{
	"id": "75baade2-3660-4664-ab9e-d87536aef3f9",
	"created_at": "2026-04-06T00:13:30.536582Z",
	"updated_at": "2026-04-10T03:22:00.255907Z",
	"deleted_at": null,
	"sha1_hash": "acbc681416fa8950e6e8d567cd861751eb49610e",
	"title": "Analysis of the latest Emotet propagation campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 677966,
	"plain_text": "Analysis of the latest Emotet propagation campaign\r\nBy Diego Perez\r\nArchived: 2026-04-05 14:45:53 UTC\r\nESET Research\r\nAn analysis of the workings of this new Emotet campaign, which has affected various countries in Latin America\r\nby taking advantage of Microsoft Office files to hide its malicious activity\r\n28 Dec 2018 • 3 min. read\r\nIn November, we issued warnings about a huge new spam campaign which was being used to propagate Emotet.\r\nConsidering the scale of the attack in some Latin American countries and the fact that we received numerous\r\ninquiries about it over the last few days, we decided to publish a brief explanation of how this propagation\r\ncampaign worked.\r\nIn recent years we have seen how cybercriminals have taken advantage of the Microsoft Office suite to propagate\r\ntheir threats, from simple macros embedded in files to the exploitation of vulnerabilities. On this occasion though,\r\nthe implementation is a little unusual, consisting of a downloader incorporated into an Office file. This caused\r\nconfusion among many users, who asked us to explain how the threat works.\r\nThe propagation began with an email message, which had nothing particularly special about it. As seen in\r\nFigure 1, it was pretty much the kind of email we are used to seeing in these campaigns.\r\nhttps://www.welivesecurity.com/2018/12/28/analysis-latest-emotet-propagation-campaign/\r\nPage 1 of 6\n\nFigure 1 – A typical email from this Emotet campaign\r\nAs we might expect, if the user decides to download the email attachment and open the document, it asks them to\r\nenable the macros. Again, as is usual, some justification for this requirement is provided. Figure 2 shows that in\r\nthis case it is implied this is necessary because the document was created using Office 365, but really it is so it can\r\nexecute a function embedded in the file.\r\nFigure 2 – Request to enable the document's macros\r\nClearly, this behavior is already known to be malicious. However, the trick used by the cybercriminals in this\r\ncampaign has several unusual features. If you opt to look at the macro, you find that it is not very big and at first\r\nglance, it does not seem to be one of those known macros that try to connect to a website to download some\r\ncontent... or is it?\r\nFigure 3 – The unusually compact VBA macro code in these documents\r\nLooking at the macro, what stands out clearly is that its function is to read text from an object. But where is the\r\nobject located? After searching for it, it turns out that there is an all-but-imperceptible object in the page. If you\r\nlook closely at the top-left of the page in Figure 2, you will see what appears to be a very small, square, solid,\r\nblack box. If you expand that, you can see what it contains.\r\nFigure 4 – Expanding the tiny object in the page to expose its contents\r\nEffectively, this text box contains a \"cmd\" command, which launches a PowerShell script that tries to connect to\r\nfive sites and then download the payload, which in this case is an obfuscated variant of Emotet.\r\nAs we have discussed in previous posts (for example, in this post from November 9), once the payload is\r\nexecuted, it establishes persistence on the computer and reports its success to its C\u0026C server. Having completed\r\nthis initial infection, further downloads can occur, installing attack modules and secondary payloads which carry\r\nout other kinds of actions on the compromised computer.\r\nThe various additional modules extend the range of malicious activities that can compromise the user's device, in\r\norder to steal credentials, propagate itself on the network, harvest sensitive information, carry out port forwarding,\r\nand many other possibilities.\r\nThough not at all a new technique, this small change in the way Emotet's action is hidden within the Word file\r\ndemonstrates how sneaky cybercriminals can be when it comes to concealing their malicious activity and trying to\r\ncompromise user information. Staying in the know about the kinds of techniques they might use is always going\r\nto give the defenders an advantage in identifying these malicious campaigns.\r\nSource: https://www.welivesecurity.com/2018/12/28/analysis-latest-emotet-propagation-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2018/12/28/analysis-latest-emotet-propagation-campaign/"
	],
	"report_names": [
		"analysis-latest-emotet-propagation-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434410,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/acbc681416fa8950e6e8d567cd861751eb49610e.pdf",
		"text": "https://archive.orkl.eu/acbc681416fa8950e6e8d567cd861751eb49610e.txt",
		"img": "https://archive.orkl.eu/acbc681416fa8950e6e8d567cd861751eb49610e.jpg"
	}
}