VBA/Agent.BE50!tr.dldr is a generic detection for a type of macro downloader trojan that downloads the Locky ransomware onto the compromised computer. Since this is a generic detection, files that are detected as VBA/Agent.BE50!tr.dldr may have varying behavior.
Below are examples of some of these behaviors:

  • It downloads the Locky ransomware as the following file:
  • It adds the ".lukitus" extension to encrypted files.
  • It attempts to connect to the following URLs:
    • hxxp://lost{Removed}.top/admin.php?f=1.dat
    • hxxp://tsiv{Removed}
    • hxxp://long{Removed}
  • Below are examples of its ransom notes and an infected document:

    • Figure 1: Infected document.

    • Figure 2: Ransom notes.

  • Recommended Action

    • Make sure that your FortiGate/FortiClient system is using the latest AV database.
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.