XF/Lexcel.Z!tr.dldr
Analysis
XF/Lexcel.Z!tr.dldr is a generic detection for a trojan.
Since this is a generic detection, malware detected as XF/Lexcel.Z!tr.dldr may exhibit varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware is distributed as a Microsoft Excel file. When the file is opened, a message is displayed. The message varies: it may direct the user to click "Enable Content" in order to view and decrypt the file, or it may instruct the user to copy the file to another location and relaunch it.
- After the user clicks "Enable Content", the malicious code executes. The malware downloads its payload from a URL stored in the hidden sheets of the Excel file and drops a file under "C:\Users\[UserName]".
- Depending on the sample, it may execute the dropped file directly with "Rundll32.exe", or first use "Regsvr32.exe" to register the file with Windows and then execute the payload.
- Below are images of the malicious document:
- Figure 1: Excel file directing user to click "Enable Content".
- Figure 2: Strings found in a hidden sheet and used in a formula to download the payload.
- Figure 3: After clicking "Enable Content".
- Figure 4: Using Rundll32.exe to execute the payload.
- Figure 5: A different variant of the malware.
- Figure 6: Malicious Excel document with different instructions.
- Below are some of the sites the malware attempts to connect to:
- http://chaw[removed]nn.com
- http://chr[removed].et.com[removed]AAB
- http://he[removed].ve.com/wp-admin/s[removed]
- Following are some of the near/exact IOCs (file hashes) associated with this detection:
- Md5: 709d80d798c1e9ec08633070f0d1660f / Sha256: 6b5fe919f8ec3df1c4d7eb9579ccb11290618cf7db51000eb5c589e31d6f6eff
- Md5: cf8128032fec813d68c384dd6502413e / Sha256: 27ed0667420ea8566b5f2bb2ded281ecc5ee1e4769742b977e67b1b73ce84ede
- Md5: b4418214f4ec42dfbd33051f502566dd / Sha256: 1b55ac9b540aeed0cb41c24eb192676fdbc6dd1c752ac29a6de27d3c27733ef7
- Md5: 089e2ad1248e598b3b13e3567e344070 / Sha256: 548636aa9afb62453fa1f233666d7d14ecdb05d7c1cebfa1723dc64b7471cd4d
- Md5: 48a8e3cd0f445c48ad01b3713f3db6bd / Sha256: 703e649d604c92722af20068b1c801e36f55c621e357e67f914b69ad9e4d1d9d
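The behaviour above (a download URL kept in a hidden sheet, then Rundll32.exe or Regsvr32.exe used to run the dropped file) can be triaged statically. The following is an added example written for this page, not Fortinet's code or a tool from the advisory: it opens a zip-based OOXML workbook (.xlsx/.xlsm), reads which sheets workbook.xml marks hidden or veryHidden, resolves each sheet part through workbook.xml.rels (so macrosheet parts are covered as well as worksheets), and reports any sheet whose cell values, shared strings or formula text contain a URL or one of the two execution helpers named above. The sample workbook it builds is constructed for the example, the URL in it is a placeholder, and the legacy binary .xls (BIFF) container is out of scope; that format needs a different parser.

```python
"""Added example: flag OOXML workbooks whose hidden sheets carry download/execution strings."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# The two execution helpers the advisory names; matched case-insensitively.
EXEC_RE = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)


def _shared_strings(zf):
    """Load the shared-string table (cells with t="s" index into it)."""
    if "xl/sharedStrings.xml" not in zf.namelist():
        return []
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{NS_MAIN}}}t"))
            for si in root.findall(f"{{{NS_MAIN}}}si")]


def _cell_texts(sheet_xml, shared):
    """Yield formula text, shared strings, inline strings and plain values of every cell."""
    for c in ET.fromstring(sheet_xml).iter(f"{{{NS_MAIN}}}c"):
        f = c.find(f"{{{NS_MAIN}}}f")
        if f is not None and f.text:
            yield f.text
        v = c.find(f"{{{NS_MAIN}}}v")
        kind = c.get("t")
        if kind == "s" and v is not None and v.text is not None:
            idx = int(v.text)
            if 0 <= idx < len(shared):
                yield shared[idx]
        elif kind == "inlineStr":
            yield "".join(t.text or "" for t in c.iter(f"{{{NS_MAIN}}}t"))
        elif v is not None and v.text:
            yield v.text


def scan_workbook(data):
    """Return {sheet name: {"state", "urls", "exec"}} for every sheet part (worksheet or
    macrosheet, resolved via workbook.xml.rels) holding a URL or an execution-helper name.
    "state" is visible/hidden/veryHidden, so a hidden sheet with a URL stands out."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        shared = _shared_strings(zf)
        rels = {r.get("Id"): r.get("Target")
                for r in ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))}
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sh in wb.iter(f"{{{NS_MAIN}}}sheet"):
            target = rels.get(sh.get(f"{{{NS_REL}}}id"), "")
            part = target[1:] if target.startswith("/") else "xl/" + target
            if part not in zf.namelist():
                continue
            urls, execs = set(), set()
            for text in _cell_texts(zf.read(part), shared):
                urls.update(URL_RE.findall(text))
                execs.update(m.group(0).lower() for m in EXEC_RE.finditer(text))
            if urls or execs:
                findings[sh.get("name")] = {"state": sh.get("state", "visible"),
                                            "urls": sorted(urls), "exec": sorted(execs)}
    return findings


def build_sample():
    """Constructed workbook (not a real sample): a visible lure sheet plus a veryHidden
    sheet holding a placeholder download URL and a rundll32 command string."""
    wb = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
          '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
          '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
          '</sheets></workbook>')
    rels = (f'<Relationships xmlns="{NS_PKG}">'
            f'<Relationship Id="rId1" Type="{NS_REL}/worksheet" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{NS_REL}/worksheet" Target="worksheets/sheet2.xml"/>'
            '</Relationships>')
    lure = (f'<worksheet xmlns="{NS_MAIN}"><sheetData><row r="1"><c r="A1" t="inlineStr">'
            '<is><t>Document protected. Click "Enable Content" to view it.</t></is></c>'
            '</row></sheetData></worksheet>')
    hidden = (f'<worksheet xmlns="{NS_MAIN}"><sheetData><row r="1">'
              '<c r="A1" t="s"><v>0</v></c>'
              '<c r="A2" t="inlineStr"><is><t>rundll32.exe C:\\Users\\[UserName]\\dropped.dll</t></is></c>'
              '</row></sheetData></worksheet>')
    sst = f'<sst xmlns="{NS_MAIN}"><si><t>http://example.invalid/placeholder/payload</t></si></sst>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in [("xl/workbook.xml", wb), ("xl/_rels/workbook.xml.rels", rels),
                          ("xl/worksheets/sheet1.xml", lure),
                          ("xl/worksheets/sheet2.xml", hidden), ("xl/sharedStrings.xml", sst)]:
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for name, hit in scan_workbook(build_sample()).items():
        print(f"{name} ({hit['state']}): urls={hit['urls']} exec={hit['exec']}")
```

Run against a real file with scan_workbook(open(path, "rb").read()); the visible lure sheet produces no finding, while the veryHidden sheet is reported with its URL and the rundll32 string, which is exactly the combination worth quarantining for analysis. The scanner is string-based by design: it makes no attempt to evaluate formulas, so it cannot be misled by how a formula is laid out, but it will also miss a URL that is only assembled at run time, which is why it belongs beside, not instead of, the AV detection.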
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |