

Figure 14: Clean code of the obfuscated Powershell

In summary of the above code, the PowerShell first creates a directory and subdirectory name %UserProfile%/Scnfrf7\Pb6asvf. After that, the code assigns seven URL strings to variable $URL which then will be used in the next block of code of for-each statement. The for-each statement will get the element of the array in the variable $URL and download the DLL file. The file that being download will be saved as O66D.dll at the created directory %UserProfile%/Scnfrf7\Pb6asvf. If the executable file has a length of more than value 32360, the code will continue to execute the DLL using the rundll32 utility with the string “AnyString” as its first parameter. Vice versa, if it is lower than the value 32360 or the file not available in the directory, the code will be break and exit.

1.3 URL check

Navigating and download the content of all URLs only brings to the error page. Thus, retrieving the DLL file is failed.

Figure 15: Fiddler result

Checking all the URLs we found in figure 14 with URLhaus Database shows that all the URLs were tagged as Emotet malware URL.

Moreover, one of the samples that identically same macro code and PowerShell command pattern were found in JoeSandbox public submission. The result of the JoeSandbox detects the sample document as Emotet.

Figure 16:

2.0 IOCs

The following MD5 hashes are associated with this Emotet malware analysis:
  1. 809928addbff4e5f9b7d9f55e0ac88e9 - file-20210122-QRN6275.doc
  2. bde8abd3c29befafb3815d9b74785a3c - VBA file
  3. 1542602628751eb95eecd6c00ff5cee8 - O66D.dll
The following domain names are associated with this Emotet malware analysis:
  1. (Mail Server)
  2. hxxp://www.pcsaha[.]com/wp-content/fG1tM/
  3. hxxp://rosvt[.]com/img/9h1Q/
  4. hxxp://skver[.]net/benjamin-moore-xha9o/t/
  5. hxxp://fultonandassociates[.]com/administrator/IUHeit/
  6. hxxp://zippywaytest.toppermaterial[.]com/wp-admin/wwbJ/
  7. hxxp://admin.toppermaterial[.]com/js/jGcwS/
  8. hxxp://notebook03[.]com/templates/G2Ay/