Blue Hexagon Blog

A Deep Look at the Stages of Emotet Malware Delivery

Emotet is a banking trojan first discovered in 2014 that has since evolved into a delivery vehicle for other malware. In July 2018, the U.S. Department of Homeland Security published an alert warning that Emotet is capable of both evading signature-based defenses and lying dormant when it detects it is running in a sandbox environment, two features that make the malware difficult to combat. Emotet has affected government organizations, private sector businesses, and individuals and, depending on the severity of the infection, can cost upwards of $1 million per incident to clean up.

The typical Emotet distribution strategy is spammed email carrying malicious script, macro-enabled document files, or malicious links. These emails are crafted with legitimate-looking subjects and topics such as payment of invoices, shipment of products, and payment details. As with any effective spam campaign, even if most of the malicious emails are blocked or deleted, a single message that is clicked or opened can have devastating results.

Hackers are constantly modifying Emotet to keep a step ahead of traditional defenses, and Blue Hexagon Labs has observed a variant in the delivery of Emotet that uses PDFs containing links to malicious Word documents. The PDF itself appears benign to traditional malware detection systems, which helps it avoid detection on delivery; once the message is past the firewall and in someone's inbox, the malicious URL is more likely to be clicked.

This is a new trend, and the challenge for security teams is that, with this approach, malware detection needs to extend into multiple stages of the kill chain to be effective. By using deep learning and Blue Hexagon's multiple models of detection, this malware was caught at each of the stages in less than a second, before it was able to infect a user's machine.

Here is an example of this new Emotet delivery scheme, together with Blue Hexagon Labs' analysis of it:

Figure 1: Emotet PDF document

Although there are signs (misspellings, poor grammar, and vague identification) that this document is bait in a phishing campaign, it does not contain any PDF exploits that would normally be caught by signature-based deployments. To a busy person, it may appear to be nothing more than a benign PDF that is part of a routine payment report, with a link to the invoice.

On first upload to VirusTotal, this document had 3/57 detections, meaning this PDF was very likely to have been delivered successfully by email to victims.

Figure 2: Detection of this Emotet variant in VirusTotal

Looking deeper into this document, we see three URIs that lead to a single destination hosting a malicious Word document. When the victim clicks the link inside the PDF, Blue Hexagon's HTTP model detects the URL as malicious and the connection is blocked.

Object Index: 15
Object Start Offset: 0xF05 (3845)
Object End Offset: 0xF8B (3979)
Detected Type: .unk
HeaderCRC: 29A73BEE

/Type /Action
/URI (


Figure 3: Three URIs which lead to a malicious Word document
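A defender triaging a PDF like this one wants exactly what Figure 3 shows: every URI action object, its byte offsets, and whether the URIs collapse to one destination. The following script is an added example, not Blue Hexagon's tooling or the sample's own content. It scans the raw bytes for indirect objects rather than walking the xref table (so a damaged or hand-crafted xref cannot hide an object), decodes both literal and hex-encoded /URI strings, and reports the distinct destinations. The embedded PDF is a constructed sample whose host name is a placeholder, not the URL from the article.

```python
import re

# Constructed sample: a minimal hand-written PDF whose three URI actions all
# point at one destination, plus one non-URI action that must not be reported.
# Assumption: the object layout mimics the /Type /Action /URI objects of Figure 3;
# "x.example" is a placeholder host, not the article's URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
15 0 obj
<< /Type /Action /S /URI /URI (http://x.example/a.doc) >>
endobj
16 0 obj
<< /Type /Action /S /URI /URI (http://x.example/a.doc) >>
endobj
17 0 obj
<< /Type /Action /S /URI /URI <687474703a2f2f782e6578616d706c652f612e646f63> >>
endobj
18 0 obj
<< /Type /Action /S /JavaScript /JS (app.alert\\(1\\)) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" for every indirect object, whatever the xref says
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# literal string: "(...)" with backslash escapes allowed inside
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)
# hex string: "<...>" with optional whitespace between digits
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _decode_literal(raw: bytes) -> str:
    """Undo PDF literal-string escapes: \\( \\) \\\\ \\n \\r \\t and \\ddd octal."""
    def unescape(m):
        esc = m.group(1)
        if re.fullmatch(rb"[0-7]{1,3}", esc):
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, raw, flags=re.DOTALL).decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list[dict]:
    """Return one record per URI found inside a /S /URI action object."""
    records = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        if not re.search(rb"/S\s*/URI\b", body):
            continue  # JavaScript, Launch, GoTo and other actions are out of scope here
        uris = [_decode_literal(u) for u in URI_LIT_RE.findall(body)]
        uris += [bytes.fromhex(re.sub(rb"\s", b"", h).decode()).decode("latin-1")
                 for h in URI_HEX_RE.findall(body)]
        for uri in uris:
            records.append({
                "object": int(m.group(1)),
                "start_offset": m.start(),  # byte offset of "N G obj", as in Figure 3
                "end_offset": m.end(),      # byte offset just past "endobj"
                "uri": uri,
            })
    return records


def distinct_destinations(records: list[dict]) -> list[str]:
    """Collapse the URI list to the set of destinations the document can reach."""
    return sorted({r["uri"] for r in records})


if __name__ == "__main__":
    recs = extract_uri_actions(SAMPLE_PDF)
    for r in recs:
        print(f"obj {r['object']:>3} @ 0x{r['start_offset']:X}-0x{r['end_offset']:X}: {r['uri']}")
    print("distinct destinations:", distinct_destinations(recs))
```

Because the scan is purely byte-based it will not see URI actions inside compressed object streams (/ObjStm); for those, inflate the stream first and feed the result back through `extract_uri_actions`.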

Continuing to the next stage of this malware, the Word document is downloaded from what we refer to as the first-stage payload URL.

The downloaded file, pg89l1zxaxd6qbmjb4l9h924loun_n1ghb5at-06078805319 (SHA-256: fd8c3fcf8ca04ddd17f6fb7f7a6463912e6f33bfaf27e765188887fde52686f0), is identified by Blue Hexagon as Emotet.

Figure 4: Blue Hexagon identifies malicious file download
Figure 5: More details on the malicious word document

The downloaded Word document, authored by Thalia Romaguera with the title Australian Dollar, contains Visual Basic for Applications (VBA) scripting similar to recent samples. There are large numbers of commented lines, random variable names, and large strings used to obfuscate the script and confuse detection methods.

At first upload to VirusTotal, this file had only 16/59 detections.

Figure 6: Detections in VirusTotal

This document takes advantage of “invisible” text objects to hold variables that will be used to download the second-stage payload. 

(The thicker line is actually 4 text objects rendered as 1-pixel blocks that contain the payload code.)

Figure 8: Invisible text object in malicious word document

Running the value through CyberChef, we are able to extract the URLs from the TextObject.

This value is read by the VBA script and contains the instructions to download the payload EXE file from one of 5 websites (if one is down, it will attempt to connect to the next).
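The same extraction can be scripted for triage instead of done by hand in CyberChef. The block below is an added example, not the author's workflow or the sample's own code: it opens a .docx as the ZIP container it is, walks word/document.xml, and pulls URLs only from runs a reader would never see. The article only states that the payload code lives in 1-pixel text objects, so the hiding properties the detector looks for (the w:vanish run property, a font size at or below 1pt, and white-coloured text) are assumptions about typical techniques, and the embedded document with its placeholder hosts is constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}
# w:sz is in half-points, so 2 == 1pt; anything at or below this is treated as invisible
MAX_HIDDEN_HALF_POINTS = 2
URL_RE = re.compile(r"https?://[^\s|\"'<>]+")


def build_sample_docx() -> bytes:
    """Constructed sample .docx: two visible runs plus three hidden runs carrying URLs.

    Assumption: hidden runs use w:vanish, a 0.5pt font size, or white text.
    Hosts are placeholders, not the article's URLs.
    """
    document_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W}"><w:body>
<w:p><w:r><w:t>Australian Dollar payment report</w:t></w:r></w:p>
<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>http://a.example/249.exe|http://b.example/249.exe</w:t></w:r></w:p>
<w:p><w:r><w:rPr><w:sz w:val="1"/></w:rPr><w:t>http://c.example/249.exe</w:t></w:r></w:p>
<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t>http://d.example/249.exe http://e.example/249.exe</w:t></w:r></w:p>
<w:p><w:r><w:t>Please see the attached invoice.</w:t></w:r></w:p>
</w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)  # other parts omitted; not needed here
    return buf.getvalue()


def _is_hidden(run) -> bool:
    """True if the run's properties make its text invisible to a reader."""
    rpr = run.find("w:rPr", NS)
    if rpr is None:
        return False
    if rpr.find("w:vanish", NS) is not None:
        return True
    sz = rpr.find("w:sz", NS)
    val = sz.get(f"{{{W}}}val", "") if sz is not None else ""
    if val.isdigit() and int(val) <= MAX_HIDDEN_HALF_POINTS:
        return True
    color = rpr.find("w:color", NS)
    return color is not None and color.get(f"{{{W}}}val", "").upper() == "FFFFFF"


def hidden_runs(docx_bytes: bytes) -> list[str]:
    """Return the text of every hidden run in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    out = []
    for run in root.iter(f"{{{W}}}r"):
        if _is_hidden(run):
            out.append("".join(t.text or "" for t in run.findall("w:t", NS)))
    return out


def hidden_urls(docx_bytes: bytes) -> list[str]:
    """URLs that appear only in hidden text, in document order."""
    return [u for text in hidden_runs(docx_bytes) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    sample = build_sample_docx()
    for url in hidden_urls(sample):
        print("hidden URL:", url)
```

Macro-enabled files (.docm) use the same container layout, so the same function applies; text parked in shapes or headers lives in other parts of the ZIP (word/header*.xml, drawing parts) and needs the same walk over those files.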

Once again, the Blue Hexagon HTTP model successfully detects these URLs as malicious as the infected host reaches out to them.

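The fallback behaviour itself, one host after another until a download succeeds, is visible in web proxy logs even when none of the individual URLs is known to be bad. The detector below is an added example, not Blue Hexagon's HTTP model: it groups executable downloads per client and raises one alert when a client asks three or more distinct hosts for an executable inside a one-minute window. The log lines and the "timestamp client method url status" layout are constructed for the example, and the hosts are placeholders.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log (assumption: "timestamp client method url status" format;
# hosts are placeholders). One client tries five hosts for the same .exe within
# seconds, moving on each time a host fails; a second client behaves normally.
SAMPLE_LOG = """\
2019-10-07T09:12:01Z 10.0.0.25 GET http://a.example/249.exe 503
2019-10-07T09:12:03Z 10.0.0.25 GET http://b.example/249.exe 404
2019-10-07T09:12:05Z 10.0.0.25 GET http://c.example/249.exe 000
2019-10-07T09:12:07Z 10.0.0.25 GET http://d.example/249.exe 503
2019-10-07T09:12:09Z 10.0.0.25 GET http://e.example/249.exe 200
2019-10-07T09:12:10Z 10.0.0.31 GET http://cdn.example/style.css 200
2019-10-07T09:15:00Z 10.0.0.31 GET http://updates.example/tool.exe 200
"""

EXEC_SUFFIXES = (".exe", ".dll", ".scr")
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_HOSTS = 3


def parse_log(text: str) -> list[dict]:
    """Split each log line into the fields the detector needs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status = line.split()
        parts = urlsplit(url)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "host": parts.hostname,
            "path": parts.path,
            "status": status,
        })
    return events


def find_fallback_downloads(events, window=WINDOW, min_hosts=MIN_DISTINCT_HOSTS):
    """Alert when one client requests executables from >= min_hosts distinct hosts within window."""
    by_client: dict[str, list[dict]] = {}
    for e in events:
        if e["path"].lower().endswith(EXEC_SUFFIXES):
            by_client.setdefault(e["client"], []).append(e)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        i = 0
        while i < len(evs):
            # all executable requests from this client inside the window starting at evs[i]
            burst = [e for e in evs[i:] if e["time"] - evs[i]["time"] <= window]
            hosts = []
            for e in burst:
                if e["host"] not in hosts:
                    hosts.append(e["host"])
            if len(hosts) >= min_hosts:
                alerts.append({
                    "client": client,
                    "first": burst[0]["time"],
                    "last": burst[-1]["time"],
                    "hosts": hosts,
                    "failed_attempts": sum(1 for e in burst if e["status"] != "200"),
                })
                i += len(burst)  # one alert per burst, then continue past it
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in find_fallback_downloads(parse_log(SAMPLE_LOG)):
        print(f"{a['client']}: {len(a['hosts'])} hosts between {a['first']:%H:%M:%S} "
              f"and {a['last']:%H:%M:%S}, {a['failed_attempts']} failed attempts: {a['hosts']}")
```

The window and host threshold are the knobs to tune against your own baseline; legitimate software updaters rarely walk several unrelated hosts for the same file name within seconds, which is why the distinct-host count, rather than the URL list, is what the rule keys on.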

The second-stage payload that is downloaded is named 249.exe (SHA-256: 9352f33597815aed4ff9832521e28d736b5b90516509c597d3ea6eff06baf522) on the victim's computer. This payload is caught by Blue Hexagon's deep learning model and identified as Emotet.

The payload's PE TimeDateStamp is Sun Oct 06 14:34:50 2019.

Figure 9: Blue Hexagon identifies second stage payload


Attackers continue to evolve malware to evade signature- and sandbox-based security controls, and AI-based threat detection solutions are the only way to keep up with polymorphic malware like Emotet. Any malware detection solution must be able to identify infection at the various phases of the kill chain (delivery, command and control, first- and second-stage payloads), and threat verdicts must be made in seconds or less to ensure we keep pace with attackers.

The Blue Hexagon deep learning models inspect both payloads and headers, ensuring that malware and its manifestations, such as command and control communications, are identified at multiple stages. Even if the attacker is able to evade one phase of the deep learning inspection, the malware will be identified at other stages.