{
	"id": "7f8e7a2a-cf9c-4195-9721-7b3028e10f2e",
	"created_at": "2026-04-06T00:09:00.317466Z",
	"updated_at": "2026-04-10T03:21:26.155342Z",
	"deleted_at": null,
	"sha1_hash": "0ff5b67f57593264e7bf0b178ef7343f1efa82f1",
	"title": "Emotet Returns, Now Adopts Binary Padding for Evasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49877,
	"plain_text": "Emotet Returns, Now Adopts Binary Padding for Evasion\r\nBy: Ian Kenefick Mar 13, 2023 Read time: 4 min (1000 words)\r\nPublished: 2023-03-13 · Archived: 2026-04-05 17:10:23 UTC\r\nTable 1. Emotet C\u0026C Server Infrastructure deployments during the early parts of 2023\r\nThe threat actors behind Emotet continue to use malicious documents containing macros to deliver the malicious payload. Note that while Microsoft disabled macros from the internet by default in 2022, the document template employs social engineering techniques to trick users into enabling macros to allow the attack to proceed as intended.\r\nThe threat actors behind these emails have adopted the use of binary padding as an evasion technique, where both the dropper document and the Emotet DLL files are inflated to 500+ megabytes to avoid security solutions. Other similar defense evasion techniques have previously been observed being used by other malicious actors.\r\nOnce a user enables macros for the malicious document, it will download a ZIP file from one of seven hardcoded and obfuscated URLs (which will be iterated through until the file is successfully retrieved).\r\nThe macro will then check if the response is 200 (indicating a successful retrieval of the file). 
If so, it will then check if that file is either a PE file or a Zip file, suggesting that the threat actors may adopt alternative file formats to Zip files containing binary padded PE files.\r\nThe macro uses a function that checks the file type of the downloaded payload by examining the first two bytes of the file. It first checks if the first two bytes are equal to the ASCII values of \"M\" and \"Z\" (77 and 90, respectively). If so, it returns a value of 1, indicating that the file is a PE file. On the other hand, if the first two bytes are not equal to \"M\" and \"Z,\" the function checks if they are equal to the ASCII values of \"P\" and \"K\" (80 and 75, respectively). If so, it returns a value of 2, indicating that the file is a Zip file.\r\nThe CopyHere() method of the Shell32.FolderItems object is then used to extract the contents of the Zip file to the destination folder, after which the macro deletes the temporary folder files.\r\nhttps://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html\r\nPage 1 of 3\n\nFinally, regsvr32.exe is invoked and the DLL is loaded with the /s switch to silently execute the Emotet payload to infect the endpoint.\r\nStealer and spam routines\r\nFor its stealer and spam routines, Emotet will make a copy of certutil.exe (a legitimate command-line tool) in the temporary directory, which is started in a suspended state and then hollowed out.\r\nThe malware will then load one of several modules such as NirSoft's Web Browser PassView and Mail PassView tools, an Outlook stealer, and a spam module before resuming execution. Note that we have not observed any second-stage payloads outside of Emotet’s stealer and the spam modules. 
However, it is possible that payloads (such as backdoors and/or other information stealers) might be dropped in the future to enable access for other threat actors.\r\nEvasion techniques\r\nBinary padding is used to inflate file sizes so that they exceed the size limitations imposed by anti-malware solutions such as sandboxes and scan engines. In this example, the Emotet DLL is padded with 00 bytes in the overlay, inflating the PE file from 616KB to 548.1MB.\r\nFor Emotet, both the dropper document and the PE files use the 00-byte padding technique to inflate the file size. Malicious actors use Zip compression to transport the relatively small files via email and HTTP, before decompression is used to inflate the files to evade security solutions.\r\nFinally, reconnaissance activities are performed either via IP configs or through the affected machine’s system information.\r\nConclusion and recommendations\r\nEmotet has been a prolific and resilient threat, even surviving a takedown of its infrastructure in 2021. Given what we’ve seen of Emotet over the years, it would not be surprising to see it evolve further in future attacks, employing alternative malware delivery methods, adopting new evasion techniques, and integrating additional second- and even third-stage payloads into its routines.\r\nTo avoid getting infected by malicious spam emails, users should be cautious of emails from unknown senders or with suspicious subject lines. These types of emails are often paired with social engineering techniques that are designed to get recipients to click on a link or download an attachment containing malware. Users should also ensure that macros are disabled in Microsoft Office applications and avoid enabling them even when prompted. Using spam filters can also help automatically filter out suspicious or unwanted emails before they reach the user’s inbox. 
By following these precautions, both individual users and organizations can greatly reduce the risk of getting infected by malicious spam emails.\r\nEndpoint solutions like Trend Micro's Smart Protection Suites and Worry-Free Business Security solutions offer protection for both users and businesses against threats like Emotet. These solutions come equipped with behavior-monitoring capabilities that enable them to detect malicious files, scripts, and messages. They can also block all related malicious URLs. Additionally, the Trend Micro™ Deep Discovery™ solution includes an email inspection layer that can identify and protect enterprises from malicious attachments and URLs. By leveraging these powerful tools, users and businesses can effectively defend themselves against the damaging effects of Emotet and other similar threats.\r\nIndicators of compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html"
	],
	"report_names": [
		"emotet-returns-now-adopts-binary-padding-for-evasion.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ff5b67f57593264e7bf0b178ef7343f1efa82f1.pdf",
		"text": "https://archive.orkl.eu/0ff5b67f57593264e7bf0b178ef7343f1efa82f1.txt",
		"img": "https://archive.orkl.eu/0ff5b67f57593264e7bf0b178ef7343f1efa82f1.jpg"
	}
}