{
	"id": "2c9515fd-9e5b-4c45-8bb5-e2dc4c6f8178",
	"created_at": "2026-04-06T00:19:33.023741Z",
	"updated_at": "2026-04-10T13:12:52.87475Z",
	"deleted_at": null,
	"sha1_hash": "49924fd082744057702c768bafcc7f145f9a5153",
	"title": "Deobfuscating Emotet Macro Document and Powershell command",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93661,
	"plain_text": "Deobfuscating Emotet Macro Document and Powershell command\r\nBy Anonymous\r\nPublished: 2021-02-28 · Archived: 2026-04-05 22:36:28 UTC\r\nThis post was authored by Fareed.\r\nThe NetbyteSEC malware analysis team has come across a malicious Microsoft Word document containing macro code. The suspicious email was received by our client shortly before the news that global law enforcement had taken down the Emotet cyber criminal operation.\r\n1.0 Malicious Document Technical Analysis\r\nMD5 Hash: 809928addbff4e5f9b7d9f55e0ac88e9\r\nFilename: file-20210122-QRN6275.doc\r\nFile type: Microsoft Word 97 - 2003 Document (.doc)\r\nUpon opening the malicious document, a common phishing lure is used to bait the victim into clicking the “Enable Content” ribbon button displayed in Microsoft Word, as shown in Figure 1. Normally, a document like this indicates that there is macro content in the document. The purpose of luring the user into enabling the content is to allow the malicious macro code inside the Word document to execute.\r\nhttps://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html\r\nPage 1 of 9\r\nFigure 1: Content of the lure document\r\nEnabling the content executes the macro embedded in the lure document, which leads to malicious execution activity on the victim’s machine.\r\nA quick analysis of the file with the oledump script discloses three macro streams in the document sample, residing in streams 7, 8 and 9, as follows.\r\nFigure 2: oledump result\r\nAnalyzing the content of stream 8 reveals the entry point of the macro: the document_open procedure is used to execute the macro code whenever the victim opens the malicious document and enables the content.\r\nFigure 3: Content of stream 7 and 8 of oledump\r\nIn stream 8, once the document_open procedure is triggered, a function with the random character name “Iemid5ewh9fn44ue4d” is called, which then executes its code residing in stream 9. The VBA file for stream 9 contains 448 lines of macro code used for the malicious actions explained in the next section.\r\n1.1 Deobfuscating malicious macro\r\nThe VBA script contains 448 lines of obfuscated macro code. The macro code was obfuscated as an anti-analysis measure, making it difficult for analysts to read and understand the code. This technique is commonly used among cyber threat groups to obfuscate their code. In this section, the NetbyteSEC malware analysis team explains the method used to deobfuscate the macro.\r\nFigure 4: Snippet of the VBA code\r\nAs a solution, debugging the macro code helps to trace the content of each variable and dive into the details of the macro code.\r\nFirst, the code builds long obfuscated strings and appends them to the variable named V6x19m6t_qhh. The encoded string is as follows:\r\nwx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh bx [ sh bx [ sh bsx [ sh bx [ sh bx [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh bx [ sh bpx [ sh bx [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b\r\nThe encoded string is then decoded and its clear text saved in the variable G1i061417oxvyh_k, as shown in Figure 5.\r\nFigure 5: G1i061417oxvyh_k value\r\nAt this point, the macro has built an encoded string and decoded it to winmgmts:win32_process, indicating that the VBA script will be using WMI classes for the next instruction.\r\nNext, the VBA script creates an object from winmgmts:win32_process and assigns it to the variable F_yz9ots5y0q916g, as shown in Figure 6 below.\r\nFigure 6: F_yz9ots5y0q916g value\r\nInspecting the local variable F_yz9ots5y0q916g shows that it has become an SWbemObjectEx object, which is commonly abused to execute a command line.