{
	"id": "2e078517-6cab-42fa-9adf-46b00b595788",
	"created_at": "2026-04-06T00:13:21.876622Z",
	"updated_at": "2026-04-10T03:21:10.65801Z",
	"deleted_at": null,
	"sha1_hash": "49c140e8985188749a21a84589a1786a0f748164",
	"title": "Trends in the Recent Emotet Maldoc Outbreak | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2893063,
	"plain_text": "Trends in the Recent Emotet Maldoc Outbreak | FortiGuard Labs\r\nBy Erin Lin\r\nPublished: 2022-04-18 · Archived: 2026-04-05 16:56:39 UTC\r\nEmotet is a malware family that steals sensitive and private information from victims' computers. The malware\r\nhas infected more than a million devices and is considered one of the most dangerous threats of the decade.\r\nIn addition to analyzing threats, FortiGuard Labs also focuses on how malware spreads. We have observed that the\r\nrecent Emotet outbreak is being spread through a variety of malicious Microsoft Office files, or maldocs, attached\r\nto phishing emails. Once a victim opens the attached document, a VBA Macro or Excel 4.0 Macro is used to\r\nexecute malicious code that downloads and runs the Emotet malware.\r\nIn this blog, we will focus on what these malicious documents look like and how they drop Emotet malware onto\r\na victim's local disk. We will first look at the samples captured in this campaign and then examine their\r\npropagation trends.\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Windows users\r\nImpact: Controls victim's device and collects sensitive information\r\nSeverity Level: Critical\r\nPhishing Emails with Malicious Attachment\r\nThe recent Emotet outbreak uses phishing emails combined with social engineering to trick victims into loading\r\nthe malware onto their devices. 
These emails often include \"Re:\" or \"Fw:\" in the subject line, as shown in Figures 1\r\nand 2, to disguise the email as a reply or forwarded message and convince the target that the email is\r\nlegitimate.\r\nhttps://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak\r\nPage 1 of 14\n\nFigure 1: Reply email with an attachment\r\nFigure 2: Forwarded email with .xls file attachment\r\nFigure 3 showcases another technique, where the malicious document is packed into a password-protected ZIP\r\narchive attached to the email, with the password included in the body of the message.\r\nFigure 3: Email with a password-protected ZIP archive attachment\r\nExamining the Malicious Excel Files and Word Documents\r\nThe attached Excel files and Word documents contain malicious macros. Once opened, they display an image\r\nasking the victim to click the \"Enable Content\" button in the security warning bar. Clicking it allows the malicious\r\nmacro to execute.\r\nThe images below show the techniques used to trick victims into clicking the \"Enable Content\" button in the Excel\r\nfiles and Word documents used in this campaign. Figure 4 shows screenshots of an opened Word document and\r\nFigure 5 shows the opened Excel file.\r\nFigure 4: Word document content when opened\r\nFigure 5: Excel file content when opened\r\nAnalyzing the Malicious Macros and their Behaviors\r\nMacros in Microsoft Office files are usually written in VBA (Visual Basic for Applications). In this case, the Word\r\ndocuments contain malicious VBA code, while the Excel files use Excel 4.0 Macro in addition to VBA Macro.\r\nWe captured five different samples connected with this Emotet campaign that differ in their macro\r\ncode and execution flow. 
For identification purposes, we have given each sample a tag name based on when\r\nthe sample first appeared. The tag name consists of two parts, the year prefix and a suffix with the month and week of the\r\nmonth, connected by an underscore.\r\nThe first sample appeared in the third week of November 2021 and its tag name is \"2021_NovW3\". It is an Excel\r\nfile or Word document with a VBA Macro. The second is an Excel file using an Excel 4.0 Macro. It appeared in the\r\nfourth week of November 2021 with the tag name \"2021_NovW4\". The third sample is a Word document with a\r\nVBA Macro and the tag name \"2021_DecW2\". The fourth sample is an Excel file with an Excel 4.0 Macro. Its\r\ntag name is \"2021_DecW4\". The fifth sample is an Excel file with a VBA Macro and the tag name\r\n\"2022_FebW2\".\r\nTag Name   | File Type  | Macro Type\r\n2021_NovW3 | Excel/Word | VBA Macro\r\n2021_NovW4 | Excel      | Excel 4.0 Macro\r\n2021_DecW2 | Word       | VBA Macro\r\n2021_DecW4 | Excel      | Excel 4.0 Macro\r\n2022_FebW2 | Excel      | VBA Macro\r\nBelow is an analysis of the malicious macro component of each captured sample.\r\n2021_NovW3:\r\nThis sample has a VBA function called \"Workbook_Open()\" or \"Document_Open()\" that is executed\r\nautomatically when the file is opened. It then calls another function to write script data to a VBS file and save it in\r\nthe \"C:\\ProgramData\\\" folder. 
