Today I was asked for a copy of a website that was already nuked before the analysis was completed. No online platform has yet picked up a copy, and VirusTotal did not show a hash for the download. Trying to come up with a solution for this problem, I remembered that browsers often keep a […]
Extracting Payload URLs From Office Docs With CyberChef
For several months now, Emotet has been using various Office document fields (e.g. Author, Comments) for “hiding” the PowerShell code that downloads the exe payload. The actors behind the malware often change little things in their code to make automated extraction of URLs harder. On November 8th a friend asked me for help on a […]