MSExcel/Agent.DKF!tr.dldr
Analysis
MSExcel/Agent.DKF!tr.dldr is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as MSExcel/Agent.DKF!tr.dldr may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware is distributed as a MSExcel file. When the file is opened, a message will be displayed directing the user to click "Enable Content" in order to view and edit the file. After clicking "Enable Content", the malicious code will execute. The malware will download the malicious payload from a URL that can be found in the hidden sheets of the Excel file and write it to either a ".ocx" or ".dll" file.
- In the case where the malware writes the payload to a ".ocx" file, the name of the ".ocx" file can be found in the hidden sheets. After writing to the ".ocx" file, it will utilize Regsrv32.exe to register the file so that the malicious file can be used by Windows. The malware will continue on to rename the ".ocx" file to a ".dll" file and once again, utilize Regsrv32.exe to register the ".dll" file.
- Below are images of the malicious document:
- Figure 1: Excel file showing only 1 visible sheet and message directing user to click "Enable Content".
- Figure 2: Hidden Sheets.
- Figure 3: Characters found in hidden sheet used in formula to create malicious strings.
- Figure 4: Malicious strings found in hidden sheets.
- Figure 5: Formula to concatenate malicious code.
- Figure 6: Formula decoded.
- Figure 7: Renaming and registering malicious files.
- Below are some of the sites the malware attemps to connect to:
- http://kolej[removed]BkB
- http://lib[removed]wp-adm[removed]
- http://kulu[removed].com/yari[removed]
- http://lig[removed].tv/Jeremy/9vel7
- http://lisad[removed]o15
- Following are some of the exact file hashes associated with this detection:
- Md5: 4ec041fbbbe224159813a1b2b6099a59
Sha256: f3f94412fcec4b1188fb2c149e6df9e06ecb9cccbd46a3d0cbe657d306b0c1e7 - Md5: 7e59d3aa628019455b95edd4a689cca4
Sha256: 5922cd70458d7b8e163c2016c3a06666e36707eb741497f91c5fa665ad4e648e - Md5: dd40a0bd735f02db1c627c4e287c330a
Sha256: 7c444d32aa1101ce204cefaf5105b090b6eaad1a7f8e0dcb77ee885196211fa0 - Md5: c73789218c3756a1d3a4eaed3a79ad1f
Sha256: 58125c36ea2cf4f965ab7eeb482bd5890892bd4b2f873031a6fa81381c0d0012 - Md5: e23973234bfa1bb977be946388ee7d0d
Sha256: c0fb400f65e080cd6fa604f864dd36dcb92fc8fe8dda691d147b61fb213fe390
- Md5: 4ec041fbbbe224159813a1b2b6099a59
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
FortiGate | |
---|---|
Extreme | |
FortiClient | |
Extended | |
FortiMail | |
Extended | |
FortiSandbox | |
Extended | |
FortiWeb | |
Extended | |
Web Application Firewall | |
Extended | |
FortiIsolator | |
Extended | |
FortiDeceptor | |
Extended | |
FortiEDR |