Next, it uses \"Wscript.exe\" to execute the VBS file.\r\nFigure 6: VBA code used to execute the dropped VBS file\r\nThe VBS file generates a PowerShell code snippet to download the Emotet malware dll into the\r\n\"C:\\ProgramData\\\" folder and then execute it using \"regsvr32.exe\".\r\nFigure 7: Script code in the dropped VBS file\r\n2021_NovW4:\r\nThis is an Excel file that uses formulas on an Excel 4.0 Macro sheet instead of a VBA Macro to execute malicious\r\ncode. As shown in Figure 8, some sheets are hidden, including the one that contains the malicious formulas. Cell\r\nA1 in sheet \"FEGFL\" carries the defined name \"Auto_Open\", a built-in name that makes Excel automatically run the formula\r\nin that cell once the file is opened.\r\nThis macro sheet includes formulas that call the API \"URLDownloadToFileA\" to download the Emotet malware\r\nfrom different URLs. It attempts to download the Emotet malware from the URL in each formula until a download\r\nis successful. The Emotet malware is a dll file saved with an .ocx file extension and executed using\r\n\"regsvr32.exe\".\r\nFigure 8: The Macro Sheet is hidden and cell A1 is named \"Auto_Open\"\r\n2021_DecW2:\r\nThis VBA code includes a function called \"AutoOpen()\" that runs automatically when the document is\r\nopened. This function saves the active document as an HTA (HTML Application) file in text format, as shown in Figure 9. At\r\nthe same time, script data is placed in the document body below the picture, hidden with the minimum\r\nfont size and a white font color (the font color has been changed to red in Figure 9 for easier viewing). Since the\r\nHTA file is saved in text format, the script data in the document body is the only part included in the file. 
The VBA Macro then uses\r\n\"explorer.exe\" on the Windows system to execute the HTA file.\r\nFigure 9: VBA code to save ActiveDocument as HTA file\r\nFigure 10: VBA code to execute the dropped HTA file\r\nScript code in the HTA file extracts JavaScript code that downloads the Emotet malware. The Emotet malware is\r\nsaved to the \"C:\\Users\\Public\" folder as a JPG file, but it is actually a dll file. In the end, the Emotet malware dll is\r\nexecuted with \"rundll32.exe\".\r\nFigure 11: Script code in the HTA file\r\n2021_DecW4:\r\nIn the hidden macro sheet \"Macro1\", cell F1 is named \"Auto_Open\" to automatically run the formula when the\r\nfile is opened. The cells below F1 contain ordinary text until cell F18, which contains the formula that is executed.\r\nThe simple formula, shown in Figure 12, uses \"mshta.exe\" to execute an HTML URL. The web page at that\r\nURL is protected by HTML Guardian, a tool that encrypts source code.\r\nFigure 12: Formula and \"Auto_Open\" in macro sheet\r\nAfter decrypting the HTML source code, there is a VBScript code snippet obfuscated with the string \"{GOOGLE}\",\r\nas shown in Figure 13. It runs a PowerShell code snippet to download and execute a script from a PNG URL. The\r\nfile at the PNG URL is not an image but a PowerShell script that contains multiple URLs for downloading the Emotet\r\nmalware. Finally, the Emotet malware is saved as a dll file in the \"C:\\Users\\Public\\Documents\\\" folder and\r\nexecuted using \"rundll32.exe\".\r\nFigure 13: VBScript code used to run a PowerShell script\r\n2022_FebW2:\r\nThis sample has the same code and execution flow as \"2021_DecW4\". 
But instead of using an Excel 4.0 Macro, it\r\nuses a VBA Macro to carry out its malicious behavior. Figure 14 shows the content of the autorun function\r\n\"AutoOpen()\". Although there are many comments, the VBA code is very simple, using \"mshta.exe\" to execute\r\nan HTML URL. As the script code and subsequent process at the HTML URL are identical to those in\r\n\"2021_DecW4\", refer to that section for more details.\r\nFigure 14: VBA code that executes an HTML URL\r\nAttack Trends in the Latest Emotet Campaign\r\nEmotet was first discovered in 2014 and continues to attack victims. The latest Emotet campaign broke out in\r\nmid-November 2021 and is spread using malicious documents attached to phishing emails. FortiGuard Labs\r\nhas been tracking these malicious documents as well as the number of variants used to evade detection in this\r\ncampaign. Figure 15 shows the daily timestamps of Emotet maldocs used from mid-November 2021 to March\r\n2022. All the samples mentioned in the previous section emerged during this period.\r\nThe first attack appeared on November 16, 2021. After that, different types of malicious documents were spread every\r\nweek until the Christmas break. Once the break ended on January 12, the campaign surged with more frequent and consistent\r\nattacks, releasing a large number and variety of malicious documents. From the end of February through the end\r\nof March, it switched to the same type of malicious document (2021_NovW4) with different phishing picture\r\ntemplates. After February 28th, new malicious documents appeared every day except for weekends, with only one\r\nor two days off.\r\nFigure 15: Timeline of the latest Emotet Maldoc campaign\r\nConclusion\r\nIn the previous section, we showed that some types of malicious documents have more timestamps on the timeline\r\nthan others. 
