Threat Encyclopedia

VBA/Agent.32DC!tr.dldr

Analysis

VBA/Agent.32DC!tr.dldr is a generic detection for a type of macro downloader trojan that downloads other malware onto the compromised computer. Since this is a generic detection, files that are detected as VBA/Agent.32DC!tr.dldr may have varying behavior.
Below are examples of some of these behavior:

• This malware may drop any of the following file(s):
  
  • %AppData%\Local\Temp\{Random}.bat: This file is likely to be detected as PowerShell/Agent.C1546!tr.dldr..


• This malware issues a powershell command line that downloads from a remote site listed below, then drops it on the hosts, usually located in %AppData%\. However, most downloading files are already removed at the time during analysis.
  
  • hxxp://srient{Removed}.net/lop.bin. The file is likely to be detected as W32/Mansabo.BHL!tr
  • hxxp://nl{Removed}.biz/lop.bin. The file is likely to be detected as W32/Mansabo.BHL!tr
  • hxxp://electrofluxequipment{Removed}.com/pl.bin. The file is likely to be detected as W32/Malicious_Behavior.VEX
  • hxxp://golora{Removed}.com/pl.bin. The file is likely to be detected as W32/Malicious_Behavior.VEX
  • hxxp://nrrgar{Removed}.com/saryacan.bin. The file is likely to be detected as W32/GenKryptik.CDXE!tr
  • hxxp://oasis-{Removed}.com/saryacan.bin. The file is likely to be detected as W32/GenKryptik.CDXE!tr
  • hxxp://mean{Removed}.com/bri.ri. The file is likely to be detected as W32/GenKryptik.CEHY!tr
  • hxxp://25kstart{Removed}.com/
  • hxxp://www.winandgo{Removed}.com/


• Below are sample illustrations of infected document:
  

  Figure 1: Infected Document.

  
  

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry