The routine for bringing Emotet onto the system starts with the victim launching the fake document; code in the embedded macro then downloads and installs the malware on the system.
This is done by first invoking PowerShell, which contacts Emotet's distribution center to retrieve the payload. After the download, the malware strain is deployed on the victim's computer.
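The launch chain described above (document, macro, PowerShell) leaves a recognizable process ancestry that defenders can alert on. The check below is an added example, not code from the article or the researchers it cites; the event field names, process-name lists and sample records are constructed assumptions, and it also follows intermediate processes such as cmd.exe, which goes beyond the direct case in the text.

```python
import ntpath

# Assumed process names; extend to match the Office and PowerShell builds in your estate.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation records (fields modelled on typical EDR/Sysmon output).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Interactive PowerShell started from the desktop: must not be flagged.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def exe_name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path or "").lower()


def office_spawned_powershell(events):
    """Return (office_pid, powershell_pid) for each PowerShell with an Office ancestor."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if exe_name(event["image"]) not in POWERSHELL:
            continue
        seen = set()  # guards against loops caused by PID reuse in the data
        parent = by_pid.get(event["ppid"])
        while parent and parent["pid"] not in seen:
            seen.add(parent["pid"])
            if exe_name(parent["image"]) in OFFICE:
                hits.append((parent["pid"], event["pid"]))
                break
            parent = by_pid.get(parent["ppid"])
    return hits


if __name__ == "__main__":
    for office_pid, ps_pid in office_spawned_powershell(SAMPLE_EVENTS):
        print(f"ALERT: PowerShell pid {ps_pid} descends from Office pid {office_pid}")
```

In production data, key the lookup on a unique process identifier (such as a process GUID) rather than the PID alone, since PIDs are reused over time.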
Although the threat first gained infamy for its banking trojan capabilities, its current feature list shows its evolution into modular malware capable of delivering a variety of other payloads: banking trojans, information stealers, malware that collects emails, and ransomware.
The security researchers say that the features constantly added to the malware will keep Emotet at the top of the crimeware landscape.