VirusMSExcel/Agent.5400!tr.dldr
Analysis
MSExcel/Agent.5400!tr.dldr is a generic detection for an Excel trojan.
Since this is a generic detection, malware that are detected as MSExcel/Agent.5400!tr.dldr may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malicious Excel document has been observed to be distributed/spammed on the early hours of May 12th, 2020.
- This malware appears to contain some unconventional formula script, whereby it possibly intends to serve as a downloader.
- A default installation of MSOffice would flash a warning of an unsecure macro settings once a malicious document is opened.
- Some instance of this malware utilizes a hidden label scheme to somehow obscure its AutoOpen and from there concats/forms some of the formula scripts scattered wide over the malicious sheet, its intention is basically to be a downloader.
- The malware utilizes a template illustration much like the one below:
- Figure 1: Sample Malware.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| FortiClient | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2020-11-10 | 81.73400 | Sig Updated |
| 2020-08-18 | 79.72000 | Sig Updated |
| 2020-08-11 | 79.55200 | Sig Updated |
| 2020-05-21 | 77.58400 | Sig Updated |
| 2020-05-13 | 77.39300 | Sig Updated |
| 2020-05-13 | 77.39200 | Sig Updated |
| 2020-05-13 | 77.38900 | Sig Updated |
| 2020-05-13 | 77.38500 | Sig Updated |
| 2020-05-13 | 77.38400 | Sig Added |
| 2020-05-12 | 77.38100 | Sig Updated |