I have been analysing maldocs for few days . I analysed two variants of emotet but i will write about only one variant . This will be a static analysis . First download the samples from here:https://github.com/jstrosch/malware-samples/blob/master/maldocs/emotet/2020/January/samples.zip
I dumped the macros using oledump .
The streams with M/m contains the macro . I then dumped the streams using the command “oledump.py -s 16 -v file” . Next i checked the entry point
I kept dumping every streams . I found this file .
It was a big script and it was obsucated . I kept looking at the code . A certain function caught my attention . Create huh ? I think its something related to process .
I then decided to use another tool called olevba . It can detect certain functions used by the script . The create function was creating a process . I think its powershell as all the maldocs do . I thought of debugging the vb script but before that i ran the strings command
Do you see something common ? A certain string (====dsfnnJJJsm388//=) is repeating every time . I decided to make a python script to remove the string and i found a base64 string . After decoding that i found the powershell command
On a high level it just iterates through an array of websites to download the malware and run it . Here is the any run link https://app.any.run/tasks/06d08be6-3b5e-463b-8fa4-0134a83c978f/