Josh Stroschein

Emotet Maldoc Analysis – Embedded DLL and CertUtil for Base64 Decoding

Updated: Feb 11

On 11/10/2020, AnyRun posted an Emotet maldoc that uses CertUtil to decode a base64-encoded DLL payload, which then unpacks and runs the Emotet trojan. This deviates from the usual Emotet approach in two ways: instead of an obfuscated base64 PowerShell command, the macro calls CertUtil to do the decoding, and instead of retrieving the DLL from a compromised host, the document carries it embedded. This video analyzes the document with both static and dynamic techniques and walks through the macro code.
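As an added example (this is not code from the video or from AnyRun's post), here are two defender-side checks for the technique described above: flagging certutil decode activity spawned by an Office application, and locating base64 runs inside document text that decode to a PE image. The process events and document text are constructed sample data; the certutil switches -decode and -decodehex are real, but the paths and file names are assumptions.

```python
import base64
import re

# Constructed Sysmon-style process-creation events: (parent image, child image, command line).
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "C:\\Windows\\System32\\certutil.exe",
     "certutil -decode C:\\Users\\Public\\payload.txt C:\\Users\\Public\\payload.dll"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\certutil.exe",
     "certutil -verify C:\\temp\\cert.cer"),  # benign certutil use, not a decode
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe"),
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")

def is_suspicious_certutil(parent, image, cmdline):
    """True when certutil performs a base64/hex decode and its parent is an Office app."""
    child = image.lower().rsplit("\\", 1)[-1]
    par = parent.lower().rsplit("\\", 1)[-1]
    return (child == "certutil.exe" and par in OFFICE_PARENTS
            and re.search(r"(?i)-decode(hex)?\b", cmdline) is not None)

def find_suspicious(events):
    """Return the command lines of events that match the Office -> certutil decode pattern."""
    return [cmd for parent, image, cmd in events if is_suspicious_certutil(parent, image, cmd)]

# Long runs of base64 alphabet characters (200+), optionally padded.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def embedded_pe_blobs(text):
    """Return the base64 runs in `text` that decode to a PE image (start with the MZ header)."""
    found = []
    for match in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: malformed run, skip it
            continue
        if raw[:2] == b"MZ":
            found.append(match.group(0))
    return found

# Constructed macro-like text carrying a fake PE (MZ header followed by filler bytes).
SAMPLE_DOC_TEXT = 'Sub AutoOpen()\n s = "' + base64.b64encode(b"MZ" + b"\x90" * 200).decode() + '"\nEnd Sub'
```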



The original Tweet from AnyRun can be found at: https://twitter.com/anyrun_app/status/1326157565840023553


Analysis of an Emotet document that uses PowerShell from earlier this year can be found at: https://youtu.be/u_zqw19iWPY
