Emotet is a banking trojan that topped the list for most widely seen malware in 2021. Similar to some of my previous posts, Emotet is usually delivered via phishing campaign. In this blog post we'll cover some initial .xlsm analysis and extract useful IOCs.
If you're interested in learning how to set up an environment and replicate some of this activity, check out my "Cracking the Malware Piñata" series here.
INITIAL ANALYSIS
Running exiftool, we get the following information from the sample:
On the exiftool output, we see that this is an XLSM file type. XLSM files, according to Microsoft, are Excel Macro-Enabled Workbooks. Macros allow for the automation of tasks within Microsoft Office documents, and this file extension and type applies specifically to those documents compatible with Microsoft Excel.
TOOL GEARED TOWARDS MACROS
While we can absolutely use zipdump and have some findings, olevba proves to be more successful in this specific circumstance. Developed by Decalage, olevba parses Microsoft OLE2 files. In simple terms, OLE2 files serve as structured storage for linked objects and embedded objects. This tool interacts with files in this format to extract the necessary data for analysis.
Below are screenshots of the olevba tool at work:
There's a lot of information here. We see that the macro calls out to 3 different domains with the intent of downloading a file. The file has an .ocx extension, meaning it is used as an ActiveX control and, once configured, can steal information from the browser, download additional files, amongst other malicious behaviors.
We see the DllRegisterServer function, which is typically used with the regsvr32.exe binary but can also be leveraged by rundll32.exe, shown in olevba's output. According to Microsoft, the DllRegisterServer function "instructs an in-process server to create its registry entries for all classes supported." In this instance, it is being used to register the ActiveX controls and bypass application controls in the process.
At the bottom of the olevba output, we see a reference to an XLM macro. It doesn't hurt to run the file through XLMdeobfuscator to see if we can extract any additional information. In this instance, the output already corroborates our findings from olevba:
INDICATORS OF COMPROMISE
Domains:
https://zml.laneso[.]com/packet/AlvJ80dtSYEeeCQP/
http://ostadsarma[.]com/wp-admin/JNgASjNC/
http://govtjobresultbd[.]xyz/sjjz/UIUh0HsLqj0y9/
File names:
erum.ocx
File hash:
1a243db583013a6999761dad88d6952351fdc2cd17d2016990276a9dd11ac90b
FURTHER REFERENCES
OLE Formats (Microsoft)
DLLRegisterServer Function (Microsoft)
2021 Threat Detection Report - rundll32.exe (Red Canary)
Register an ActiveX Control Manually (Microsoft)
Comments