2019-02-12 Deobfuscating an Emotet maldoc
This blog entry is going to cover how I managed to de-obfuscate the macro from the Emotet sample that I was able to grab. The maldoc can be found in my Github repo located here: http://github.com/bloomer1016/2019-02-12-Deobfuscating-Emotet-Maldoc. Indicators of Compromise: ========================== MD5 of Word doc: 35c716c82f9912cb1a57bf7ee72e0c53 VT: http://www.virustotal.com/#/file/9fb5e5242394557e27ca3ccfc492f7db0f7474662148a8797953df702b4d78db/detection Any.Run: http://app.any.run/tasks/0e428667-3602-489f-85ac-1f022e2c9c1f Analysis: ========= So to be honest, I was using this maldoc as a case to try to get better using oledump from Didier Stevens. This all stems from his latest posts on the SANS ISC blog (http://isc.sans.edu/forums/diary/Maldoc+Analysis+of+the+Weekend/24626/ and http://isc.sans.edu/forums/diary/Video+Maldoc+Analysis+of+the+Weekend/24628/). Unfortunately I was not able to get this maldoc de-obfuscated as easily…