Recent Emotet Spam Campaign Utilizing New Tactics

Emotet Malware Adapts with OneNote Attachments to Deliver Payloads

Emotet is a sophisticated malware family, originally a banking trojan, that usually spreads through email attachments. It harvests confidential data from its victims, including credentials and banking details, reports it to its Command and Control (C&C) server, and is also used to install additional payloads on the infected machine.

Cyble Research and Intelligence Labs (CRIL) is closely monitoring the Emotet campaign, which recently reappeared on March 7th after three months of dormancy.

Emotet is once again sending malicious emails and infecting devices worldwide as it rebuilds its botnet. In the previous week's campaign, Emotet used ZIP attachments containing malicious DOC files and relied on a technique often called "ZIP bombing": the DOC file was padded to a very large size so that it compressed into a small archive, yet once extracted it exceeded the file-size limits of many anti-virus scanners.

In the most recent campaign, however, Emotet has changed tactics and attaches OneNote files to its spam emails instead of a ZIP archive with malicious documents. OneNote is Microsoft's digital notebook application, which lets users store ideas, thoughts and notes in one central place.

OneNote is widely used around the world, and other malware families, such as Qakbot, have already been observed delivering OneNote attachments in their spam campaigns. Threat actors (TAs) regularly change their infection techniques to evade anti-virus detection and to raise the odds of a successful compromise; that is the primary motivation behind this shift.

The delivery mechanism of Emotet malware via a spam email’s OneNote attachment is illustrated in the figure below.

Figure 1 – Emotet Delivery Mechanism

Technical Analysis

In the recent campaign, Emotet is distributed via a malicious OneNote attachment, as shown in the figure below.

Figure 2 – Initial Spam email containing OneNote file

When the user opens the attached OneNote file, a fake OneNote page is displayed that tricks the user into double-clicking to "view" the document. That double-click triggers the Emotet infection chain.

The below figure shows the fake OneNote document.

Figure 3 – Fake OneNote Page

An obfuscated script file is embedded in the OneNote document underneath the fake "View" button. OneNote allows arbitrary files to be embedded in a page as objects; when the user double-clicks the button, OneNote writes the embedded object to a temporary export directory and launches it with its default handler, which for a Windows Script File (.wsf) is wscript.exe. In this campaign the dropped file is called "click.wsf" and is executed from the following location:

  • C:\Users\[user-name]\AppData\Local\Temp\OneNote\16.0\Exported\{26E0D824-BE38-4186-AF90-9A9C389A36B0}\NT\0\click.wsf
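As an added example (not code from the original post, and not the Emotet operators' script), the following Python carves embedded objects such as click.wsf out of a OneNote file. It relies on the container the .one format uses for embedded files, the FileDataStoreObject structure documented in the MS-ONESTORE specification, and locates every instance by its header GUID rather than walking the page tree. The fixture it runs on is a constructed minimal byte blob, not a real document; the WSF text inside it is a harmless placeholder, and the signature table used to label carved blobs is the author's own shortlist.

```python
"""Carve embedded files (e.g. click.wsf) out of a OneNote .one document.

OneNote stores each embedded object in a FileDataStoreObject structure
(MS-ONESTORE): a 16-byte header GUID, an 8-byte little-endian length,
4 unused bytes, 8 reserved bytes, the file data, padding to an 8-byte
boundary, and a 16-byte footer GUID. Scanning for the header GUID is enough
to recover every embedded file regardless of which page references it.
"""
import re
import struct
import uuid
from dataclasses import dataclass

# GUIDs from the MS-ONESTORE specification, in on-disk (little-endian) byte order.
ONE_FILE_TYPE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
FDSO_FIXED_LEN = 8 + 4 + 8  # cbLength + unused + reserved, following the header GUID

# Common file signatures used to label carved blobs (lowercase, matched case-insensitively).
SIGNATURES = [
    (b"mz", "PE executable / DLL"),
    (b"<job", "Windows Script File (.wsf)"),
    (b"<?xml", "XML / WSF"),
    (b"<html", "HTML / HTA"),
    (b"\x89png", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"pk\x03\x04", "ZIP / OOXML document"),
    (b"\xd0\xcf\x11\xe0", "OLE2 / legacy Office document"),
]

@dataclass
class EmbeddedFile:
    offset: int      # offset of the header GUID inside the .one file
    size: int        # cbLength as declared in the structure
    data: bytes      # the carved file contents
    kind: str        # signature-based label
    footer_ok: bool  # whether the footer GUID follows the data as the spec requires

def is_onenote(data: bytes) -> bool:
    """True if the blob starts with the .one file-type GUID."""
    return data[:16] == ONE_FILE_TYPE_GUID

def guess_kind(blob: bytes) -> str:
    """Label a carved blob by its leading bytes (UTF-8 BOM and whitespace tolerated)."""
    head = blob[:64]
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    head = head.lstrip().lower()
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"

def carve_embedded_files(data: bytes) -> list:
    """Return every FileDataStoreObject whose declared length fits inside the buffer."""
    found = []
    for m in re.finditer(re.escape(FDSO_HEADER_GUID), data):
        fixed_start = m.end()
        if fixed_start + FDSO_FIXED_LEN > len(data):
            break
        (cb_length,) = struct.unpack_from("<Q", data, fixed_start)
        start = fixed_start + FDSO_FIXED_LEN
        end = start + cb_length
        # Never trust the declared length blindly: skip truncated or absurd entries
        # instead of slicing past the end of the file.
        if cb_length == 0 or end > len(data):
            continue
        blob = data[start:end]
        # Up to 7 padding bytes may sit between the data and the 16-byte footer GUID.
        footer_ok = data.find(FDSO_FOOTER_GUID, end, end + 8 + 16) != -1
        found.append(EmbeddedFile(m.start(), cb_length, blob, guess_kind(blob), footer_ok))
    return found

# --- constructed fixture: not a real OneNote file and not malware -------------------
SAMPLE_WSF = (b'<job id="demo"><script language="JScript">'
              b'WScript.Echo("constructed placeholder, not a payload");</script></job>')

def build_sample_one(payload: bytes) -> bytes:
    """Assemble a minimal blob: .one file-type GUID, filler, then one FileDataStoreObject."""
    fdso = FDSO_HEADER_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload
    pad = (-len(payload)) % 8
    return ONE_FILE_TYPE_GUID + b"\x00" * 48 + fdso + b"\x00" * pad + FDSO_FOOTER_GUID

if __name__ == "__main__":
    sample = build_sample_one(SAMPLE_WSF)
    print("OneNote header present:", is_onenote(sample))
    for f in carve_embedded_files(sample):
        print(f"offset=0x{f.offset:x} size={f.size} kind={f.kind!r} footer_ok={f.footer_ok}")
        print(f.data.decode("ascii", "replace")[:80])
```

Run against a real attachment, the carved blobs are what OneNote would have written into the Exported directory, so they can be hashed, de-obfuscated and detonated without ever opening the document; a blob labelled as a script, executable or HTA inside a OneNote file is itself a strong indicator.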

The below figure shows the content of the dropped obfuscated .wsf file.

Figure 4 – Obfuscated WSF file content

After de-obfuscation, the .wsf file reveals a list of URLs and the code that builds strings such as the output file name and "regsvr32", which are later used to execute the Emotet payload, as illustrated in the figure below.

Figure 5 – Content of De-obfuscated .wsf file

The de-obfuscated script also contains the code that downloads the Emotet payload from a hard-coded set of URLs. After each download the script compares the size of the received content against a threshold of 150 KB.

If the content is larger than 150 KB, the script stops trying the remaining URLs and saves the payload into the same directory the .wsf file was dropped in. The payload is given a random name such as "rad59f5c.tmp.dll" (the "rad" prefix, five hexadecimal characters and ".tmp" suffix match the names produced by the Windows Script Host FileSystemObject.GetTempName method, which makes the pattern useful for hunting) and is then executed with regsvr32.exe.

If the content is 150 KB or smaller, the script discards it and moves on to the next URL in the list. The size check presumably serves as a crude sanity test that the response is the real payload rather than an error page or a takedown placeholder, and iterating over several URLs ensures the payload is still retrieved when any single host is unavailable.

The figure below illustrates a code snippet demonstrating how the Emotet payload size is verified and executed.

Figure 6 – Code to check payload size and its execution

The figure below shows the process chain of the Emotet DLL launched via "regsvr32.exe" from the OneNote document.

Figure 7 – Emotet Process tree
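As an added detection example (not part of the original post and not Cyble's tooling), the Python below evaluates the process chain shown in Figure 7 against constructed Sysmon-style process-creation events. It encodes four checks: OneNote spawning a script host, anything executed from OneNote's embedded-object export directory, a script host handing a Temp-directory DLL to regsvr32.exe, and the rad<5 hex>.tmp naming that FileSystemObject.GetTempName produces. The events, the username "victim", the PIDs and the lure file name are constructed; the export path and GUID are the ones quoted above. The script-host list goes slightly beyond the page, which only shows wscript.exe, to cover the other interpreters OneNote lures commonly hand embedded objects to.

```python
"""Flag the OneNote -> wscript.exe -> regsvr32.exe chain in process-creation events."""
import re
from dataclasses import dataclass

# Interpreters a OneNote lure can hand an embedded object to; the page shows wscript.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
ONENOTE = "onenote.exe"
# Directory OneNote exports embedded objects to before launching them.
EXPORTED_DIR = re.compile(r"\\appdata\\local\\temp\\onenote\\[\d.]+\\exported\\", re.IGNORECASE)
# Name pattern produced by Scripting.FileSystemObject.GetTempName (radXXXXX.tmp) plus .dll.
GETTEMPNAME_DLL = re.compile(r"\\rad[0-9a-f]{5}\.tmp\.dll\b", re.IGNORECASE)
# Any DLL located somewhere under a Temp directory.
TEMP_DLL = re.compile(r"\\temp\\.*\.dll\b", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str

def image_name(path: str) -> str:
    """Lowercase file name of a Windows image path (os.path would not split on '\\' on POSIX)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events) -> list:
    """Apply the four rules to a list of {pid, ppid, image, cmdline} dicts."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        child = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        cmd = e["cmdline"]

        # 1. OneNote launching a script or command interpreter.
        if parent_name == ONENOTE and child in SCRIPT_HOSTS:
            findings.append(Finding("onenote_spawned_script_host", e["pid"], f"{parent_name} -> {child}"))
        # 2. Anything executed out of OneNote's embedded-object export directory.
        if EXPORTED_DIR.search(cmd):
            findings.append(Finding("onenote_exported_object_executed", e["pid"], cmd))
        # 3. A script host registering a DLL that lives under a Temp directory.
        if child == "regsvr32.exe" and parent_name in {"wscript.exe", "cscript.exe"} and TEMP_DLL.search(cmd):
            findings.append(Finding("script_host_regsvr32_temp_dll", e["pid"], cmd))
        # 4. regsvr32 loading a DLL named like GetTempName output, whatever the parent.
        if child == "regsvr32.exe" and GETTEMPNAME_DLL.search(cmd):
            findings.append(Finding("regsvr32_gettempname_dll", e["pid"], cmd))
    return findings

# --- constructed sample events (username, PIDs and lure name are made up) -----------
EXPORT = r"C:\Users\victim\AppData\Local\Temp\OneNote\16.0\Exported\{26E0D824-BE38-4186-AF90-9A9C389A36B0}\NT\0"

SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE" "C:\Users\victim\Downloads\invoice.one"'},
    {"pid": 4312, "ppid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": f'"C:\\Windows\\System32\\WScript.exe" "{EXPORT}\\click.wsf"'},
    {"pid": 4520, "ppid": 4312,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": f'regsvr32.exe "{EXPORT}\\rad59f5c.tmp.dll"'},
    # Benign control: a logon script launched by explorer.exe (pid 900) must not fire.
    {"pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\corp\netlogon\mapdrives.vbs"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Rule 2 is the most durable of the four: it fires on whatever OneNote launches from the Exported directory, so it survives a switch from .wsf to .hta, .vbs or .cmd, while rules 3 and 4 catch the regsvr32 stage even if the script host is renamed or proxied through cmd.exe.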

Upon execution, Emotet runs quietly in the background and connects to its Command and Control (C&C) server to receive further instructions or to install additional payloads.

The following image depicts the most frequently utilized OneNote filenames employed by the Emotet spam campaign.

Figure 8 – Top OneNote filenames used by the Emotet spam campaign


Emotet is a complex and persistent malware family that has affected users worldwide. Threat actors continually adjust their tactics to stay ahead of defenders, and Emotet is a prime example.

In previous campaigns the TAs used ZIP bombing to distribute Emotet; they have now switched to OneNote attachments carrying an embedded WSF script that fetches and runs the Emotet payload. Although the latest campaign uses a new way of infecting victims through OneNote, the behaviour of the Emotet payload itself has not changed significantly.

CRIL is closely monitoring the Emotet campaign and will keep readers updated as it evolves. After a hiatus of several months, the campaign is expected to keep introducing new tactics, techniques and procedures for distributing the malware.

Our Recommendations

We have listed some essential cybersecurity best practices that form the first line of defence against attackers. We recommend that readers follow them:

Safety measures to prevent attacks from similar threats and reduce their impact

  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on automatic software updates on your computer, mobile and other connected devices wherever possible and practical.
  • Use a reputable anti-virus and Internet security package on all connected devices, including PCs, laptops and mobiles.
  • Do not open untrusted links or email attachments without verifying their authenticity. Treat .one attachments from external senders with the same suspicion as macro-enabled documents, and block or quarantine them at the mail gateway where the business does not need them.
  • Monitor for OneNote spawning script interpreters such as wscript.exe, and for regsvr32.exe loading DLLs from user-writable Temp directories; both steps are visible in the process chain described above.
  • Back up regularly and keep backups offline or on a separate network.
  • Do not keep important files in common locations such as the Desktop or My Documents.

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Initial Access       T1566.001      Spearphishing Attachment
Execution            T1204          User Execution
Execution            T1059          Command and Scripting Interpreter
Defense Evasion      T1140          Deobfuscate/Decode Files or Information
Defense Evasion      T1564.003      Hidden Window
Defense Evasion      T1112          Modify Registry
Persistence          T1547.001      Registry Run Keys / Startup Folder
Discovery            T1082          System Information Discovery
Discovery            T1083          File and Directory Discovery
Discovery            T1007          System Service Discovery
Command and Control  T1071          Application Layer Protocol
Command and Control  T1105          Ingress Tool Transfer

Indicators of Compromise (IOCs)

Indicators                                                         Indicator Type   Description
                                                                                    Spam Email
                                                                                    OneNote Attachment
                                                                                    WSF file
c156c00c7e918f0cb7363614fb1f177c90d8108a                           SHA1
2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253   SHA256
                                                                                    Emotet Dll File
