Analysing the Emotet maldoc

I have been analysing maldocs for few days . I analysed two variants of emotet but i will write about only one variant . This will be a static analysis . First download the samples from here:

I dumped the macros using oledump .

The streams with M/m contains the macro . I then dumped the streams using the command “ -s 16 -v file” . Next i checked the entry point

Entry function :Tbcepkcgnhpwx

I kept dumping every streams . I found this file .

It was a big script and it was obsucated . I kept looking at the code . A certain function caught my attention . Create huh ? I think its something related to process .

I then decided to use another tool called olevba . It can detect certain functions used by the script . The create function was creating a process . I think its powershell as all the maldocs do . I thought of debugging the vb script but before that i ran the strings command

Do you see something common ? A certain string (====dsfnnJJJsm388//=) is repeating every time . I decided to make a python script to remove the string and i found a base64 string . After decoding that i found the powershell command

On a high level it just iterates through an array of websites to download the malware and run it . Here is the any run link

I am a hacker and ex-web developer . I sometime work as a freelance dev/hacker . Sometime I hunt bugs