On December 16th, 2020, Twitter user Insomnihack (@pro_integritate) posted an interesting obfuscated document that some sandboxes flagged as Dridex. This sample threw an error and would not open in Office 2010 until I changed the file extension to "doc". The thing that stood out most on initial inspection is the heavy use of "wd…" properties such as "wdArtWeavingStrips"; each of these names maps to a numeric value from Word's enumerated constants (wdArt* names belong to the WdPageBorderArt enumeration), so the macro can build its strings from arithmetic over constant names instead of from literal numbers.
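The technique described above (Chr() over arithmetic on wd* constant names, concatenated with &) can be folded back to plaintext once the constant values are known. The script below is an added example written for this page, not code from the original post or from InQuest: it counts wd* references as a density heuristic, substitutes a constant table into each expression, evaluates only integer + - * arithmetic, and rebuilds the concatenated string. The VBA fragment and the constant table are constructed for the example; the table values are assumed to follow Microsoft's WdPageBorderArt enumeration and should be dumped from a real Word install (for instance via win32com.client.constants) or the Office VBA reference before being trusted.

```python
"""Fold Word enumerated constants (wd*) used as arithmetic obfuscation in VBA."""
import ast
import operator
import re

# Constructed excerpt of the WdPageBorderArt enumeration, hand-typed for this example.
# Assumption: values follow Microsoft's published enumeration; dump the full table from
# a Word install (win32com.client.constants) or the VBA reference for real analysis.
WD_CONSTANTS = {
    "wdArtApples": 1,
    "wdArtMapleMuffins": 2,
    "wdArtCakeSlice": 3,
    "wdArtCandyCorn": 4,
    "wdArtIceCreamCones": 5,
    "wdArtChampagneBottle": 6,
    "wdArtPartyGlass": 7,
    "wdArtChristmasTree": 8,
    "wdArtTrees": 9,
    "wdArtPalmsColor": 10,
    "wdArtWeavingStrips": 136,
}

# Constructed VBA fragment in the style described above (not the real sample's code).
SAMPLE_VBA = r'''
Dim cmd As String
cmd = Chr(wdArtWeavingStrips - wdArtPalmsColor * wdArtCandyCorn + wdArtCakeSlice) _
    & Chr(wdArtWeavingStrips - wdArtTrees * wdArtCakeSlice) _
    & Chr(wdArtWeavingStrips - wdArtChampagneBottle * wdArtChampagneBottle) _
    & ".exe"
Shell cmd, vbHide
'''

WD_NAME = re.compile(r"\bwd[A-Za-z0-9_]+\b")
CHR_CALL = re.compile(r"^Chr\((.*)\)$", re.IGNORECASE | re.DOTALL)
STR_LIT = re.compile(r'^"(.*)"$', re.DOTALL)
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def wd_reference_count(src):
    """Number of wd* identifiers in the source; dense use is the tell described above."""
    return len(WD_NAME.findall(src))


def resolve_constants(expr, table=WD_CONSTANTS):
    """Replace every wd* name with its numeric value; unknown names raise KeyError."""
    return WD_NAME.sub(lambda m: str(table[m.group(0)]), expr)


def eval_arith(expr):
    """Evaluate + - * over integer literals only (no names, calls or attributes)."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("unsupported expression: %r" % expr)
    return walk(ast.parse(expr, mode="eval").body)


def split_concat(expr):
    """Split a VBA expression on the & operator, ignoring & inside string literals."""
    parts, buf, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == "&" and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def decode_piece(piece, table=WD_CONSTANTS):
    """Decode one operand of a & chain: a string literal, a Chr(expr) call or bare arithmetic."""
    m = STR_LIT.match(piece)
    if m:
        return m.group(1).replace('""', '"')
    m = CHR_CALL.match(piece)
    if m:
        return chr(eval_arith(resolve_constants(m.group(1), table)))
    return str(eval_arith(resolve_constants(piece, table)))


def deobfuscate_vba(src, table=WD_CONSTANTS):
    """Return {variable: decoded string} for every `name = <pieces>` assignment."""
    src = re.sub(r"\s*_\s*\r?\n\s*", " ", src)  # join VBA line continuations
    result = {}
    for line in src.splitlines():
        line = line.strip()
        m = re.match(r"^([A-Za-z_]\w*)\s*=\s*(.+)$", line)
        if not m:
            continue
        name, expr = m.group(1), m.group(2)
        try:
            result[name] = "".join(decode_piece(p, table) for p in split_concat(expr))
        except (ValueError, KeyError, SyntaxError):
            result[name] = None  # leave anything that cannot be folded for manual review
    return result


if __name__ == "__main__":
    print("wd* references:", wd_reference_count(SAMPLE_VBA))
    for var, value in deobfuscate_vba(SAMPLE_VBA).items():
        print(var, "=", repr(value))
```

The evaluator deliberately refuses names, calls and attribute access, so an expression that still contains something the table does not cover fails closed and is reported as None rather than silently producing a wrong string. VBA integer division (\) and Mod are not handled; extend _OPS if a sample uses them.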
This article covers the analysis of an interesting malspam encounter at a customer, identified by a user-defined signature that keys on high levels of entropy within the file. The chain starts with a PDF lure that fetches a macro-laden downloader document and ends with the Emotet banking malware.
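An entropy-based signature of the kind mentioned above flags regions of a file whose byte distribution looks like compressed, encrypted or encoded data rather than text or markup. The code below is an added example for this page (not InQuest's signature or tooling): it computes Shannon entropy per byte and slides a window across the file, reporting every window at or above a threshold. The sample file is constructed inline from a repeated plaintext sentence with a seeded pseudo-random blob embedded in the middle; window size, step and the 7.2-bit threshold are assumptions to tune per file type.

```python
"""Windowed Shannon-entropy scan for high-entropy regions embedded in a file."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_windows(data, window=1024, step=512, threshold=7.2):
    """Return (offset, entropy) for every window whose entropy meets the threshold."""
    hits = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            hits.append((off, round(h, 3)))
    return hits


def build_sample():
    """Constructed test file: 2560 bytes of text, a 4096-byte pseudo-random blob, more text."""
    text = b"This is a benign looking document body. " * 64  # 40 bytes * 64 = 2560
    rng = random.Random(7)  # seeded so the sample is reproducible
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return text + blob + text


if __name__ == "__main__":
    sample = build_sample()
    print("whole-file entropy: %.3f bits/byte" % shannon_entropy(sample))
    for off, h in high_entropy_windows(sample):
        print("high-entropy window at offset 0x%06x: %.3f" % (off, h))
```

Whole-file entropy alone is a weak signal (the text padding drags it down); the windowed view is what isolates the embedded blob and gives an offset worth carving. For Office documents, running the scan over each extracted OLE stream or ZIP entry rather than the raw container avoids false positives from the container's own compression.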
PowerShell Empire is a go-to tool for pentesters, red teamers, and cyber-criminals. While it is an incredible framework, the InQuest platform easily detects the obfuscated payloads it generates.