Initially Emotet arrives as an email lure with an XLS file attachment prompting the user to open it and then enable macros to properly view the document.
Once the malicious XLS file is run it drops an obfuscated VBS script which in turn drops an obfuscated BATCH script, finally a malicious base64 encoded powershell script is executed which contacts the Emotet controlled C2 and downloads a malicious DLL file and executes it.
This DLL file is the emotet trojan.