tRat is a modular delphi remote access trojan from the threat actor TA505. TA505 was previously responsible for Dridex and Locky campaigns. tRAT malicious word document present itself as if it is written in old verion of Word and the user have to enable the macro to view the content. Once the macro are enabled a tRAT is downloaded. Malicious binary is stored in C:UsersAppDataRoamingAdobeFlash PlayerServicesFrame Hostfhost.exe. Next, tRat creates a LNK file in the Startup directory that executes the binary on startup C:UsersAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupbfhost.lnk. Sample Malicious Microsoft Word Document.