MSExcel/Agent.DKF!tr.dldr

Analysis

MSExcel/Agent.DKF!tr.dldr is a generic detection for a trojan.
Because this is a generic detection, malware detected as MSExcel/Agent.DKF!tr.dldr may vary in behaviour.
Below are some of its observed characteristics and behaviours:

  • This malware is distributed as an MSExcel file. When the file is opened, a message directs the user to click "Enable Content" in order to view and edit the file. Once "Enable Content" is clicked, the malicious code executes. The malware downloads the malicious payload from a URL stored in the hidden sheets of the Excel file and writes it to either a ".ocx" or a ".dll" file.

  • When the malware writes the payload to a ".ocx" file, the name of that ".ocx" file is also stored in the hidden sheets. After writing the ".ocx" file, it uses Regsvr32.exe to register the file so that Windows can load it. The malware then renames the ".ocx" file to a ".dll" file and once again uses Regsvr32.exe to register the ".dll" file.

  • Below are images of the malicious document:
    • Figure 1: Excel file showing only 1 visible sheet and a message directing the user to click "Enable Content".
    • Figure 2: Hidden sheets.
    • Figure 3: Characters found in a hidden sheet, used in a formula to create the malicious strings.
    • Figure 4: Malicious strings found in the hidden sheets.
    • Figure 5: Formula to concatenate the malicious code.
    • Figure 6: Formula decoded.
    • Figure 7: Renaming and registering the malicious files.


  • Below are some of the sites the malware attempts to connect to:

  • Following are some of the exact file hashes associated with this detection:
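As an added example (not Fortinet's code and not taken from the sample), the following Python triage script checks a workbook for the two structural indicators described above: sheets marked hidden or veryHidden, and cell formulas that assemble strings with CHAR/CONCATENATE or call Excel 4.0 macro functions. The list of flagged functions is an assumption, and the workbook it scans is constructed inline to mimic the lure.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}
# CHAR/CONCATENATE build strings piecewise as in Figures 3-6; EXEC/CALL/REGISTER
# are Excel 4.0 macro functions. Assumed starting list, extend as needed.
SUSPICIOUS = re.compile(r"\b(CHAR|CONCATENATE|EXEC|CALL|REGISTER)\s*\(", re.I)

def triage_workbook(data: bytes) -> dict:
    """Scan an .xlsx/.xlsm blob for hidden sheets and string-building formulas."""
    result = {"hidden_sheets": [], "suspicious_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.findall(".//m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")  # "hidden" or "veryHidden"
            if state != "visible":
                result["hidden_sheets"].append((sheet.get("name"), state))
        # Worksheets and Excel 4.0 macro sheets both keep formulas in <f> cells
        for name in z.namelist():
            if name.startswith(("xl/worksheets/", "xl/macrosheets/")) and name.endswith(".xml"):
                ws = ET.fromstring(z.read(name))
                for f in ws.findall(".//m:f", NS):
                    if f.text and SUSPICIOUS.search(f.text):
                        result["suspicious_formulas"].append((name, f.text))
    return result

def build_sample_xlsx() -> bytes:
    """Constructed test workbook: one visible sheet plus a veryHidden sheet whose
    formula concatenates fragments with CHAR(), mimicking the lure described above."""
    workbook = (f'<workbook xmlns="{MAIN_NS}"><sheets>'
                '<sheet name="Sheet1" sheetId="1"/>'
                '<sheet name="Secret" sheetId="2" state="veryHidden"/>'
                '</sheets></workbook>')
    hidden = (f'<worksheet xmlns="{MAIN_NS}"><sheetData><row r="1">'
              '<c r="A1"><f>CONCATENATE(B1,CHAR(46),C1)</f><v>0</v></c>'
              '</row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{MAIN_NS}"><sheetData/></worksheet>')
        z.writestr("xl/worksheets/sheet2.xml", hidden)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_workbook(build_sample_xlsx()))
```

A hit on either indicator is a reason to detonate the file in a sandbox rather than open it; a legitimate workbook with a veryHidden sheet is unusual but not impossible, so treat the output as triage, not verdict.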

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                    Coverage
FortiGate                  Extreme
FortiClient                Extended
FortiMail                  Extended
FortiSandbox               Extended
FortiWeb                   Extended
Web Application Firewall   Extended
FortiIsolator              Extended
FortiDeceptor              Extended
FortiEDR

Version Updates

Date Version Detail
2024-02-05 92.01302
2023-06-06 91.03953
2023-03-21 91.01631
2023-02-27 91.00982
2023-02-16 91.00655
2023-02-16 91.00640
2023-02-14 91.00580
2023-01-03 90.09317
2022-12-27 90.09105
2022-12-26 90.09065