Hackers’ Favourite Scripting Languages Part 2: Offensive and Defensive Analysis of a VBA Script used by a Real Malware (Emotet)
Süleyman Özarslan, PhD
In 2019, Picus Labs analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP using the MITRE ATT&CK® framework. As a result of this research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Picus Labs found that Scripting was the sixth most prevalent ATT&CK technique used by adversaries in their malware.
Red and Blue Team Exercises
Red Teaming — How to simulate?
In this exercise, we explain a real VBA code that was used by Emotet malware. We analyzed this payload in our following blog posts:
- Emotet Technical Analysis — Part 1 Reveal the Evil Code
- Emotet Technical Analysis — Part 2 PowerShell Unveiled
This payload was included in the following Word document:
Researchers identified Emotet for the first time in 2014 as a banking malware stealing sensitive and private information. Now, adversaries are using Emotet as Infrastructure as a Service (IaaS) for delivering malware, including other banking Trojans. Emotet incorporated various obfuscation and evasion techniques to avoid detection in its payload.
Briefly, the VBA code embedded in the Word document executes an encoded PowerShell command using WMI, and the PowerShell code then downloads a second payload of Emotet. Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems [1].
Let’s split and analyze the command:
`Do While GetObject(winmgmtS:win32_Process).Create()`: In the `Do While` loop, the `Create` method of the `Win32_Process` class is used to create a new process. The first parameter of this method is the `CommandLine` to execute, which is a PowerShell command in this code.
`Powershell -w hidden`: There is no parameter named `-w` according to the official PowerShell documentation [2]. In fact, the `-w` parameter is completed by PowerShell as the `-WindowStyle` parameter because of PowerShell's parameter substring completion feature. Adversaries commonly use the `-WindowStyle` parameter with the `Hidden` value in malicious PowerShell commands to avoid detection.
As with `-w`, there is no parameter named `-en` according to the official PowerShell documentation [2]. The `-en` parameter is completed as the `-EncodedCommand` parameter by PowerShell. `-EncodedCommand` accepts a base-64-encoded string version of a command. Therefore, we must use base64 decoding to reveal the command.
We get the following code after base64 decoding, removing garbage variables, backtick (`` ` ``) and plus (`+`) characters, substituting the values of variables, and beautifying the code. You can read the details of this de-obfuscation process in our blog post [3].
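The parameter-completion behaviour described above (`-w` becoming `-WindowStyle`, `-en` becoming `-EncodedCommand`) and the first two de-obfuscation steps (base64/UTF-16LE decoding, then removing backticks and folding `+` string concatenations) are shown together in the following Python script. This is an added example written for this page, not code from the original post or from Picus Labs. The minimum-abbreviation table for `powershell.exe` switches is my own reading of the PowerShell command-line parser and is an assumption; the encoded sample command line is constructed here and is not the Emotet payload.

```python
import base64
import re

# powershell.exe accepts any prefix of a switch name that is at least as long as
# the switch's minimum abbreviation. This table is an assumption about the
# parser, covering common switches only; the page itself only states that
# -w completes to -WindowStyle and -en to -EncodedCommand.
SWITCHES = [
    ("EncodedCommand", "e"),
    ("ExecutionPolicy", "ex"),
    ("WindowStyle", "w"),
    ("NoProfile", "nop"),
    ("NonInteractive", "noni"),
    ("NoLogo", "nol"),
    ("NoExit", "noe"),
    ("Command", "c"),
    ("File", "f"),
]
VALUE_SWITCHES = {"EncodedCommand", "ExecutionPolicy", "WindowStyle", "Command", "File"}

# Backtick escapes that are meaningful in Windows PowerShell 5.1 strings; a
# backtick in front of any other character is treated as obfuscation noise.
PS_ESCAPES = set("0abfnrtv`\"'$")


def expand_switch(token):
    """Map an abbreviated switch such as '-w' or '-en' to its full parameter name.
    Returns None when the token is not an unambiguous, long-enough prefix."""
    if not token.startswith(("-", "/")):
        return None
    key = token[1:].lower()
    for full, minimum in SWITCHES:
        if full.lower().startswith(key) and key.startswith(minimum):
            return full
    return None


def encode_command(script):
    """Produce the value -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Reverse of encode_command: base64 decode, then UTF-16LE decode."""
    return base64.b64decode(b64).decode("utf-16-le")


def deobfuscate(script):
    """Remove identifier-splitting backticks and fold 'a'+'b' concatenations.
    This is a heuristic for the page's first two clean-up steps, not a parser."""
    out = []
    i = 0
    while i < len(script):
        ch = script[i]
        if ch == "`" and i + 1 < len(script) and script[i + 1] not in PS_ESCAPES:
            i += 1  # drop the backtick, keep the character after it
            continue
        out.append(ch)
        i += 1
    s = "".join(out)
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        folded = concat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if folded == s:
            return s
        s = folded


def analyse_command_line(cmdline):
    """Expand the switches of a powershell.exe command line and decode its payload."""
    tokens = cmdline.split()
    findings = {"switches": {}, "unknown": [], "hidden_window": False, "script": None}
    i = 1  # tokens[0] is the executable name
    while i < len(tokens):
        full = expand_switch(tokens[i])
        if full is None:
            findings["unknown"].append(tokens[i])
            i += 1
        elif full in VALUE_SWITCHES and i + 1 < len(tokens):
            findings["switches"][full] = tokens[i + 1]
            i += 2
        else:
            findings["switches"][full] = True
            i += 1
    style = findings["switches"].get("WindowStyle")
    findings["hidden_window"] = isinstance(style, str) and style.lower() == "hidden"
    encoded = findings["switches"].get("EncodedCommand")
    if isinstance(encoded, str):
        findings["script"] = deobfuscate(decode_encoded_command(encoded))
    return findings


# Constructed sample: a harmless script obfuscated in the style the page
# describes (split identifiers, concatenated strings), then encoded.
SAMPLE_SCRIPT = "$list = @('http://example.invalid/'+'a.bin'); Wr`ite-Ho`st $list"
SAMPLE_CMDLINE = "powershell -w hidden -en " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    for key, value in analyse_command_line(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

Running the script prints the expanded switches (`WindowStyle: hidden`, `EncodedCommand: ...`), the `hidden_window` flag, and the decoded, de-obfuscated script. Substituting variable values and beautifying, the remaining steps the post mentions, need a real PowerShell parser and are left out on purpose.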
Briefly, this code tries to download a file from the URLs included in the `$list` array, in the given order, via the `Net.WebClient.DownloadFile` method and saves the downloaded file to the `$env:userprofile` directory as
In conclusion, the VBA code given in this exercise incorporates the following MITRE ATT&CK techniques:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1047 Windows Management Instrumentation
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1564.003 Hide Artifacts: Hidden Window
- T1027 Obfuscated Files or Information
Blue Teaming — How to detect?
The following Sigma rule can be used to detect WMI DLLs loaded via VBA Macros in Word, Excel, PowerPoint and Outlook files:
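As an added illustration of what such a rule checks, the following Python script applies the same logic to a few constructed Sysmon-style image-load records: it raises an alert when a process hosting VBA macros (Word, Excel, PowerPoint, Outlook) loads a WMI client DLL. This is example code written for this page, not the Sigma rule from the original post; the list of WMI client DLL names is my assumption, and the log lines are constructed, not real telemetry.

```python
# Office executables that host VBA macros, as named in the passage above.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Client-side WMI modules a process loads when it talks to WMI via COM
# (assumed list; extend it to match the DLLs seen in your own telemetry).
WMI_DLLS = {
    "wmiutils.dll", "wbemcomn.dll", "wbemprox.dll",
    "wbemdisp.dll", "wbemsvc.dll", "fastprox.dll",
}

# Constructed image-load events (Sysmon Event ID 7 style), one per line,
# flattened to key=value pairs separated by '|'.
SAMPLE_LOG = r"""
EventID=7|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|ImageLoaded=C:\Windows\System32\wbem\wbemprox.dll
EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\wbem\wbemprox.dll
EventID=7|Image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|ImageLoaded=C:\Windows\System32\kernel32.dll
EventID=1|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n
EventID=7|Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|ImageLoaded=C:\Windows\SysWOW64\wbem\wmiutils.dll
""".strip()


def parse_line(line):
    """Turn one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_wmi_load(event):
    """True when an Office macro host loads a WMI client DLL (image-load events only)."""
    if event.get("EventID") != "7":
        return False
    return (basename(event.get("Image", "")) in OFFICE_IMAGES
            and basename(event.get("ImageLoaded", "")) in WMI_DLLS)


def detect(log_text):
    """Return the matching events from a block of log lines."""
    return [e for e in map(parse_line, log_text.splitlines()) if is_office_wmi_load(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"ALERT: {basename(hit['Image'])} loaded {basename(hit['ImageLoaded'])}")
```

Of the five records, only the two where WINWORD.EXE and OUTLOOK.EXE load WMI DLLs match; the svchost.exe load of the same DLL and the Excel load of kernel32.dll do not, and the process-creation record is ignored because the check applies to image-load events only.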
[1] stevewhims, “Windows Management Instrumentation.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page. [Accessed: 11-Aug-2020]
[2] SteveL-MSFT, “about_PowerShell_exe — PowerShell.” [Online]. Available: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe. [Accessed: 11-Aug-2020]
[3] S. Özarslan, “Emotet Technical Analysis — Part 2 PowerShell Unveiled.” [Online]. Available: https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled. [Accessed: 12-Aug-2020]
Originally published at https://www.picussecurity.com.