Anyone who's been tracking the evolution of prevalent malware families may or may not have heard that the developers behind Emotet re-emerged earlier this year with a new variant, which included a new delivery method. In this brief blog post, I grab one of those .xls droppers and show you how, using nothing but an isolated VM and Microsoft Excel itself, you can pull some IOCs and get an idea of what's going on.
File type: Microsoft Excel Sheet 97-2003 Workbook
Thrown for a Loop
I started taking a look at the specimen by running zipdump against it, which produced the following output:
Taking a look at each of the streams, nothing significant came up. I then took a look with olevba, and it supposedly detected XLM macro content:
Still, the content wasn't very conclusive or indicative of what was going on behind the scenes. I ran strings against the file and was able to identify the domains within it:
I wasn't satisfied with this. Why was none of my usual tooling functioning as expected? I pivoted over to my Windows FLARE VM with Microsoft Office and opened the file there.
Keep It Simple
The first thing I did was add the Developer tab to the Microsoft Office ribbon at the top. This can be done by going to "File > Options > Customize Ribbon > Main Tabs > Developer." This allows you to then select items like "Visual Basic" and "Macros" from the toolbar.
From there, I clicked on "Visual Basic." This then showed me that there were actually multiple sheets within the workbook (which were not visible upon initially opening the file). I saw that each of these had the "Visible" property set to "0 - xlSheetHidden."
I changed that setting on all of the sheets, saved the changes, and closed out of Microsoft Visual Basic for Applications. The first thing I noticed is that now there were multiple sheets available at the bottom of the screen.
When I clicked on sheet Vv1, it was an alphabet soup. Each letter was the result of a function that looked something like this:
So it was a chessboard of arbitrary ASCII characters, each one the result of a computed character code.
Sheet Vv2 had the staging domains for the follow-on stage of the malware. In other words, it had the URLs that the file would try to call out to in an effort to download the actual badness. I could tell this was its purpose because "URLDownloadToFileA" appears in fragments on the same sheet.
Lastly, sheet Vv3 had the downloaded file names as they would be saved on the compromised endpoint. These were the result of a formula that would grab characters from Sheet Vv1 and combine them to create an ASCII string. It also did this with "regsvr32.exe," which would be used to execute the malicious download.
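To show how the three hidden sheets fit together, here is an added example (my own code, not from the original post) that models a constructed mini-workbook in the same shape: a Vv1 grid of CHAR() cells, a Vv2 sheet holding the API name in fragments plus a placeholder staging URL, and a Vv3 formula that concatenates Vv1 references back into "regsvr32.exe". The evaluator resolves CHAR() and & concatenation only, which is all this layout needs; the cell formulas and the URL are constructed, not the specimen's.

```python
import re

# Constructed mini-workbook mimicking the layout the post describes. None of
# these formulas are the specimen's own; the URL is a placeholder.
SHEETS = {
    "Vv1": {"A1": "=CHAR(114)", "B1": "=CHAR(101)", "C1": "=CHAR(103)",
            "A2": "=CHAR(115)", "B2": "=CHAR(118)", "C2": "=CHAR(51)",
            "A3": "=CHAR(50)",  "B3": "=CHAR(46)",  "C3": "=CHAR(120)"},
    "Vv2": {"A1": "URLDown", "A2": "loadToFileA", "A3": "=A1&A2",
            "B1": "http://staging.example.invalid/x.ocx"},
    "Vv3": {"A1": "=Vv1!A1&Vv1!B1&Vv1!C1&Vv1!A2&Vv1!B2&Vv1!A1"
                  "&Vv1!C2&Vv1!A3&Vv1!B3&Vv1!B1&Vv1!C3&Vv1!B1"},
}

CHAR_RE = re.compile(r"^=CHAR\((\d+)\)$", re.IGNORECASE)
REF_RE = re.compile(r"^(?:(\w+)!)?\$?([A-Z]+)\$?(\d+)$")

def evaluate(sheets, sheet, cell, depth=0):
    """Resolve one cell to the string Excel would display for it."""
    if depth > 64:                      # guard against circular references
        raise RecursionError(f"reference loop at {sheet}!{cell}")
    formula = sheets[sheet].get(cell, "").strip()
    m = CHAR_RE.match(formula)
    if m:
        return chr(int(m.group(1)))     # the "alphabet soup" cells
    if not formula.startswith("="):
        return formula                  # plain literal cell
    out = []
    for part in formula[1:].split("&"):
        part = part.strip()
        if len(part) >= 2 and part[0] == part[-1] == '"':
            out.append(part[1:-1])      # quoted literal inside the formula
            continue
        ref = REF_RE.match(part)
        if not ref:
            raise ValueError(f"unsupported formula part: {part}")
        target = ref.group(1) or sheet  # cross-sheet or same-sheet reference
        out.append(evaluate(sheets, target, ref.group(2) + ref.group(3), depth + 1))
    return "".join(out)

def recover_strings(sheets, sheet):
    """Evaluate every cell on a sheet; returns {cell: decoded string}."""
    return {cell: evaluate(sheets, sheet, cell) for cell in sheets[sheet]}

SUSPICIOUS = re.compile(r"https?://|URLDownloadToFile|regsvr32", re.IGNORECASE)

def flag_iocs(sheets):
    """Return (sheet, cell, value) for decoded values worth pulling as IOCs."""
    return [(s, c, v) for s in sheets for c, v in recover_strings(sheets, s).items()
            if SUSPICIOUS.search(v)]

if __name__ == "__main__":
    for hit in flag_iocs(SHEETS):
        print("%s!%s -> %s" % hit)
```

Against a real workbook you would feed the same evaluator the cell formulas you read out of the unhidden sheets, which is exactly what clicking through Vv1 to Vv3 in Excel does by hand.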
If you are to replicate this methodology, please exercise caution. I always preach analysis in a safe environment: make sure this is done in a VM and that the network adapter is set to host-only to prevent actual live connections and subsequent malware downloads.
I hope this offered some insight into what some of these files look like and what some of the logic within the formulas is. Happy dissecting!
https://www.itesmeitic[.]com http://ftp.colibriconstruction[.]net http://dmaicinnovations[.]com