{
	"id": "f09c2c77-9b3f-4c30-86e0-b771b5884d9d",
	"created_at": "2026-04-06T02:10:52.069293Z",
	"updated_at": "2026-04-10T03:20:43.152729Z",
	"deleted_at": null,
	"sha1_hash": "38a51c45a2dd892736b58da22e3bfed13d8fad3a",
	"title": "Emotet: New Delivery Mechanism to Bypass VBA Protection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 166599,
	"plain_text": "Emotet: New Delivery Mechanism to Bypass VBA Protection\r\nBy Gustavo Palazolo\r\nPublished: 2022-05-06 · Archived: 2026-04-06 01:34:05 UTC\r\nSummary\r\nEmotet started as a banking trojan in 2014 and later evolved to what has been considered the world’s most\r\ndangerous malware by Europol, often used throughout the world to deliver many different threats, including\r\nTrickBot.\r\nIn October 2020, Netskope analyzed an Emotet campaign that was using PowerShell and WMI within malicious\r\nOffice documents to deliver its payload. Later in 2021, we also spotted new delivery mechanisms being used,\r\nincluding squiblytwo. However, the most popular delivery mechanism used by Emotet to date is the malicious\r\nMicrosoft Office document.\r\nIn January 2022, as an attempt to mitigate attacks via malicious Office documents, Microsoft announced that VBA\r\nmacros will be blocked by default in files downloaded from the internet, which directly affected the way Emotet\r\nwas being delivered. Netskope released a detailed blog post about this protection, anticipating that we would see\r\nthe use of other types of files, like LNK and VBS.\r\nOn April 26, 2022, a new Emotet campaign was spotted in the wild, where the usual Office delivery system was\r\nreplaced with LNK files, in a clear response to the VBA protection launched by Microsoft. Netskope Threat Labs\r\nfound 139 distinct LNK files that are part of the same campaign, delivering two distinct payloads that share the\r\nsame C2 infrastructure.\r\nIn this blog post, we will analyze this Emotet campaign, from the new delivery mechanism to the last payload.\r\nStage 01 – LNK Files\r\nUsually, the initial stage of Emotet is a malicious Office document that abuses VBA macros to download and\r\nexecute the payload. In this new delivery system, Emotet abuses the LNK file format (a.k.a. 
MS-SHLLINK and\r\nShortcut) to execute a PowerShell script.\r\nLooking at the file’s properties, we can see that the LNK target is pointing to the PowerShell executable.\r\nhttps://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection\r\nPage 1 of 19\n\nEmotet’s LNK file.\r\nUsing the LNK parser tool, it’s possible to extract more details, such as the command executed by PowerShell.\r\nThe command here decodes a large base64 string and saves the output to a file in the user’s temporary folder. This\r\nfile is the main script, which is deleted after it’s executed.\r\nEmotet’s PowerShell script, executed through the LNK file.\r\nThe decoded script contains a list of URLs where Emotet’s payload is hosted. Once running, it iterates over the list\r\nand makes a request using PowerShell’s Invoke-WebRequest function. If the binary is successfully downloaded, it\r\nsaves the file to Windows’ temporary directory and executes it using regsvr32.exe.\r\nMain PowerShell script executed by Emotet’s LNK file.\r\nWe found 139 distinct LNK files related to Emotet, sharing three different scripts, where the only differences\r\nwere the payload URLs. All the hashes can be found in our GitHub repository.\r\nSimilarities between the analyzed LNK files.\r\nStage 02 – Downloaded File\r\nFrom the 139 LNK files we analyzed, we found 12 distinct URLs. 
Only 9 URLs were online at the time of the\r\nanalysis, delivering 2 distinct payloads.\r\nPayloads delivered by Emotet URLs.\r\nThese payloads are packed Emotet samples, both 64-bit DLLs with different compilation timestamps. The first\r\none was likely built on April 25, 2022, and the second on April 27, 2022.\r\nComparison between the two downloaded payloads.\r\nEmotet’s main payload is encrypted and stored in the resources of both packed samples, which despite some\r\ndifferences, are using the same technique to decrypt and load Emotet.\r\nEncrypted Emotet payload.\r\nOnce running, the packer allocates and executes a shellcode, responsible for the payload decryption process.\r\nShellcode responsible for decrypting Emotet.\r\nThen, it loads the resource data and decrypts it using a simple rolling XOR algorithm with a small string as the\r\nkey, revealing Emotet’s payload.\r\nEmotet’s unpacking process.\r\nWe created a Python script that can be used to statically decrypt and extract Emotet’s payload from the\r\nloader/packed sample.\r\nPython script used to unpack Emotet.\r\nAs previously mentioned, both files unpack Emotet using the same process. 
The only difference is the decryption\r\nkey.\r\nDecryption key used in the second payload.\r\nStage 03 – Emotet Payload\r\nIn the third stage, we have two 64-bit Emotet DLLs that were extracted from the two loaders/packed samples.\r\nThey share many similarities, such as the real DLL name, the compiler, and some C2 server addresses. The first\r\none was likely compiled on April 19, 2022, and the second one on April 26, 2022.\r\nComparison between the two Emotet payloads.\r\nThe real name for both files is “Y.dll”.\r\nEmotet’s DLL real name.\r\nFor persistence, Emotet creates a Windows service to execute itself via regsvr32.exe.\r\nAll the important strings used by Emotet are encrypted, located in the PE .text section.\r\nEmotet encrypted string.\r\nTo decrypt the string, this sample uses the same algorithm that is found in 32-bit samples. The first four bytes are\r\nthe decryption key, followed by the length and the encrypted string.\r\nPart of decrypted Emotet strings.\r\nAll the decrypted strings can be found in our GitHub repository. For the C2 addresses, Emotet uses the same logic,\r\nbut the data is located in the PE .data section.\r\nEncrypted C2 addresses\r\nWe found 63 IP addresses in each binary we analyzed. 
To extract this information statically, we used a Python\r\nscript that parses the file and implements the same decryption logic.\r\nPython script to extract Emotet’s C2 addresses.\r\nConclusions\r\nEmotet has already proven to be extremely resilient, as even after a global collaboration among law enforcement\r\nagencies in January 2021 disrupted the malware’s infrastructure, the botnet managed to return to its activities in\r\nlate 2021. Replacing the delivery mechanism from malicious Office documents with another file format shows\r\nthat the attackers are constantly adapting Emotet to remain active.\r\nProtection\r\nNetskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat\r\nindicators and payloads.\r\nNetskope Threat Protection\r\nShortcut.Trojan.GenAutorunLnkFile\r\nWin64.Trojan.Emotet\r\nNetskope Advanced Threat Protection provides proactive coverage against this threat.\r\nGen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis\r\nGen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox\r\nIOCs\r\nAll the IOCs related to this campaign, the scripts, and the Yara rules can be found in our GitHub repository.\r\nSource: https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection"
	],
	"report_names": [
		"emotet-new-delivery-mechanism-to-bypass-vba-protection"
	],
	"threat_actors": [],
	"ts_created_at": 1775441452,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38a51c45a2dd892736b58da22e3bfed13d8fad3a.pdf",
		"text": "https://archive.orkl.eu/38a51c45a2dd892736b58da22e3bfed13d8fad3a.txt",
		"img": "https://archive.orkl.eu/38a51c45a2dd892736b58da22e3bfed13d8fad3a.jpg"
	}
}