A Fun CTF-Like Malware

From a Twitter post by InQuest, we analyzed an interesting malware:

Encrypted MS Office Document, VBA, Windows Link File (LNK), OLE objects, Windows Help Files (CHM), PNG steganography and Powershell.

SHA256: 46AFA83E0B43FDB9062DD3E5FB7805997C432DD96F09DDF81F2162781DAAF834

The analysis should take about 15-20 minutes in Cerbero Suite.

Highly recommended!

SPOILER ALERT: The images below show all the steps of our analysis.

Video: Emotet MS Office Malware 150-Seconds Analysis

This Microsoft Office document belongs to the Emotet malware campaign and as part of its obfuscation strategy uses the content of text boxes from its VBA code. In the upcoming Cerbero Suite 5.1 we have simplified the analysis of text controls by previewing their name in the format view.

The script below deobfuscates the VBA code.

from Pro.UI import *

v = proContext().findView("Analysis [VBA code]")
if v.isValid():
    s = v.getText()
    lines = s.split("\n")
    new_lines = []
    for line in lines:
        if line.strip().startswith(("'", "Debug.Print")):
        while True:
            i = line.rfind("'")
            if i == -1:
            line = line[:i]

Video: In-Depth Obfuscated VBA Analysis

This script concatenates strings such as “a” + “b”:

from Pro.UI import *
import re

ctx = proContext()
v = ctx.getCurrentView()
if v.isValid() and v.hasSelection():
    s = v.getSelectedText().replace('" &', '" +')
    s = eval(s)
    v.setSelectedText('"' + s + '"')

This second script decrypts strings the same way as the “NobosMeik” function:

from Pro.UI import *
import base64

ctx = proContext()
v = ctx.getCurrentView()
if v.isValid() and v.hasSelection():
    s = v.getSelectedText()
    s = base64.b64decode(s)
    key = b"versache"
    s2 = bytearray(s)
    y = 0
    tire = lambda r, g: (r & ~g) | (~r & g)
    for x in range(len(s)):
        s2[x] = tire(s2[x], key[y])
        if y < len(key) - 1:
            y += 1
            y = 0