In this part I will analyze the downloaded macro malware and the PowerShell script that downloads the Emotet malware.
Macro Code:
Sha1: 8f6842f143d7df880c7bdb7219545be28f2ccc63
FileName: BVS-INV-9563373426884.doc
Sha256: f315565e9c9b5b80b563a607e590043cc635b06cc0fbffc790bbd8d5d196445f
The document uses the common social-engineering lure that malware authors rely on to trick the user into enabling macros.
fig. 1 - the malicious document
Using Didier Stevens' oledump.py tool, we can see that the Word document contains macro code.
fig. 2 - macro document info
By extracting the macro from the two streams, "8" and "15", we can see that the macro concatenates several strings that were initialized in randomly named variables.
fig. 3 - macro code
fig. 4 - how it executes the concatenated string
So by using "Debug.Print" on the concatenated string, we can extract the whole PowerShell command it tries to execute.
fig. 5 - the PowerShell it tries to execute
The PowerShell Code:
The PowerShell is interesting because it is encrypted, a technique used to hide the actual code it will execute.
fig. 6 - the PowerShell code
The encryption is a simple XOR with the key 0x3a, so with a short Python script we can decrypt it and see the actual code: it downloads an executable from a malicious URL, saves it to the %temp% directory, and runs it by invoking the Start-Process cmdlet.
fig. 7 - Python decryption script
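As an added example (not the script from the post), the decoder below XORs a captured blob with the 0x3a key and, going one step beyond the post's case, recovers a single-byte key when it is not readable from the dropper. The sample plaintext is a constructed, harmless line, not the real payload.

```python
# Added example, not the post's own script: decode a single-byte XOR-obfuscated
# PowerShell stage. The key 0x3a is the one the analysis reports; the sample
# plaintext below is constructed for the demo and is not the real payload.
import string

KEY = 0x3A


def xor_decode(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with a one-byte key; the same call also encodes."""
    return bytes(b ^ key for b in data)


def _text_score(candidate: bytes) -> int:
    """Heuristic: reward lowercase letters and spaces, punish non-printables."""
    printable = set(string.printable.encode())
    score = 0
    for b in candidate:
        if b not in printable:
            score -= 5
        elif b == 0x20 or 0x61 <= b <= 0x7A:
            score += 1
    return score


def recover_single_byte_key(data: bytes) -> int:
    """Try all 256 keys and return the one whose output looks most like text.
    This generalizes the post's case, where the key was read from the script."""
    return max(range(256), key=lambda k: _text_score(xor_decode(data, k)))


# Constructed sample: a harmless PowerShell line, XOR-encoded with 0x3a.
SAMPLE_PLAINTEXT = b"Write-Host 'constructed sample - not the real payload'"
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    key = recover_single_byte_key(SAMPLE_ENCODED)
    print(f"recovered key: {key:#04x}")
    print(xor_decode(SAMPLE_ENCODED, key).decode())
```

To use it on a real sample, load the raw encoded bytes from the dropper into `data` and call `xor_decode(data)`; the key-recovery heuristic assumes the decoded stage is ordinary ASCII script text.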
fig. 8 - decrypted PowerShell code
Back to the first analysis: