2021-12-01

Emotet and App Installer

Level: Tactical | Source: Twitter - @malware_traffic


As Sophos reported on November 11th 2021, Emotet malware is following the same tactics BazarLoader used to abuse Windows App Installer packages, according to Twitter security researcher @malware_traffic. The attack chain starts with an email built on a stolen reply chain, carrying a URL that claims to point at a PDF document. The link leads to a page styled to look like Google Drive, which triggers the download of a file hosted on Microsoft Azure at a .web.core.windows.net URL. Installing the supposed Adobe PDF component drops a DLL into the %Temp% folder, executes it with rundll32, and creates an autorun entry for persistence.
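The last two steps of that chain, a DLL executed by rundll32 from %Temp% and an autorun entry pointing at it, are the parts a defender can see in endpoint telemetry. The following is an added detection sketch written for this page, not code from Anvilogic, Sophos or @malware_traffic. The events are constructed samples loosely modelled on Sysmon process-creation (EventID 1) and registry-value-set (EventID 13) records; the field names, the user profile paths and the AppInstaller.exe parent image are assumptions made for the example.

```python
import re

# Constructed sample telemetry, loosely modelled on Sysmon process-creation
# (EventID 1) and registry-value-set (EventID 13) records. Field names and
# paths are assumptions for this example, not data from the write-up.
SAMPLE_EVENTS = [
    {   # 0: benign rundll32 use from a system path
        "event_id": 1,
        "image": r"C:\Windows\System32\rundll32.exe",
        "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {   # 1: DLL executed from %Temp%, as in the described chain
        "event_id": 1,
        "image": r"C:\Windows\System32\rundll32.exe",
        "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\AdobePDFComponent.dll,DllRegisterServer",
        "parent_image": r"C:\Program Files\WindowsApps\AppInstaller.exe",  # assumed parent image
    },
    {   # 2: autorun entry whose data points at the same %Temp% DLL
        "event_id": 13,
        "image": r"C:\Windows\System32\rundll32.exe",
        "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\AdobePDF",
        "details": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\AdobePDFComponent.dll,DllRegisterServer",
    },
    {   # 3: unrelated registry write that must not fire
        "event_id": 13,
        "image": r"C:\Windows\explorer.exe",
        "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "details": "DWORD (0x00000001)",
    },
]

# A DLL path sitting under any ...\Temp\ directory (case-insensitive).
TEMP_DLL_RE = re.compile(r"\\temp\\[^\s,]+\.dll\b", re.IGNORECASE)
# Classic Run / RunOnce autorun locations.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def rundll32_temp_dll(ev: dict) -> bool:
    """Process creation: rundll32 loading a DLL from a Temp directory."""
    return (ev.get("event_id") == 1
            and is_rundll32(ev.get("image", ""))
            and TEMP_DLL_RE.search(ev.get("command_line", "")) is not None)


def run_key_temp_dll(ev: dict) -> bool:
    """Registry set: a Run/RunOnce value whose data references a Temp-directory DLL."""
    return (ev.get("event_id") == 13
            and RUN_KEY_RE.search(ev.get("target_object", "")) is not None
            and TEMP_DLL_RE.search(ev.get("details", "")) is not None)


def analyze(events: list) -> list:
    """Return (rule_name, event_index) for every event a rule matches."""
    findings = []
    for idx, ev in enumerate(events):
        if rundll32_temp_dll(ev):
            findings.append(("rundll32_temp_dll", idx))
        if run_key_temp_dll(ev):
            findings.append(("run_key_temp_dll", idx))
    return findings


def severity(findings: list) -> str:
    """Execution plus persistence seen together is stronger than either alone."""
    rules = {rule for rule, _ in findings}
    if {"rundll32_temp_dll", "run_key_temp_dll"} <= rules:
        return "high"
    return "medium" if rules else "none"


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for rule, idx in hits:
        print(f"{rule}: event {idx} -> {SAMPLE_EVENTS[idx]['image']}")
    print("severity:", severity(hits))
```

Each rule fires on its own, but the severity step is the useful part: rundll32 loading a DLL from a Temp directory will occasionally show up in legitimate installers, while the same Temp DLL also being written into a Run key is much harder to explain benignly. In production the two events would be joined on host and user, and the Temp-directory regex widened to whatever temp locations the environment actually uses.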
