A Method To Extract Emotet Payload URLs

For a long time, many of us have tried to keep pace with the Emotet threat actors as they regularly change the macro obfuscation methods they use. It’s a cat and mouse game. Just as soon as you figure out how to deobfuscate the macros, they change things up and you’re back to the start.

I’ll admit, the game is fun. It can also be educational. At the same time, it’s also really inefficient. Let’s face it, all that we’re really after are the Emotet payload URLs. Also, when you have dozens (or hundreds) of Word documents to examine, you need a solution that doesn’t have you fishing through documents one at a time.

After many months of being led around by the nose by the Emotet threat actors, I decided to try to find a way to look past the macros and just grab the payload URLs.

I’ve seen a number of attempts to do this that were really clever and did exactly what I wanted: just produce the payload URLs. The problem is, these methods are great only if one has a few documents to examine.

Finally, after being myopic about the macros, I realized that I don’t need to even think about the macros. When the Emotet maldocs are opened, they immediately start calling out to try to download the Emotet payload. Let’s let that happen, but without an internet connection. In a nutshell, the method I came up with is to use a Windows 7 VM with Microsoft Word and no internet connection. I use Fiddler to log all of the internet traffic (or, more accurately, internet traffic attempts). This works because Fiddler registers itself as the system proxy: the downloader hands it the full request URL before any connection to the real host is attempted, so the URL is logged even though the request can never succeed. The VM must have no route to the internet at all (no NAT adapter, not merely a disconnected browser), because with network access the macros would actually fetch and run the Emotet binary.

The specifics are like this:
1. Open Fiddler – be sure it’s capturing traffic (you might want to filter out any other

2. Open Word – be sure to set your macro settings (Trust Center > Macro Settings) to Enable All Macros. Do this only in the throwaway VM.

3. Close any open Word documents and then drag and drop all of the Emotet sample documents that you have onto the open instance of Word.
Note: be sure you have enough system resources assigned to your VM for this, and take a VM snapshot beforehand so you can revert to a clean state once the URLs are collected.

4. Now, monitor the traffic in Fiddler – you should see all of the payload URLs being tried and logged. Every request will fail (Fiddler answers with its own 502 error page because it cannot reach the host), but the full URL is in the session list. Be sure to leave the documents (and Fiddler) open long enough to record all of the URLs; the downloaders typically walk through several URLs in turn when each one fails.

5. Select all of the Fiddler entries for the payload URLs and press CTRL-U – this copies just the URLs to the clipboard.

6. Paste into Notepad (or your text editor of choice).

Now you have all of the Emotet Payload URLs without worrying about whatever new obfuscation tricks are being used to hide what the macros are doing.
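With dozens or hundreds of documents, the pasted list contains duplicates and the background chatter an offline Windows VM produces on its own (CRL and OCSP fetches, Windows Update, Office telemetry, Fiddler’s own update check). The following script is an added example, not part of the original post or of Fiddler: it triages either the Ctrl-U paste saved to a text file or a Fiddler session export (File > Save > All Sessions, a .saz file, which is a zip whose raw/NN_c.txt entries hold each client request). It drops the noise, dedupes, defangs the host names and, for .saz input, reports the User-Agent that made each request. The noise patterns, the assumption that origin-form requests are plain HTTP, and the sample capture built by sample_saz() are all constructed for this example and use reserved example domains, not real Emotet infrastructure.

```python
"""Triage payload URLs captured by Fiddler while detonating maldocs offline.

Added example, not the article's or Fiddler's own tooling. Input is either
the Ctrl-U paste (one URL per line) or a Fiddler .saz export.
"""
import io
import re
import sys
import zipfile
from collections import OrderedDict
from urllib.parse import urlsplit

# Background traffic of an offline Windows/Office VM. Assumed list for the
# example; extend it for your own VM image after a clean baseline run.
NOISE_HOSTS = re.compile(
    r"(^|\.)(microsoft|windowsupdate|msftncsi|office|live|digicert|"
    r"globalsign|fiddler2|telerik|bing|msn)\.(com|net)$", re.I)
NOISE_PATHS = re.compile(r"\.crl$|/ocsp\b", re.I)

REQUEST_LINE = re.compile(rb"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d\r?$", re.M)
HOST_HDR = re.compile(rb"^Host:\s*(\S+)\s*$", re.M | re.I)
UA_HDR = re.compile(rb"^User-Agent:\s*(.*?)\s*$", re.M | re.I)


def parse_request(raw: bytes):
    """Return (url, user_agent) for one raw client request, or None.

    A proxied HTTP request carries an absolute request-target. CONNECT
    tunnels carry only host:port, so they are reported as https://host/.
    Origin-form requests are rebuilt from the Host header and assumed to
    be plain HTTP (cross-check decrypted HTTPS sessions in Fiddler itself).
    """
    m = REQUEST_LINE.search(raw)
    if not m:
        return None
    method = m.group(1).decode()
    target = m.group(2).decode(errors="replace")
    ua_m = UA_HDR.search(raw)
    ua = ua_m.group(1).decode(errors="replace") if ua_m else ""
    if method == "CONNECT":
        return "https://%s/" % target.rsplit(":", 1)[0], ua
    if target.startswith(("http://", "https://")):
        return target, ua
    host_m = HOST_HDR.search(raw)
    if not host_m:
        return None
    return "http://%s%s" % (host_m.group(1).decode(), target), ua


def urls_from_saz(saz):
    """Collect (url, ua) from every raw/*_c.txt inside a Fiddler .saz zip."""
    out = []
    with zipfile.ZipFile(saz) as zf:
        for name in sorted(zf.namelist()):
            if name.startswith("raw/") and name.endswith("_c.txt"):
                rec = parse_request(zf.read(name))
                if rec:
                    out.append(rec)
    return out


def urls_from_text(text: str):
    """Accept the Ctrl-U paste: one URL per line, no User-Agent available."""
    return [(line.strip(), "") for line in text.splitlines() if line.strip()]


def is_noise(url: str) -> bool:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return bool(NOISE_HOSTS.search(host)) or bool(NOISE_PATHS.search(parts.path))


def defang(url: str) -> str:
    """Defang scheme and host only; the path is left intact for matching."""
    p = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(p.scheme, p.scheme)
    host = (p.hostname or "").replace(".", "[.]")
    port = ":%d" % p.port if p.port else ""
    query = "?" + p.query if p.query else ""
    return "%s://%s%s%s%s" % (scheme, host, port, p.path, query)


def triage(records):
    """Drop noise, dedupe in first-seen order, return [(defanged_url, ua)]."""
    seen = OrderedDict()
    for url, ua in records:
        if is_noise(url) or url in seen:
            continue
        seen[url] = ua
    return [(defang(u), ua) for u, ua in seen.items()]


def sample_saz() -> io.BytesIO:
    """Constructed .saz with five sessions (example domains, not real IOCs)."""
    payload = (b"GET http://www.example.com/wp-content/uploads/doc.exe HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)\r\n\r\n")
    sessions = [
        payload,
        b"CONNECT example.net:443 HTTP/1.1\r\nHost: example.net:443\r\n\r\n",
        b"GET http://crl.example.org/root.crl HTTP/1.1\r\nHost: crl.example.org\r\n\r\n",
        b"GET http://www.fiddler2.com/UpdateCheck.aspx?isBeta=False HTTP/1.1\r\n"
        b"Host: www.fiddler2.com\r\n\r\n",
        payload,  # a second document trying the same URL: deduped
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, raw in enumerate(sessions, 1):
            zf.writestr("raw/%02d_c.txt" % i, raw)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else None
    if src is None:
        records = urls_from_saz(sample_saz())  # demo on the constructed capture
    elif src.lower().endswith(".saz"):
        records = urls_from_saz(src)
    else:
        with open(src, encoding="utf-8", errors="replace") as fh:
            records = urls_from_text(fh.read())
    for url, ua in triage(records):
        print("%s\t%s" % (url, ua))
```

Run it with no arguments to see the constructed capture reduced to the two real requests, or point it at your own .saz or pasted URL list. Do a baseline run against a clean document first and add whatever the idle VM fetches to NOISE_HOSTS, otherwise telemetry will pollute the IOC list.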

Article Link: https://executemalware.com/?p=540