{
	"id": "f133818c-e20a-4985-a8d1-1071abccdc10",
	"created_at": "2026-04-06T00:15:32.505638Z",
	"updated_at": "2026-04-10T03:35:43.306897Z",
	"deleted_at": null,
	"sha1_hash": "c7dfe735fbb1d6e4c3366aa16991eb2c086c4e53",
	"title": "Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116869,
	"plain_text": "Quick Post: Spooky New PowerShell Obfuscation in Emotet\r\nMaldocs\r\nPublished: 2020-11-06 · Archived: 2026-04-05 18:23:46 UTC\r\nEmotet is a modular malware delivery platform that has consistently dominated the commodity malware threat\r\nlandscape over the past couple of years. It has evolved from a straightforward banking trojan into a full-fledged\r\nmalware distribution service, delivering a variety of payloads for other threat actor groups. The U.S. Department\r\nof Homeland Security states that Emotet infections cost state and local governments up to $1 million to remediate.\r\nEmotet is operated by the threat group tracked as Mummy Spider.\r\nEmotet is commonly delivered in phishing campaigns via a macro-enabled Word document. I recently had a newer\r\nEmotet maldoc come across my desk. The part that interested me about this document was that the PowerShell\r\nobfuscation scheme had changed significantly for the first time in a few months. I thought it would be worthwhile\r\nto write a quick post with a few details about this new PowerShell script and provide a handy CyberChef recipe so\r\nthat analysts and responders could quickly decode these PowerShell Scripts.\r\nI won’t dig as deep as I usually do here as Brad Duncan has already done a nice writeup on this campaign over at\r\nthe SANS ISC blog. If readers are interested in seeing more details regarding dynamic analysis, I highly\r\nrecommend checking it out here.\r\nThe overall infection chain in this case remains pretty much the same: a malicious Word document that is\r\nweaponized with macros is opened, which invokes a WMI process call that spawns a PowerShell script. That\r\nscript attempts to download the core binary from a septet of URL resources.\r\nThe Document\r\nThis document was related to the spam runs from 10/29/20 and leveraged a Halloween Party-themed social\r\nengineering lure.\r\nfilename: Party Invitation.doc\r\nSHA256: ed51269c3602786ff6ddef3a808d8178d26e4e5960f4ac7af765e4bd642128dd\r\nI pulled the document down from VirusTotal. These campaigns still appear to be using the “upgrade your edition of\r\nMicrosoft Word” template in order to induce the victim into enabling macros. Much more about related campaigns\r\nis available thanks to the incredible work of the Cryptolaemus team here.\r\nhttps://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/\r\nPage 1 of 3\n\nEmotet doc downloader template\r\nThe PowerShell script that is executed when macros are enabled is base64 encoded per usual. Peeling back the\r\nfirst layer of obfuscation reveals the following:\r\nThe URLs that are hosting the next stage payload, which is the Emotet loader, are obfuscated with a string\r\nreplacement operation. This is slightly more complex than the recent techniques, but still leverages an empty\r\nstring replacement for ‘[]w’ and ‘ jjkgS []’, while a character replacement is used to swap ‘][ 1’ for the slash ‘/’\r\ncharacter. At that point, an analyst would just need to split the string at the “@” delimiter, use a regular\r\nexpression to isolate URL patterns, and then defang for sharing.\r\nhxxps[://]enjoymylifecheryl[.]com/wp-includes/FPNxoUiCz3/\r\nhxxps[://]homewatchamelia[.]com/wp-admin/qmK/\r\nhxxps[://]seramporemunicipality[.]org/replacement-vin/Ql4R/\r\nhxxps[://]imperfectdream[.]com/wp-content/xb2csjPW6/\r\nhxxps[://]mayxaycafe[.]net/wp-includes/UxdWFzYQj/\r\nhxxps[://]420extracts[.]ca/cgi-bin/Ecv/\r\nhxxps[://]casinopalacett[.]com/wp-admin/voZDArg/\r\nHere is the code for the recipe in Chef format, which I also have on my GitHub:\r\nFrom_Base64('A-Za-z0-9+/=',true)\r\nRemove_null_bytes()\r\nFind_/_Replace({'option':'Simple string','string':'+'},'',true,false,true,false)\r\nFind_/_Replace({'option':'Simple string','string':'('},'',true,false,true,false)\r\nFind_/_Replace({'option':'Simple string','string':')'},'',true,false,true,false)\r\nFind_/_Replace({'option':'Simple string','string':'\\''},'',true,false,true,false)\r\nFind_/_Replace({'option':'Simple string','string':'[]w'},'',true,false,true,false)\r\nFind_/_Replace({'option':'Simple string','string':' jjkgS []'},'',true,false,true,false)\r\nFind_/_Replace({'option':'Simple string','string':'][ 1'},'/',true,false,true,false)\r\nSplit('@','\\\\n')\r\nRemove_whitespace(true,false,false,false,false,false)\r\nRegular_expression('URL','([A-Za-z]+://)([-\\\\w]+(?:\\\\.\\\\w[-\\\\w]*)+)(:\\\\d+)?(/[^.!,?\"\u003c\u003e\\\\[\\\\]{}\\\\s\\\\x7F-\\\\xFF]*(?\r\nDefang_URL(true,true,true,'Valid domains and full URLs')\r\nThis Direct Link has the recipe already preloaded in CyberChef.\r\nSummary\r\nSo that’s it. Just a quick look at some new PowerShell obfuscation used by Mummy Spider in recent campaigns.\r\nThese tactics used to change quite frequently but the cadence of updates has slowed considerably as of late. As\r\nalways, CyberChef is my preferred tool for de-obfuscating these scripts to quickly extract the network indicators\r\nof compromise in order to increase velocity during an Incident Response investigation.\r\nReferences\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.emotet\r\nhttps://www.us-cert.gov/ncas/alerts/TA18-201A\r\nhttps://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/\r\nhttps://gchq.github.io/CyberChef/\r\nhttps://isc.sans.edu/forums/diary/Emotet+Qakbot+more+Emotet/26750/\r\nhttps://www.virustotal.com/gui/file/ed51269c3602786ff6ddef3a808d8178d26e4e5960f4ac7af765e4bd642128dd/detection\r\nhttps://paste.cryptolaemus.com/emotet/2020/10/29/emotet-malware-IoCs_10-29-20.html\r\nhttps://github.com/Sec-Soup/CyberChef-Recipes/blob/master/Emotet-Recipe_20200826\r\nSource: https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/"
	],
	"report_names": [
		"quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434532,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7dfe735fbb1d6e4c3366aa16991eb2c086c4e53.pdf",
		"text": "https://archive.orkl.eu/c7dfe735fbb1d6e4c3366aa16991eb2c086c4e53.txt",
		"img": "https://archive.orkl.eu/c7dfe735fbb1d6e4c3366aa16991eb2c086c4e53.jpg"
	}
}