Josh Stroschein

Emotet Maldoc Analysis – Embedded DLL and CertUtil for Base64 Decoding

Updated: Feb 11

On 11/10/2020, AnyRun posted an Emotet maldoc that used CertUtil to decode a DLL payload, which then unpacked and ran the Emotet trojan. This deviates from the usual pattern in two ways: instead of an obfuscated base64 PowerShell command, the macro hands a base64 blob to CertUtil for decoding, and the DLL is embedded in the maldoc itself rather than retrieved from a compromised host. This video analyzes the document with both static and dynamic techniques and walks through the macro code.
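The two things that make this sample unusual, a base64-encoded DLL stored inside the document and `certutil -decode` used to turn it back into a file, are both things an analyst can check for without running the macro. The script below is an added example written for this post, not code from the video or from the AnyRun sample: it carves long base64 runs out of a document's bytes, decodes them the way CertUtil would, and keeps only those that decode to a PE file, and it flags process command lines that invoke CertUtil's decode verbs. The embedded "document" and the fake DLL header it contains are constructed here for the demonstration; the 256-character minimum run length is an assumption chosen to suppress noise.

```python
import base64
import binascii
import re
import struct

# Runs of the base64 alphabet at least 256 characters long (assumed threshold;
# a real DLL encodes to far more than this, so short identifiers are ignored).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")

# CertUtil verbs that write decoded bytes to disk (-decode is the one this maldoc uses;
# -decodehex is the hex-input equivalent and is included as a generalization).
CERTUTIL_DECODE = re.compile(r"\bcertutil(\.exe)?\b.*\s-(decodehex|decode)\b", re.IGNORECASE)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' DOS header and 'PE\\0\\0' at the e_lfanew offset."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_base64_pe(data: bytes):
    """Return a list of (offset, decoded_bytes) for base64 runs that decode to a PE file."""
    hits = []
    for m in B64_RUN.finditer(data):
        chunk = m.group(0)
        # CertUtil tolerates missing '=' padding; do the same before strict decoding.
        chunk += b"=" * (-len(chunk) % 4)
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except binascii.Error:
            continue  # not valid base64 after all (e.g. a long hex string)
        if looks_like_pe(decoded):
            hits.append((m.start(), decoded))
    return hits


def suspicious_certutil(cmdline: str) -> bool:
    """True if a process command line uses CertUtil to decode a file to disk."""
    return bool(CERTUTIL_DECODE.search(cmdline))


def build_sample_pe() -> bytes:
    """Constructed stand-in for a DLL: a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> start of the PE signature
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 300


# Constructed sample document: VBA-looking text with the base64 DLL stored inline.
SAMPLE_DOC = (
    b'Attribute VB_Name = "ThisDocument"\r\n'
    b"' constructed sample: base64 blob stored as document text\r\n"
    + base64.b64encode(build_sample_pe())
    + b"\r\nSub AutoOpen()\r\nEnd Sub\r\n"
)

# Constructed process-creation log lines, as a sensor might record them.
SAMPLE_CMDLINES = [
    "certutil.exe -decode C:\\Users\\Public\\payload.txt C:\\Users\\Public\\payload.dll",
    "certutil -verify -urlfetch user.cer",
]

if __name__ == "__main__":
    for offset, blob in carve_base64_pe(SAMPLE_DOC):
        print(f"embedded PE at offset {offset}, {len(blob)} bytes after decoding")
    for line in SAMPLE_CMDLINES:
        print(("SUSPICIOUS " if suspicious_certutil(line) else "ok         ") + line)
```

Running this against a real .doc requires feeding it the right bytes: OLE compound files split content across streams, so in practice you would run `carve_base64_pe` over the extracted VBA source or individual streams (oletools' olevba output, for example) rather than over the raw container. The carved PE can then be hashed and loaded into a disassembler exactly as the video does with the CertUtil output, and the command-line check is a reasonable seed for a process-creation detection, since CertUtil decoding a file under a user-writable path is rarely legitimate.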

The original Tweet from AnyRun can be found at:

Analysis of an Emotet document that uses PowerShell from earlier this year can be found at:



