Emotet Maldoc Analysis – Embedded DLL and CertUtil for Base64 Decoding

On 11/10/2020, AnyRun posted an Emotet maldoc that uses CertUtil to decode a DLL payload, which then unpacks and runs the Emotet trojan. This deviates from Emotet's usual approach in two ways: instead of launching an obfuscated base64 PowerShell command, the macro decodes the payload with CertUtil, and the DLL is embedded in the maldoc itself rather than retrieved from a compromised host. This video analyzes the document using both static and dynamic techniques and walks through the macro code.

The original Tweet from AnyRun can be found at: https://twitter.com/anyrun_app/status/1326157565840023553

An analysis of an Emotet document from earlier this year that uses PowerShell can be found at: https://youtu.be/u_zqw19iWPY