If you read our earlier post you are already familiar with Emotet. Recently Minerva prevented a new wave of Emotet attacks, a special Christmas-themed Emotet campaign – “Emotet Grinch”.

Cybercriminals are recently pushing this malware highly aggressively, finding ways to consistently evade baseline security controls to compromise systems. At the end of December Minerva prevented a new wave of Emotet attacks, a special Christmas-themed Emotet campaign. The “Emotet Grinch” infection starts with an email containing a link to a malicious document named “Your Holidays eCard.doc”. Like many other cases, the document lures the victim to enable the embedded malicious macro:

Your Holidays eCard.doc, luring a victim to enable macro execution


The next stage of the attack is similar to an earlier Emotet campaign: the macro executes cmd.exe with the following string as its argument:

The script includes some dummy lines, hiding the string “powershell” in multiple variables, carefully assembling it and launching the next stage of the attack, which is a fileless PowerShell payload. In earlier campaigns the payload started with an obfuscated Invoke-Expression call followed by a string interpreted as yet another nested PowerShell script:

Older Emotet variant, before the nested PowerSHell payload – an obfuscated “iex”


The environment variable “comspec” is the path to cmd.exe; when carefully selecting the characters in the correct position the string “iex” is assembled, an alias of Invoke-Expression:

Unlike earlier attacks, this time the Emotet Grinch decided to wrap its “gift” to the victims with triple(!) Invoke-Expression layers. Each layer abuses a command that returns a pre-determined value to craft the golden “iex” string:

First layer, abuses “MaximumDriveCount”

Second layer, abuses the “$Shellid” variable


Third and last layer, abuses “$VerbosePreference”


This “iex matryoshka” obfuscation technique is combined with string replacements (e.g. replace “garBaGe” with the letter “c”), allowing it to bypass static scans and many security products which fail to “peel” enough layers before reaching its malicious functionality.

Once the deobfuscation is completed, the following script is executed on the victim’s system:

The final deobfuscated script

In its deobfuscated form, this is an elementary PowerShell script, downloading Emotet’s executable payload from a hardcoded list of 5 domains, executing it under a random numeric name.

It is worth noting that, just like earlier Emotet executable payload, it’s possible to vaccinate endpoints against this Emotet campaign using Minerva’s DIY Emotet vaccination:

Emotet terminates itself once files related to environment analysis are found

Multiple capabilities of Minerva’s Anti-Evasion Platform are able to prevent Emotet infections. The earliest one to kick in is our Malicious Document Prevention module, which breaks the infection chain before it even has a chance to launch it first stage from the infected document.

Want to hear more about Minerva’s Anti-Evasion Platform? Contact us for a demo!



Analyzed Document SHA256


URLs serving the executable payload






Many other URLs are available on daily basis on this Pastebin page by @NelsonSecurity:


URLs serving the malicious document