TrojanDownloader:O97M/MsiexecAbu - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: TrojanDownloader:O97M/MsiexecAbu
Classification:
Type: TrojanDownloader
Platform: O97M
Family: MsiexecAbu
Detection Type: Concrete (known malware family with identified signatures)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan Downloader - Downloads additional malware for O97M platform, family MsiexecAbu

Summary:

This malware is a Lotus 1-2-3/Office 97 macro-based downloader that abuses the Windows Installer (msiexec) to silently install malicious components. Its macro strings also reference auxiliary tooling such as rundll32, PowerShell, and scheduled tasks, enabling remote execution and persistence.

Severity: Medium
VDM Static Detection:
Relevant strings associated with this threat:
 - msiexec (MACROHSTR_EXT)
 - 0http (MACROHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)
YARA Rule:
rule TrojanDownloader_O97M_MsiexecAbuse_B_2147735593_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "TrojanDownloader:O97M/MsiexecAbuse.B"
        threat_id = "2147735593"
        type = "TrojanDownloader"
        platform = "O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and PowerPoint"
        family = "MsiexecAbuse"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_MACROHSTR_EXT"
        threshold = "6"
        strings_accuracy = "Low"
    strings:
        $x_6_1 = {6d 73 69 65 78 65 63 [0-48] 68 74 74 70}  //weight: 6, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Remediation Steps:
 - Block and quarantine the macro-enabled document.
 - Deploy an up-to-date Office macro security policy that disables all macros unless signed.
 - Enforce application whitelisting for msiexec, rundll32, and PowerShell.
 - Monitor for unauthorized installer activity or scheduled task creation.
=== END REPORT ===
This analysis was last updated on 10/04/2026.