Trickbot Analysis – Part 1: Macro Analysis

This is the first in a three-part series of analysis on this malicious document.

Part 1: An analysis of the extracted macros.

Part 2: An analysis of the locked document.

Part 3: An analysis of the dropped javascript file.

Macro Analysis

I extracted the macros using OfficeMalScanner. It dumped two files, NewMacros and ThisDocument. We can see that ThisDocument contains Sub AutoClose(). This means that the macro will run when you close the document.


The sub named Tokio is located in NewMacros. It pulls from other variables in that same file.


A little bit of searching, copying, and pasting in that file allows us to piece together line 28.

VBA.CallByName VBA.CreateObject(Shell.Application), ShellExecute, VbMethod, WScript, /e:JScript "glob", "open", 1

The variable glob is the name of the file that is going to be executed. And that’s what is unusual about this document. Not only does it drop a new file to disk, but it also is going to run it as javascript. A sub called Oslo is used to drop a .css file with the same name as the original .docm file.


Line 40 grabs the name of the current document and replaces .docm with .css. Line 48 creates the new document. Notice how it grabs the data from ActiveDocument.Content.Text. This data is stored in the pages of the .docm file itself. If you were to open the document, you would see this:


The data that gets dumped into the .css file is all of the yellow text above. In fact, from this point you could copy and paste all of that yellow text into a new text file and find all of the same javascript.

2 thoughts on “Trickbot Analysis – Part 1: Macro Analysis

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s