We Don’t Want White Font: Office Macros, Evasion, and Malicious Self-Reference

Rapid7’s Managed Detection and Response (MDR) services team leverages specialized toolsets, malware analysis, tradecraft, and collaboration with Rapid7’s Threat Intelligence researchers to detect and remediate threats. Recently, we identified increased use of a type of malicious document that leverages malformed document headers, white fonts to hide obfuscated JScript code, and embedded VBA macros that execute the document’s contents using WScript.
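As an added illustration (not code from the Rapid7 post), the following Python triage check looks for the two document-level indicators described above: an embedded VBA project and body text set to a white font that carries script-like identifiers. The marker pattern and the constructed sample document are assumptions, not artefacts from the analysed file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Assumed marker list: identifiers typical of JScript/WSH code, not a signature from the post.
SCRIPT_MARKERS = re.compile(r"WScript|ActiveXObject|eval\(|String\.fromCharCode", re.I)

def white_font_runs(document_xml: bytes) -> list:
    """Return the text of every run whose font colour is pure white (FFFFFF)."""
    root = ET.fromstring(document_xml)
    hidden = []
    for run in root.iter(W + "r"):
        color = run.find(f"./{W}rPr/{W}color")
        if color is not None and color.get(W + "val", "").upper() == "FFFFFF":
            hidden.append("".join(t.text or "" for t in run.iter(W + "t")))
    return hidden

def triage_docm(blob: bytes) -> dict:
    """Flag an OOXML document that pairs a VBA project with script-like white-font text."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        has_macro = "word/vbaProject.bin" in names
        body = zf.read("word/document.xml") if "word/document.xml" in names else b"<x/>"
    hidden_text = "".join(white_font_runs(body))
    markers = bool(SCRIPT_MARKERS.search(hidden_text))
    return {"has_macro": has_macro, "white_font_chars": len(hidden_text),
            "script_markers": markers, "suspicious": has_macro and markers}

def build_sample(hidden_text: str, with_macro: bool) -> bytes:
    """Constructed test document (not the real sample): one visible run, one white-font run."""
    doc = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
           '<w:r><w:t>Invoice attached.</w:t></w:r>'
           f'<w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t>{escape(hidden_text)}</w:t></w:r>'
           '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder")  # stand-in bytes, not real VBA
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_docm(build_sample("x = new ActiveXObject('WScript.Shell');", True)))
```

A real triage would also parse the VBA project itself (for example with oletools) rather than only checking for its presence.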


Rapid7 determined that the techniques related to the sample analyzed in this blog post are commonly used one at a time across many distinct malware families as one-off antivirus bypasses. However, the multi-layered antivirus evasion techniques found in this sample highlight the increasing sophistication of commodity malware campaigns’ dropper payloads. Our MDR team determined that at the time of analysis, the document sample’s actions resulted in the execution of a final-stage payload that contained a configuration file colloquially associated with the TrickBot family of malware. Malicious document dropper techniques are often final-stage-agnostic, so this analysis will focus on the malicious document itself. No familiarity with TrickBot is required.


Malicious document sample:

Filename: 18575DOC18575.docm
MD5: 1acfb8c3d7d2f4b72facc09e4d2631ad
SHA1: 984d556e7ed72666a63c2053c4f2e787b3612162
SHA256: 6779afbdb100e56b118495d0745a7c8ae4bed6beeac6b6c26f578daeffc35c49
SHA512: 978f29068eb3c865cee95a7bff6d4a9b0c4a6fe209cc06e8870097c348bd6c4eda9fcdad05480a9bff21dd22b9a42e68570ca4b6b2bcac3e91b581c02a53360c


To begin with malicious document analysis, our MDR team often detonates samples using open source automated malware analysis sandbox tools to gain some insight into the behaviors of the sam ..