Emotet Maldoc Analysis – Embedded DLL and CertUtil for Base64 Decoding

On 11/10/2020, AnyRun posted an Emotet maldoc that utilized CertUtil to decode a DLL payload that was used for unpacking and running the Emotet trojan. This is a deviation from normal use of obfuscated base64 PowerShell command as well as embedding the DLL into the maldoc instead of retrieving from a compromised host. This video provides analysis of the document using both static and dynamic techniques, as well as a walk-through of the macro code. The original Tweet from AnyRun can be found at: https://twitter.com/anyrun_app/status/1326157565840023553 Analysis of an Emotet document that uses PowerShell from earlier this year can be found…

Read more

Removing Passwords from VBA Projects

Occasionally I’ll encounter a maldoc that has a password-protected VBA project. While tools such as oledump may still extract the macros, the password protection is typically encountered when accessing the project through the Office/VBA IDE (which I typically use for dynamic analysis). This happens rare enough that I often forget the steps of removing the password so thought I’d start collecting possible solutions. Word – 2007+ Sample MD5: dc989fa836fa93fe1f158fa490382686Any.Run: https://app.any.run/tasks/dd8ae979-4afc-44ac-99d2-3b57f9d6e2b1Hybrid-Analysis: https://www.hybrid-analysis.com/sample/4bb275b253db05bfa23a677d3db8f78cef0d633bbef19d05e37780f61577153c?environmentId=100 With this type of document, you can rename the original file with a .zip extension, this will allow you to explore the contents. This type of file uses the…

Read more

Maldoc uses Windows API to perform process hollowing

A favorite technique by malware authors is to use macros in their office documents to utilize a normal system executable and replace the code inside, a technique known as “process hollowing”. The primary goal of this post is to identify this technique and understand how it is employed. I’ve also posted a video that walks through shellcode analysis using Ghidra on YouTube Starting with the Macros To get started, inspect the macros and see where the code begins execution. For this document, this begins with the Document_Open function – which can be found in the ThisDocument stream. As is often…

Read more

Anti-Analysis in JavaScript Executed by Windows Script Host (WSH)

It’s common to see malicious office documents drop a JavaScript (JS) file to be executed by the Windows Script Host (WSH). The JS can then be used to create the necessary objects to create HTTP requests to retrieve and execute the next stage payload. For example, here is a document that drops the JS and executes it via CMD -> WSCRIPT (you can also see the use of CSCRIPT): What caught my eye with this sample was that there was no associated network traffic. While that doesn’t guarantee that the document didn’t achieve it’s objectives, I felt it was worth…

Read more

Anti-Analysis in an Office Document

Please note: This was a blog post I originally authored for Bromium. Due to changes in how they host their blog content, it has fallen into the archives and become somewhat difficult to find. I’m posting this content here mainly as an archive. Office documents have been a favorite method of distribution for malware authors for several years. While most malware authors go to great lengths to hide the intention of their macros through obfuscation, it is seldom that I’ve encountered macros that also exhibit anti-analysis techniques. I recently examined an office document that contained such capabilities. You can find…

Read more