user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Trojan:X97M/LionWolf.A
Trojan:X97M/LionWolf.A - Windows Defender threat signature analysis

Trojan:X97M/LionWolf.A - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:X97M/LionWolf.A
Classification:
Type:Trojan
Platform:X97M
Family:LionWolf
Detection Type:Concrete
Known malware family with identified signatures
Variant:A
Specific signature variant within the malware family
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for X97M platform, family LionWolf

Summary:

This is a Critical Trojan (LionWolf.A) distributed via malicious Excel macros. It employs advanced process injection and memory manipulation techniques (e.g., creating remote threads, writing to process memory) to execute code within legitimate processes, potentially allowing it to evade detection, gain persistence, and perform further malicious activities like network reconnaissance or data exfiltration.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - libkernel32aliascreateprocessa (MACROHSTR_EXT)
 - libkernel32aliascreateremotethread (MACROHSTR_EXT)
 - libkernel32aliasvirtualallocex (MACROHSTR_EXT)
 - libkernel32aliaswriteprocessmemory (MACROHSTR_EXT)
 - namespacenetbiosname (MACROHSTR_EXT)
 - getobjectldaprootdse (MACROHSTR_EXT)
 - createobjectmsxml2domdocument (MACROHSTR_EXT)
 - environprogramw6432 (MACROHSTR_EXT)
YARA Rule:
rule Trojan_X97M_LionWolf_A_2147817765_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:X97M/LionWolf.A"
        threat_id = "2147817765"
        type = "Trojan"
        platform = "X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros"
        family = "LionWolf"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_MACROHSTR_EXT"
        threshold = "18"
        strings_accuracy = "High"
    strings:
        $x_5_1 = "libkernel32aliascreateprocessa" ascii //weight: 5
        $x_5_2 = "libkernel32aliascreateremotethread" ascii //weight: 5
        $x_5_3 = "libkernel32aliasvirtualallocex" ascii //weight: 5
        $x_5_4 = "libkernel32aliaswriteprocessmemory" ascii //weight: 5
        $x_1_5 = "namespacenetbiosname" ascii //weight: 1
        $x_1_6 = "getobjectldaprootdse" ascii //weight: 1
        $x_1_7 = "createobjectmsxml2domdocument" ascii //weight: 1
        $x_1_8 = "environwindir" ascii //weight: 1
        $x_1_9 = "environprogramw6432" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((3 of ($x_5_*) and 3 of ($x_1_*))) or
            ((4 of ($x_5_*))) or
            (all of ($x*))
        )
}
Known malware which is associated with this threat:
Filename: CobaltStrike.doc
96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d
18/12/2025
VirusTotalDownload Sample
Remediation Steps:
Immediately isolate the affected system, remove the malicious Excel file, and perform a full system scan with updated antivirus. Disable macros by default in Microsoft Office applications and ensure that only digitally signed macros from trusted publishers are allowed to run. Investigate for any persistence mechanisms or further lateral movement within the network.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 18/12/2025. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$