The pie chart in Figure 16 is based on the occurrence frequency of those timestamps and shows the usage rate\r\nof each malicious document type in this campaign. According to this chart, \"2021_NovW4\" has been the most active,\r\naccounting for more than 50% of the malicious documents discovered. The second most active is \"2021_NovW3\", consisting\r\nof 27% Excel files and 6% Word documents. It is worth mentioning that Excel files accounted for 93% of all\r\nmalicious documents, much higher than Word documents at only 7%. One possible reason is that the Excel\r\n4.0 Macro only works with Excel files. Because of this, users should be especially cautious about suspicious\r\nemails with an attached Excel file from an unknown sender.\r\nFigure 16: Types of malicious documents in the campaign\r\nFortiGuard Labs also collected the Emotet malware payloads during this period. Figure 17 shows the weekly\r\ncounts of Emotet malware, with the timestamps for each Emotet maldoc in the timeline displayed below the bar chart.\r\nWeeks with high counts coincide with the appearance of malicious documents, while weeks without malicious documents\r\nwere almost silent.\r\nFigure 17: Count of Emotet malware per week\r\nThe graph also shows that all malicious documents detected after Christmas were Excel files. Using an Excel file\r\nis more flexible because its macro type can be VBA Macro, Excel 4.0 Macro, or both. One of the benefits for the attacker is that\r\nExcel 4.0 Macro, an older technique, bypasses antivirus detection more easily than a VBA Macro.\r\nAs shown in the timeline, Emotet malware has primarily been spread since March 2022 through the malicious\r\nExcel file \"2021_NovW4\", which uses the Excel 4.0 Macro. 
We believe that the authors prefer to use Excel files\r\nwith Excel 4.0 Macro for malicious documents to reduce detection by antivirus engines.\r\nFortinet Protections\r\nFortinet customers are protected from this malware by FortiGuard’s Web Filtering, AntiVirus, FortiMail,\r\nFortiClient, FortiEDR, and CDR (content disarm and reconstruction) services:\r\nThe malicious macros inside the Excel sample can be disarmed by the FortiGuard CDR (content disarm and\r\nreconstruction) service.\r\nFortiEDR detects the Word and Excel files and the Emotet dll file as malicious based on their behavior.\r\nFortinet customers are protected from these malicious documents and malware by FortiGuard AntiVirus, which is\r\nincluded in FortiMail. It detects all malicious macro file types, including Excel 4.0 Macro samples.\r\nAll malicious documents described in this report are detected by FortiGuard AntiVirus as follows:\r\nVBA/Agent.8095!tr.dldr\r\nVBA/Agent.5A47!tr\r\nVBA/Bomber.46B3!tr.dldr\r\nXF/Agent.NN!tr.dldr\r\nXF/CoinMiner.Z!tr\r\nMSExcel/Agent.DVP!tr.dldr\r\nHTML/Sabsik.FL!tr\r\nThe Emotet malware payloads are detected by FortiGuard AntiVirus as follows:\r\nW32/Emotet.EHR!tr\r\nW32/GenKryptik.FSPR!tr\r\nW32/Emotet.1156!tr\r\nW32/Agent.FSUQ!tr\r\nW32/Kryptik.HNXJ!tr\r\nW32/Emotet.1143!tr\r\nW32/Emote.CQ!tr\r\nIn addition, Fortinet has multiple solutions designed to train users on how to understand and detect phishing\r\nthreats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nWe also suggest that organizations have their end users go through our FREE NSE training: NSE 1 – Information\r\nSecurity Awareness. 
It includes a module on Internet threats to train end users on how to identify and protect\r\nthemselves from phishing attacks.\r\nIOCs\r\nMalicious documents (SHA256):\r\nEmotet malware (SHA256):\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak"
	],
	"report_names": [
		"Trends-in-the-recent-emotet-maldoc-outbreak"
	],
	"threat_actors": [],
	"ts_created_at": 1775434401,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49c140e8985188749a21a84589a1786a0f748164.pdf",
		"text": "https://archive.orkl.eu/49c140e8985188749a21a84589a1786a0f748164.txt",
		"img": "https://archive.orkl.eu/49c140e8985188749a21a84589a1786a0f748164.jpg"
	}
}