[ Fake DnB documents malspam delivers Trickbot banking Trojan ]

I happened to chance upon this alert from Singapore Commercial Credit Bureau as shown in the image below.

I got interested in this since it’s a Singapore company giving this alert. I started looking at the samples from VirusTotal and found this interesting email.
An email with the subject of “FW: Case DNB928929” pretending to come from “Dun & BradStreet” but actually coming from a look-a-like domain “” with either a malicious zip attachment containing a .doc file or a .doc attachment delivering Trickbot banking Trojan.

As the malware authors are using email addresses that is similar to the real “Dun & BradStreet” and subjects that will scare or entice a user to read the email and open the attachment.

The email looks like:

The hash of the malicious doc is: 79344f12ecfbd478a564297e339067180625e83c7266c4cab39b2f68440fcb6b

If we were to analyse the malicious doc, we can see the following VBA within it.

For simplicity sake, i’ve made a simpler version to show the decoded string here: https://dotnetfiddle.net/31w0YF
As we can see from the code snippet below, the VBA in the malicious doc will download the payload from “http://calendarortodox[.]ro/serstalkerskysbox.png

That “serstalkerskysbox.png” is actually Trickbot
The hash of that Trickbot is 3e225d16e486fae7df684d73c6e4531fbaf203b898ea899623cf5150a0f13652

As hasherezade already made an awesome video on unpacking Trickbot. Users can just watch the youtube video and learn from it.

As a gentle reminder to all users.
PLEASE be very CAREFUL with email attachments. All of these emails usually use Social Engineering tricks to persuade you to open the malicious attachments that comes attached with the email.

Have Phun
Jacob Soo