VirusMSWord/DDE.4433!tr
Analysis
MSWord/DDE.4433!tr is a generic detection for a trojan Exploit/Powershell Downloader.
Since this is a generic detection, malware that are detected as MSWord/DDE.4433!tr may have varying behaviour.
Below are examples of some of its characteristics/behaviours:
- Using an MSOffice exploit CVE-2017-11826 this malware intends to issue a powershell comamnd that will download from hxxp://bwo{Removed}.be/JHhdg33, afterwhich executes it.
- During the time of our tests the downloaded file, located at undefinedTempundefined\theyweare64.exe, is currently detected as W32/Kryptik.FYAD!tr.
- The malware uses base64 encoding to hide its actual powershell parameter.
- Below is an illustration of an infected document:
- Figure 1: Infected Document.
- Figure 2: The powershell script in the infected Document.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| Extreme | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2023-02-27 | 91.00975 |