{
	"id": "0b9bcb24-b5fb-4042-bee8-ab29338808a3",
	"created_at": "2026-04-06T00:12:28.455142Z",
	"updated_at": "2026-04-10T13:12:05.975084Z",
	"deleted_at": null,
	"sha1_hash": "4b2ad380595cb0ad3cc0c373cfe9d6a602555752",
	"title": "Trickbot Delivered via Highly Obfuscated JS File",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107940,
	"plain_text": "Trickbot Delivered via Highly Obfuscated JS File\r\nPublished: 2019-08-05 · Archived: 2026-04-05 19:03:42 UTC\r\nWe have been tracking Trickbot banking trojan activity and recently discovered a variant of the malware (detected by Trend Micro as TrojanSpy.Win32.TRICKBOT.TIGOCDC) from distributed spam emails that contain a Microsoft Word document with an enabled macro. Once the document is clicked, it drops a heavily obfuscated JS (JavaScript) file that downloads Trickbot as its payload. This malware also checks the number of running processes in the affected machine; if it detects that it is in an environment with limited processes, the malware will not proceed with its routine, as it assumes that it is running in a virtual environment.\r\nAside from its information theft capabilities, it also deletes files located in removable and network drives that have particular extensions, after which the files are replaced with a copy of the malware. Based on our telemetry, this Trickbot campaign has affected the United States the most. It has also distributed spam to China, Canada, and India.\r\nFigure 1. Infection chain\r\nIn a sample email, the spam purports to be a subscription notification involving advertising providers, even telling the user that it submitted an application for a three-year subscription and settled a sum of money with the sender. The mail then explains that several more fees will be charged to the user’s card in the coming transactions. It ends by prompting the user to see the attached document for all the settlement and subscription information. The document in question contains the malicious script.\r\nThe distributed Word document presents the user with the following notification (see Figure 2), which states that the content can be viewed by enabling macro content. It’s worth noting that the document hides the JS script in the document itself and not in the macro. It does this by disguising the script with the same font color as the document background.\r\nFigure 2. Document asking users to enable macro\r\nThe script is obfuscated and contains different functions. In order to decrypt a function, it uses another function that converts it to a single character.\r\nFigure 3. Function for decryption\r\nUpon successfully deobfuscating the file, we were able to analyze it and observed some interesting behaviors. Upon execution, it displays a fake Microsoft error message that pops up after the macro is enabled in order to trick the user, while the JS file is actually already running in the background.\r\nFigure 4. Fake Microsoft error\r\nFor persistence, the malware creates a copy of itself in the Startup folder as Shell.jse. The JS file also checks for running processes. What is particularly notable is the malware’s anti-analysis or evasion characteristic: it checks the total number of running processes on the victim’s machine and will not proceed with its execution if there are not enough processes running.\r\nIf the list of running processes is under 1,400 characters (the length of the string), the malware takes this as an indicator that it is running in a virtual or sandbox environment. It also checks for the existence of processes usually used for analysis. Aside from these, the malware inspects whether the environment it runs in relates to specific usernames.\r\nFigure 5. A snippet of checked processes and usernames\r\nFigure 6. Code error shown if anything matches the check\r\nHere’s a list of processes and debugging tools the malware checks for in the affected system:\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/\r\nPage 1 of 4\r\nAgentSimulator.exe\r\nB.exe\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nDFLocker64\r\nFrzState2k\r\ngemu - ga.exe\r\niexplore.exe\r\nImmunityDebugger\r\nLOGSystem.Agent.Service.exe\r\nlordPE.exe\r\nProcessHacker\r\nprocexp\r\nProcmon\r\nPROCMON\r\nProxifier.exe\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nvmtoolsd\r\nvmware\r\nVzService.exe\r\nwindanr.exe\r\nWireshark\r\nUpon further analysis, we’ve also compiled the usernames the malware checks for based on the following strings:\r\nEmily\r\nHAPUBWS\r\nHong Lee\r\nJohnson\r\nmilozs\r\nPeter Wilson\r\nSystemIT | admin\r\nVmRemoteGuest\r\nWIN7 - TRAPS\r\nFor the malware’s payload, it connects to the URL hxxps://185[.]159[.]82[.]15/hollyhole/c644[.]php and then checks the file to be downloaded. If it is an executable file, it saves the file to %Temp% as {random}.exe and executes it afterwards. If the file is not an executable, it saves it as {random}.cro in the same folder. The .cro file is then decoded using certutil.exe, saved as {random}.exe in the same directory, and executed. Upon further research, we discovered that the downloaded .exe file is a variant of the Trickbot malware.