world tour:
Join us for a live look at how Menlo’s Secure Enterprise Browser puts you ahead of attackers
Icon Rounded Closed - BRIX Templates

Emotet Trojan Malware: A Small change in tactics leads to a spike in attacks

Krishnan Subramanian
February 10, 2019
linkedin logotwitter/x logofacebook logoSocial share icon via eMail

Since mid-January 2019, Menlo Security has witnessed an uptick in the Emotet Trojan activity across our customer base, Based on our research we wanted to share some of the interesting observations.

Emotet dates back to 2014 and has been evolving ever since then. Emotet was originally designed as a banking malware that attempted to steal sensitive and private information from infected endpoints. As the campaign evolved, the Emotet group added the ability to be a malware delivery service—including to other banking Trojans. According to a US-CERT alert published in 2018, “Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.” Based on the Emotet activity we saw across our logs, we will focus this blog on three of its aspects:

  • The top categories being abused to host malicious documents and the industries being targeted by Emotet
  • A specific delivery mechanism currently being used: Embedded macros inside XML files disguised as Word documents
  • Use of “Invoke-DOSfucation” techniques in Windows command line/powerShell

Emotet Malware Delivery

 We have seen the Emotet malicious document delivered in two different ways:

  • Via a URL hosted on attacker-controlled infrastructure
  • As an email attachment

The following chart shows a distribution of industries being targeted by Emotet based on the data we collected in January 2019.

pie chart showing business being the most targeted industry, followed by unknown, gambling, and restaurants/dining

Based on the same data, the click-time category distribution for the websites hosting the malicious documents is shown below. (Each click to a link is categorized using the standard categorization databases available.)

pie chart showing business being the most targeted industry, followed by unknown, gambling, and restaurants/dining

The Business category is the most prominent; hosting malicious files behind legitimate categories makes this attack increasingly difficult to detect.

We have also seen these malicious documents delivered via email attachments. The following is a sample of the email “Subject:” header values and “From:” address domains used.

screenshot of various phishing subject lines and senders

It is not surprising that these infected documents are using embedded macros to deliver the Trojan, as this is very typical of Emotet. In the set of documents, we saw, 80 percent were disguised as Word documents with a .doc extension, but they were actually XML files. This technique is probably used to evade sandboxes, since sandboxes typically use the true file type and not the extension to identify the application, they need to run in inside the sandbox. While the true file type is XML, it is still opened in Microsoft Word at the endpoint, thereby prompting the user to enable the malicious embedded macro. The remaining 20 percent of malicious documents we saw were standard Word documents with an embedded malicious macro. For 10 percent of the malicious files we saw, the antivirus (AV) scan results were unknown (in other words, none of the AV vendors classified the initial document as malicious).

Emotet Analysis

The content of the initial documents used different message themes with the appropriate Microsoft Office logos to trick the user into enabling the embedded macro in the document.

screenshot of themed messages instructing users to turn on macros

In some documents, we observed that viewing the contents of the macro was disabled, and the VBA Project was locked down, possibly with an intent to thwart the analysis of the macro’s contents.

project locked popup


We saw two different types of malicious document formats used.

The first type, and the more prominent one, was an XML file that contains the standard XML header, plus the Microsoft Word Document XML format tags. This is followed by Base64 encoded data, which contains the compressed and obfuscated VBA macro code. The file itself was named with a .doc extension.

screenshot of xml file

The technique of disguising a Word document as an XML document with Base64 encoded data is probably done to evade antivirus detection. Looking at our log data for these files, the click-time antivirus scan results for these files had a poor detection ratio.

antivirus showing 4 engines detecting file

The second type of documents consisted of regular Microsoft Word documents that had a malicious embedded macro in them.

Embedded Macro

The embedded VBA macro was highly obfuscated, with dead code insertion. The macro ends up calling a shell function with the vbHide parameter set. Some interesting points on how the remaining commands get built after the shell function gets called from the VBA macro:

  • Stores encoded variable content in environmental variables using the “set” command.
  • Usage of “Invoke-DOSfucation” techniques, for example: %ProgramData:~0,1%%ProgramData:~9,2% This is the encoded form of “cmd” (the command-line shell).
  • Passes command-line arguments /V and /C to cmd and adds another level of execution. The /V option uses delayed variable expansion; this option is leveraged to dynamically generate a variable and use this to spawn another cmd process. The /C option is used to run the command and terminate the process.
  • Multiple levels of cmd processes are spawned, and the last cmd process in the tree ends up calling PowerShell.
  • This Powershell script makes use of the Net.WebClient class method DownloadFile to download the initial Emotet payload to the TEMP directory and start the process.
  • In certain documents, we also saw the PowerShell script calling Get-Item and checking the size of the file to make sure it was greater than a certain limit, and then calling Invoke-Item to execute the payload.
  • We also observed that the PowerShell script tries a list of URLs (probably the attacker’s command-and-control servers) in a loop and breaks when one succeeds.


flowchart diagram

Example VBA making call to “Shell” function, with the “vbHide” parameter set:

screenshot of vba making call

Example CMD/PowerShell script from one of the observed samples making use of “Invoke-DOSfucation” techniques.

screenshot of CMD/PowerShell script

After successful execution of the PowerShell script, we saw that the final delivered payload was the Emotet Trojan, which establishes a command-and-control channel with the attacker’s infrastructure. Over the years, Emotet has become highly customizable, so the attackers can use this command-and-control channel to send additional malware.


Domains (Hosting the Malicious Documents):














URLs (PowerShell Callbacks):










Emotet Payload Hashes








Email "From:" Address Domains
















Email MIME Type:

application/xml and filename endswith .doc

NOTE: Most of the above-mentioned URLs/domains might no longer be active.



In the past, we have seen Emotet being delivered through regular macro-infested Word documents, but this technique of disguising an XML document as a Word document seems to be a recent change in the delivery technique. With such constant changes in tactics from the Emotet threat actors, we foresee that this campaign will continue to evolve and become more sophisticated. In 2018, we observed that Emotet was among the top banking Trojans, and we expect this trend to continue in 2019.

Check out the Remote browser adoption overview from Gartner and Magic Quadrant for Secure Web Gateway to see why Menlo Zero Trust solutions continue to be the answer to security concerns.