{
	"id": "8f97cbec-51ee-49db-b188-9fd5c16d6fe2",
	"created_at": "2026-04-06T00:17:46.517326Z",
	"updated_at": "2026-04-10T13:11:19.071229Z",
	"deleted_at": null,
	"sha1_hash": "18ca634d30bb318ab842b1965bb0fb3f3268cb35",
	"title": "Emotet: Still Abusing Microsoft Office Macros",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98392,
	"plain_text": "Emotet: Still Abusing Microsoft Office Macros\r\nBy Gustavo Palazolo\r\nPublished: 2022-06-27 · Archived: 2026-04-05 15:13:32 UTC\r\nSummary\r\nIn April 2022, Netskope Threat Labs analyzed an Emotet campaign that was using LNK files instead of Microsoft Office documents, likely as a response to the protections launched by Microsoft in 2022 to mitigate attacks via Excel 4.0 (XLM) and VBA macros.\r\nHowever, we recently came across hundreds of malicious Office documents that are being used to download and execute Emotet, indicating that some attackers are still using old delivery methods in the wild. Despite the protection Microsoft released in 2022 to prevent the execution of Excel 4.0 (XLM) macros, this attack is still feasible against users who are running outdated versions of Office. It is also feasible against users who have changed the default setting to explicitly enable macros. The fact that attackers are still using Excel 4.0 macros indicates that outdated Office versions and users who have this protection disabled are still common.\r\nOption to enable Excel 4.0 Macros.\r\nBy searching for similar files on VirusTotal, we found 776 malicious spreadsheets submitted between June 9, 2022 and June 21, 2022, which abuse Excel 4.0 (XLM) macros to download and execute Emotet’s payload. Most of the files share the same URLs and some metadata. We extracted 18 URLs out of the 776 samples, four of which were online and delivering Emotet.\r\nSubmission timeline for Emotet spreadsheets on VirusTotal.\r\nhttps://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros\r\nPage 1 of 15\r\nIn this blog post, we will analyze this Emotet campaign, showing the delivery mechanism through to the final payload.\r\nStage 01 – Malicious Spreadsheets\r\nThe first stage is a malicious spreadsheet that abuses Excel 4.0 (XLM) macros to download and execute Emotet. These files are being delivered as email attachments.\r\nPhishing emails with malicious spreadsheets attached.\r\nThere are also cases where the spreadsheet is attached within a password-protected ZIP file.\r\nThe spreadsheet contains a message to lure the user into removing the protected view by clicking the “Enable Editing” button.\r\nSpreadsheet message asking to click “Enable Editing”.\r\nThe malicious code is obfuscated and spread across hidden sheets and cells.\r\nPart of the Excel 4.0 Macros.\r\nThe code downloads the payload from an external URL via the “URLDownloadToFileA” API and executes it with “regsvr32.exe”, a signed Windows binary commonly abused in Living-off-the-Land techniques.\r\nDeobfuscated code from the spreadsheet.\r\nFurthermore, most of the files we analyzed were authored by “Dream” and last saved either by “RHRSDJTJDGHT” or “TYHRETH”, indicating the files likely share an author.\r\nCommon metadata across the spreadsheets.\r\nStage 02 – Packed Emotet\r\nWe were able to download samples from four different URLs out of the 18 extracted from the spreadsheets. Two of the downloaded files unpacked the same Emotet payload.\r\nFour payloads downloaded from the spreadsheet URLs.\r\nEmotet’s main payload is encrypted and stored in the PE resources of the loader, as was the case with other packed Emotet samples we analyzed earlier in 2022.\r\nEmotet’s main payload stored in the PE resources.\r\nThe unpacking/decryption process is also very similar to the samples we analyzed earlier in 2022, where a key is used in a simple rolling XOR algorithm.\r\nEmotet decryption process.\r\nStage 03 – Emotet Payload\r\nWe extracted three different payloads (64-bit DLLs) from the samples we downloaded from the URLs.\r\nMain Emotet payloads.\r\nWe can find some similarities by comparing these payloads with the ones we analyzed in April 2022, such as the pattern used in the DLL name.\r\nThe real name for all three samples is “E.dll”.\r\nAnother similarity is the persistence mechanism: a Windows service that executes the payload via regsvr32.exe.\r\nEmotet persistence mechanism.\r\nHowever, there are some differences between these payloads and the ones we analyzed in April 2022. The first one is where and how Emotet decrypts its strings. In previous payloads, Emotet stored its strings in the PE .text section.\r\nIn these latest payloads, Emotet uses functions to retrieve decrypted strings. Simply put, the attacker is using the concept of stack strings, which are passed as parameters to the function that performs the decryption.\r\nEmotet function to return a decrypted string.\r\nThe decrypted strings can be easily retrieved by placing breakpoints at the return of these functions. It is also possible to use a Python script to automatically extract this data using Dumpulator or any other emulation framework.\r\nEmotet decrypted strings.\r\nThe C2 addresses are also retrieved in a different way in these payloads. Instead of storing this data in the PE .data section, Emotet parses the C2 addresses via functions as well.\r\nEmotet parsing the C2 server addresses.\r\nIt is also possible to extract this information statically using an emulation script, similar to the one used for the strings.\r\nPart of Emotet C2 server addresses.\r\nConclusions\r\nIn April 2022 we analyzed an Emotet campaign that was not using Microsoft Office files to spread, as a possible response to Microsoft protections. However, we still see some attackers abusing Microsoft Office files to download and execute Emotet. We strongly recommend that users update Microsoft Office to its latest version. IT administrators may also completely block Excel 4.0 (XLM) macros via Group Policy.\r\nProtection\r\nNetskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads.\r\nNetskope Threat Protection\r\nDocument-Excel.Trojan.Emotet\r\nWin64.Trojan.Emotet\r\nNetskope Advanced Threat Protection provides proactive coverage against this threat.\r\nGen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis\r\nGen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox\r\nIOCs\r\nAll the IOCs related to this campaign, scripts, and the YARA rules can be found in our GitHub repository.\r\nSource: https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros"
	],
	"report_names": [
		"emotet-still-abusing-microsoft-office-macros"
	],
	"threat_actors": [],
	"ts_created_at": 1775434666,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18ca634d30bb318ab842b1965bb0fb3f3268cb35.pdf",
		"text": "https://archive.orkl.eu/18ca634d30bb318ab842b1965bb0fb3f3268cb35.txt",
		"img": "https://archive.orkl.eu/18ca634d30bb318ab842b1965bb0fb3f3268cb35.jpg"
	}
}