VirusVBA/Agent.MUV!tr.dldr
Analysis
VBA/Agent.MUV!tr.dldr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as VBA/Agent.MUV!tr.dldr may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- It is a Microsoft Word macro.
- It creates a base64 encoded command and executes it via Powershell in hidden mode
- The Powershell script will attempt to connect to multiple sites to download a file called: 720.exe
- At the time this virus description is written (Jan. 14, 2020), the sites the malware connects to no longer supply the executable.
- The malware attempts to connect to the following sites to download the executable:
- hxxp://www.[REMOVED]-me.com/wp-admin/da5tfh48/
- hxxp://www.ovi[REMOVED].com/mgs1/1jk0225/
- hxxps://jasam[REMOVED].com/wp-content/gzv60154/
- hxxps://www.mary[REMOVED].com/wp-content/brand/zgkb6/
- hxxp://lua[REMOVED].org/calendar/7532946
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| FortiClient | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2022-04-18 | 90.01507 | |
| 2021-08-24 | 88.00605 | |
| 2020-11-24 | 82.07300 | Sig Updated |
| 2020-11-24 | 82.06900 | Sig Updated |
| 2020-11-23 | 82.05300 | Sig Updated |
| 2020-11-17 | 81.90300 | Sig Updated |
| 2020-05-26 | 77.70500 | Sig Updated |
| 2019-11-27 | 73.37100 | Sig Updated |
| 2019-11-27 | 73.37000 | Sig Updated |
| 2019-11-26 | 73.35800 | Sig Updated |