On Monday morning I came across a domain which has directory listing open for several subfolders. In most of the folders an Office Word document called “decoy.doc”, a PDF document named “p.doc” (yes, really), an exe and a Python script called “prothemusL_H.py” could be found. That Python script made me curious and I decided to […]
Extracting Payload Urls From Office Docs With CyberChef
For several months now, Emotet has been using various Office document fields (e.g. Author, Comments) for “hiding” their PowerShell code to download the exe payload. The actors behind the malware often change little things in their code to make automated extraction of URLs harder. On November 8th a friend asked me for help on a […]