\r\nFigure 7: F_yz9ots5y0q916g became SWbemObjectEx\r\nThe macro code then builds another encoded string and again appends it to the variable named V6x19m6t_qhh. This encoded string is a little different from the previous one. It is built as follows:\r\nx [ sh bx [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh b/x [ sh bcx [ sh b x [ sh bmx [ sh b^x [ sh bsx [ sh b^x [ sh bgx [ sh b x [ sh b%x [ sh bux [ sh bsx [ sh bex [ sh brx [ sh bnx [ sh bax [ sh bmx [ sh bex [ sh b%x [\r\nFigure 8: Decoding encoded strings\r\nNext, the encoded string is decoded and saved into the variable G1i061417oxvyh_k, as shown in Figure 8 above. Inspecting the variable, the decoded string is actually a cmd command line consisting of a msg command and a base64-encoded PowerShell line.\r\nTo view the malicious command line, adding a MsgBox line for the variable displays the full command line on screen, as shown in Figure 9.\r\nFigure 9: Malicious command line generated\r\nFinally, the macro executes the command using the winmgmts:win32_process object explained above and exits.\r\nFigure 10: Execute command\r\nThe command line first runs the msg command to send a message to a user. The figure below shows the message box displayed to the victim once the macro is executed.\r\nFigure 11: Msg command\r\nThe encoded PowerShell command is explained in the next section.\r\n1.2 Deobfuscating encoded PowerShell command line\r\nRetrieving the encoded PowerShell command line reveals that the executed command is actually a much longer encoded line than the one shown in the MsgBox in Figure 9 in the previous section.\r\nFigure 12: Powershell command\r\nDecoding the base64 string gives the following output:\r\nFigure 13: Decoded Powershell base64 line\r\nAfter removing a lot of garbage characters and cleaning the code into a more readable and understandable form, the result is as follows:\r\nFigure 14: Clean code of the obfuscated Powershell\r\nIn summary, the PowerShell first creates a directory and subdirectory named %UserProfile%/Scnfrf7\\Pb6asvf. After that, the code assigns seven URL strings to the variable $URL, which is then used in the following for-each block. The for-each statement takes each element of the array in $URL and downloads the DLL file. The downloaded file is saved as O66D.dll in the created directory %UserProfile%/Scnfrf7\\Pb6asvf. If the downloaded file has a length greater than 32360, the code continues to execute the DLL using the rundll32 utility with the string “AnyString” as its first parameter. Otherwise, if it is smaller than 32360 or the file is not present in the directory, the code breaks and exits.\r\n1.3 URL check\r\nNavigating to and downloading the content of all the URLs only leads to error pages. Thus, retrieving the DLL file failed.\r\nFigure 15: Fiddler result\r\nChecking all the URLs found in Figure 14 against the URLhaus database shows that all of them were tagged as Emotet malware URLs.\r\nMoreover, a sample with identical macro code and the same PowerShell command pattern was found in a JoeSandbox public submission. The JoeSandbox result detects the sample document as Emotet.\r\nFigure 16: https://www.joesandbox.com/analysis/343392/0/html\r\n2.0 IOCs\r\nThe following MD5 hashes are associated with this Emotet malware analysis:\r\n1. 809928addbff4e5f9b7d9f55e0ac88e9 - file-20210122-QRN6275.doc\r\n2. bde8abd3c29befafb3815d9b74785a3c - VBA file\r\n3. 1542602628751eb95eecd6c00ff5cee8 - O66D.dll\r\nThe following IP address and domain names are associated with this Emotet malware analysis:\r\nSource: https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html"
	],
	"report_names": [
		"deobfuscating-emotet-macro-and.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434773,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49924fd082744057702c768bafcc7f145f9a5153.pdf",
		"text": "https://archive.orkl.eu/49924fd082744057702c768bafcc7f145f9a5153.txt",
		"img": "https://archive.orkl.eu/49924fd082744057702c768bafcc7f145f9a5153.jpg"
	}
}