\r\nFigure 7. The file is saved, random names get generated, and .cro is decoded using certutil.exe\r\nAside from stealing system information such as OS, CPU, and memory information; user accounts; installed programs and services; IP configuration; and network information (configuration, users, and domain settings), this Trickbot variant also gathers the following credentials and information from applications and internet browsers.\r\nApplication credentials:\r\nFilezilla\r\nMicrosoft Outlook\r\nPuTTy\r\nRemote Desktop (RDP)\r\nVNC\r\nWinSCP\r\nBrowser credentials and information (Google Chrome, Internet Explorer, Microsoft Edge, and Mozilla Firefox):\r\nAutofills\r\nBilling info data\r\nBrowsing history\r\nCredit card data\r\nHTTP POST responses\r\nInternet cookies\r\nUsernames and passwords\r\nThis malware also uses a point-of-sale (PoS) extraction module called psfin32, which identifies PoS-related terms located in the domain of interest. The module uses LDAP queries to search for PoS information on machines with the following substrings:\r\n*ALOHA*\r\n*BOH*\r\n*CASH*\r\n*LANE*\r\n*MICROS*\r\n*POS*\r\n*REG*\r\n*RETAIL*\r\n*STORE*\r\n*TERM*\r\nThe variant also appears to drop shadnewdll, a proxy module that intercepts and modifies web traffic on an affected device to create fraudulent bank transactions over the network. Additionally, according to security researcher Brad Duncan, the module shares similarities with the banking trojan IcedID, which redirects victims to fake online banking sites or attaches to a browser process to inject fake content in phishing schemes.\r\nIn cases where the malware fails to connect, it searches for files with the following extensions in the removable and network drives. These extensions are file types used by Microsoft Office and OpenDocument:\r\n.doc\r\n.xls\r\n.pdf\r\n.rtf\r\n.txt\r\n.pub\r\n.odt\r\n.ods\r\n.odp\r\n.odm\r\n.odc\r\n.odb\r\nFiles with the aforementioned extensions will be saved in the %Temp% folder as ascii.txt. The said files will then all be deleted and replaced with a copy of the malware carrying the extension .jse (which is actually a JS file).\r\nFigure 8. Scanning for files and replacing them with a copy of itself\r\nDefending Against Trickbot: Trend Micro Recommendations and Solutions\r\nInformation-stealing malware Trickbot has become a cybercriminal mainstay for infecting machines and compromising emails, and has reportedly been used to steal more than 250 million accounts. This new development shows how cybercriminals can constantly tweak an existing banking trojan to add new capabilities. Users, however, can prevent these attacks by simply following best practices against spam. Aside from awareness of the telltale signs of a spam email, such as a suspicious sender address and glaring grammatical errors, we also recommend that users refrain from opening email attachments from unverified sources.\r\nUsers and enterprises can also benefit from protection that uses a multilayered approach against risks brought by threats like Trickbot. We recommend employing endpoint application control that reduces attack exposure by ensuring only files, documents, and updates associated with whitelisted applications and sites can be installed, downloaded, and viewed. Endpoint solutions powered by XGen™ security such as Trend Micro™ Security and Trend Micro Network Defense can detect related malicious files and URLs and protect users’ systems. Trend Micro™ Smart Protection Suites and Trend Micro Worry-Free™ Business Security, which have behavior monitoring capabilities, can additionally protect from these types of threats by detecting malicious files such as the document and JS file involved in this campaign, as well as blocking all related malicious URLs.\r\nThe Trend Micro Deep Discovery Inspector protects customers from threats that may lead to C\u0026C connection and data exfiltration via these DDI rules:\r\n1645: Possible Self-Signed SSL certificate detected\r\n2780: TRICKBOT - HTTP (Request)\r\nIndicators of Compromise (IoCs)\r\nSHA-256 and URL | Trend Micro Pattern Detection | Trend Micro Predictive Machine Learning Detection\r\n0242ebb681eb1b3dbaa751320dea56e31c5e52c8324a7de125a8144cc5270698 | TrojanSpy.Win32.TRICKBOT.TIGOCDC | TROJ.Win32.TRX.XXPE50FFF031\r\n16429e95922c9521f7a40fa8f4c866444a060122448b243444dd2358a96a344c | Trojan.W97M.JASCREX.A | Downloader.VBA.TRX.XXVBAF01F\r\n666515eec773e200663fbd5fcad7109e9b97be11a83b41b8a4d73b7f5c8815ff | Trojan.W97M.JASCREX.AB | Downloader.VBA.TRX.XXVBAF01F\r\n41cd7fec5eaad44d2dba028164b9b9e2d1c6ea9d035679651b3b344542c40d45 | Trojan.W97M.JASCREX.AD | Downloader.VBA.TRX.XXVBAF01F\r\n970b135b4c47c12f97bc3d3bbdf325f391b499d03fe19ac9313bcace3a1450d2 | Trojan.W97M.JASCREX.AC | \r\n8537d74885aed5cab758607e253a60433ef6410fd9b9b1c571ddabe6304bb68a | TrojanSpy.JS.NEMUCOD.BONINGH | \r\n970b135b4c47c12f97bc3d3bbdf325f391b499d03fe19ac9313bcace3a1450d2 | | \r\nhxxps://185[.]159[.]82[.]15/hollyhole/c644[.]php | | \r\nCheck Point Research also tweeted about this campaign last July.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/"
	],
	"report_names": [
		"latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file"
	],
	"threat_actors": [],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b2ad380595cb0ad3cc0c373cfe9d6a602555752.pdf",
		"text": "https://archive.orkl.eu/4b2ad380595cb0ad3cc0c373cfe9d6a602555752.txt",
		"img": "https://archive.orkl.eu/4b2ad380595cb0ad3cc0c373cfe9d6a602555752.jpg"
	}
}