Aside from its information theft capabilities, it also deletes files with particular extensions located on removable and network drives, replacing each of them with a copy of the malware. This Trickbot campaign has affected the United States the most; it has also distributed spam to China, Canada, and India.
The distributed Word document presents the user with a notification stating that the content can be viewed by enabling macro content. It's worth noting that the document hides the JS script in the document body itself rather than in the macro, disguising the script by giving it the same font color as the document background.
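The hidden-text trick above can be checked for directly: a .docx is a zip archive whose body is word/document.xml, and each text run can carry an explicit font color. The following is an added example (not code from the original post or from Trickbot) that builds a constructed sample document with one white-on-white run and flags any run whose color matches an assumed background color of FFFFFF.

```python
# Added example (not from the original post): detect text hidden in a Word
# document by giving it the same font colour as the page background.
# A .docx is a zip archive; its body lives in word/document.xml, and each
# text run (<w:r>) may carry <w:rPr><w:color w:val="RRGGBB"/></w:rPr>.
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}


def find_hidden_runs(docx_bytes: bytes, background: str = "FFFFFF") -> list:
    """Return the text of every run whose explicit font colour equals the
    page background colour (case-insensitive), i.e. text a reader cannot see.
    The default background of FFFFFF (white) is an assumption."""
    hidden = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    for run in root.iterfind(".//w:r", NS):
        color = run.find("w:rPr/w:color", NS)
        if color is None:
            continue
        if color.get(f"{{{W}}}val", "").upper() == background.upper():
            text = "".join(t.text or "" for t in run.iterfind("w:t", NS))
            if text.strip():
                hidden.append(text)
    return hidden


def build_sample_docx() -> bytes:
    """Constructed sample: one visible lure sentence followed by a run of
    white-on-white text (a harmless placeholder string, not real malware)."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body>
 <w:p><w:r><w:t>Enable editing to view this content.</w:t></w:r></w:p>
 <w:p><w:r><w:rPr><w:color w:val="ffffff"/></w:rPr>
  <w:t>var placeholder = "hidden script would be here";</w:t></w:r></w:p>
</w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for text in find_hidden_runs(build_sample_docx()):
        print("hidden run:", text)
```

The check only covers runs with an explicit color property; a document can also change the page or paragraph shading, so a thorough triage should compare run colors against those settings as well.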
The script is obfuscated and contains several functions. To decrypt a function, it uses another function that converts the encoded content to a single character.
After successfully deobfuscating the file, we analyzed it and observed some interesting behaviors. Upon execution, it displays a fake Microsoft error message that pops up after the user enables the macro in order to trick the user; in reality, the JS file is already running in the background.
Malware Hash (MD5/SHA1/SHA256)