TrickBot is a malware family first captured by FortiGuard Labs and then analyzed by me back in 2016. TrickBot is a module-based malware, which means it can extend its functionalities by downloading new modules from its C&C server and executing them on its victim’s device. While it was initially identified as a banking Trojan, it has gradually extended its functionalities to collect credentials from its victims’ email accounts, browsers, installed network apps, and so on. It is also able to send spam to its victim’s email contacts, as well as deliver other malware to the victim’s device, such as Emotet. Recently, FortiGuard Labs captured an MS Office Word sample in the wild that is spreading a new variant of TrickBot. I did an analysis on this sample file, and in this post I will explain how it works on the victim’s machine.

When the malicious Word document is opened with MS Office Word, it requests input, as shown in Figure 1, by asking the victim to click the “Enable Content” button to enable the document’s Macro feature. Once this is done, its malicious Macro (VBA code) is executed. On the form there is a Label control containing the malicious JS code, outlined with a red rectangle. One of the VBA modules has an autorun() function that is called automatically when the Word document opens. The VBA code then extracts two files onto the victim’s system.
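The chain described above (an auto-executing macro, a payload string hidden in a form control's Caption, a file written to disk and then launched) is exactly what a static macro triage scanner looks for. The following Python script is an added example written for this post, not code from the TrickBot sample or from FortiGuard; it runs over a constructed VBA module embedded inline, lists the auto-execute entry points, follows the calls from those entry points to find which procedures actually run on open, and reports the suspicious keywords found only in that reachable code. The procedure names, file names and patterns in it are assumptions chosen to illustrate the technique.

```python
import re
from typing import Dict, List, Set

# Constructed VBA module, written to exercise the scanner. It mimics the
# structure described in the post (auto-exec entry point -> helper that writes
# a form Label's Caption to disk and runs it) but is not the sample's macro.
SAMPLE_VBA = r'''
Sub AutoOpen()
    autorun
End Sub

Private Sub autorun()
    Dim fso As Object, f As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.CreateTextFile(Environ("TEMP") & "\stage.js", True)
    f.Write UserForm1.Label1.Caption
    f.Close
    Shell "wscript.exe " & Environ("TEMP") & "\stage.js", vbHide
End Sub

Sub Helper()
    MsgBox "never called"
End Sub
'''

# Procedure names Word/Excel invoke automatically (real VBA auto-exec triggers).
AUTOEXEC_NAMES = {
    "autoopen", "auto_open", "autoexec", "document_open",
    "workbook_open", "autoclose", "document_close",
}

# Regex -> short reason. Matched only inside code reachable from an entry point.
SUSPICIOUS = {
    r"\bCreateObject\b": "instantiates a COM object",
    r"Scripting\.FileSystemObject": "file-system access object",
    r"\bCreateTextFile\b|\bSaveToFile\b": "writes a file to disk",
    r"\bShell\b|\bShellExecute\b": "executes a command or script",
    r"\.Caption\b": "reads text from a form control (common payload hiding spot)",
    r"\bEnviron\b": "resolves environment paths such as %TEMP%",
}

# Captures "Sub name(" ... "End Sub" (or Function) with its body as group 2.
PROC_RE = re.compile(
    r"^[ \t]*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(.*?\n"
    r"(.*?)^[ \t]*End\s+(?:Sub|Function)",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)


def extract_procs(vba: str) -> Dict[str, str]:
    """Map each procedure name (lower-cased) to its body text."""
    return {m.group(1).lower(): m.group(2) for m in PROC_RE.finditer(vba)}


def reachable_from_autoexec(procs: Dict[str, str]) -> Set[str]:
    """Walk the call graph from every auto-exec entry point; names are matched
    as whole words inside procedure bodies, so a helper that is defined but
    never called (like Helper above) is left out."""
    seen: Set[str] = set()
    stack: List[str] = [n for n in procs if n in AUTOEXEC_NAMES]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        body = procs[name]
        for other in procs:
            if other not in seen and re.search(r"\b%s\b" % re.escape(other), body, re.IGNORECASE):
                stack.append(other)
    return seen


def scan(vba: str) -> Dict[str, object]:
    """Triage one VBA module: entry points, reachable procedures, and the
    suspicious keywords (with counts) found in the reachable code."""
    procs = extract_procs(vba)
    reachable = reachable_from_autoexec(procs)
    code = "\n".join(procs[n] for n in reachable)
    hits = {}
    for pattern, reason in SUSPICIOUS.items():
        count = len(re.findall(pattern, code, re.IGNORECASE))
        if count:
            hits[reason] = count
    verdict = "suspicious" if reachable and hits else "clean"
    return {
        "autoexec": sorted(n for n in procs if n in AUTOEXEC_NAMES),
        "reachable": sorted(reachable),
        "suspicious": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Restricting the keyword search to procedures reachable from an auto-exec entry point is what keeps the signal useful: a document whose macro needs the user to press a button never reaches `Shell` on open, while the layout in the post (an entry point that calls a helper which writes a Label's Caption out as a .js file and runs it) is flagged as suspicious on the first pass.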