MSExcel/Agent.51D3!tr
Analysis
MSExcel/Agent.51D3!tr is a detection for an Excel trojan.
Below are some of its observed characteristics/behaviours:
- This Excel formula sheet malware is primarily a downloader.
- Some instances of this malware may arrive as a password-protected Excel sheet.
- During our initial tests, one instance of the malware attempted to connect to 20[Removed].185.122.246/b9xBB3; the remote location was down at that time.
- The malware downloads a file to the current root directory as C:\[Random]\[Random]\[Random].dll. We suspect that this ".dll" is ZLoader malware.
- Below are some illustrations of the malware:
- Figure 1: Spammed malware arriving as Excel Sheet.
- Figure 2: Exposing the malicious formula script.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
FortiClient | Extreme |
---|---|
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |