VirusTotal sample – c9bdfb2d6ac9e493bc391b2f64b48d8d5cde10645ea921951b23112e6d73545c
File Type: Microsoft Word Document
Document Property:
I have used Oletools to analyse word document properties and analyse content.
This word document has VBA macros.
After parsing word document using olevba, this tells, file has suspicious hex string and Base64 strings.
And file has below macros,
- LUDoB_BX.cls
- fkkkCAk.bas
- ZAAcAA.bas
And macros will auto execute on opening document
I start debugging macros in word document,
After Enable Editing, Open View Macros under View tab
Click on Edit and change autoopen() function to autoopen2().
during debugging, I got the below values are stored in the variable YAAAAAA and it is reading registry key values.
while debugging, I captured traffic using WireShark and found, connection has been made to web site emseenerji[.]com at IP 94[.]73[.]147[.]237. URL is still alive and can be accessed.
The complete URL which was accessed by this program http:// emseenerji[.]com/wp-content/RRKu/
My host machine AV blocked this URL and I couldn’t analyze traffic further from this URL to my VM.
Thank you.
Article Link: https://malwr-analysis.com/2019/03/16/emotet-malware-analysis/