XF/Lexcel.Z!tr.dldr

Analysis

XF/Lexcel.Z!tr.dldr is a generic detection for a trojan.
Because it is a generic detection, samples detected as XF/Lexcel.Z!tr.dldr may behave differently.
Below are some of the observed characteristics and behaviours:

  • This malware is distributed as an MS Excel file. When the file is opened, a message is displayed. Depending on the sample, the message either directs the user to click "Enable Content" in order to view and decrypt the file, or instructs the user to copy the file to another location and relaunch it.

  • After the user clicks "Enable Content", the malicious code executes. The malware downloads its payload from a URL stored in the hidden sheets of the Excel file and drops a file to "C:\Users\[UserName]".

  • Depending on the sample, it may execute the dropped file directly with "Rundll32.exe", or first register it with "Regsvr32.exe" so that Windows can load it and then execute the payload.

  • Below are images of the malicious document:
    • Figure 1: Excel file directing the user to click "Enable Content".
    • Figure 2: Strings found in the hidden sheet, used in a formula to download the payload.
    • Figure 3: After clicking "Enable Content".
    • Figure 4: Utilizing Rundll32.exe to execute the payload.
    • Figure 5: Different variation of the malware.
    • Figure 6: Malicious Excel document with different instructions.

  • Below are some of the sites the malware attempts to connect to:
    • http://chaw[removed]nn.com
    • http://chr[removed].et.com[removed]AAB
    • http://he[removed].ve.com/wp-admin/s[removed]

  • Following are some of the file hashes (IOCs) associated with this detection:
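As an added hunting example (not Fortinet's code and not taken from the samples): a Python triage filter over constructed process-creation events that flags the execution chain described above, Excel spawning rundll32.exe or regsvr32.exe with a file located directly under C:\Users\<name>\. Field names follow Sysmon Event ID 1; the paths, user name and events are constructed for this example.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); invented for this example.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\dropped.dll,DllRegisterServer"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\dropped.dll"},
    {"ParentImage": r"C:\Windows\explorer.exe",                 # benign: parent is not Excel
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",                       # benign: Office print helper
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

OFFICE_PARENTS = {"excel.exe"}
LOLBIN_CHILDREN = {"rundll32.exe", "regsvr32.exe"}
# A file sitting directly in a profile root (C:\Users\<name>\<file>), with no deeper subdirectory.
PROFILE_ROOT_FILE = re.compile(r'(?i)\b[a-z]:\\users\\[^\\\s",]+\\[^\\\s",]+(?=[\s",;]|$)')

def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons an event matches the Excel -> rundll32/regsvr32
    chain described for this detection; an empty list means no match."""
    reasons = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
        if PROFILE_ROOT_FILE.search(event["CommandLine"]):
            reasons.append("argument is a file directly under a user profile root")
    return reasons

def hunt(events):
    """Return (index, reasons) for every event that matches."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for i, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

The profile-root check is deliberately narrow to match the drop location in the analysis; widen it to cover subdirectories if your telemetry shows the payload landing elsewhere.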

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate
  • FortiClient
  • FortiAPS
  • FortiAPU
  • FortiMail
  • FortiSandbox
  • FortiWeb
  • Web Application Firewall
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date Version Detail
2023-02-16 91.00655
2023-02-16 91.00640
2023-02-14 91.00577
2023-02-07 91.00363
2023-01-11 90.09557