topic Cortex XDR flagged malicious macros in Cortex XDR Discussions

Cortex XDR flagged malicious macros

chawki — Wed, 28 Feb 2024 14:51:23 GMT

Hi team
Cortex XDR keeps generates hundreds of alerts due to suspicious macro detected in my network.
Severity : High
Alert Source : XDR Agent
Action : Detected (Post Detected)

Category : Malware
Extensions : .xls .tmp .xlt .xar

Seems Cortex deletes all kind of files that has macros , but in reality those are not malicious.

"alerts_table": {
"alert_json": {
"action_country": [
"UNKNOWN"
],
"action_file_extension": [
".xls"
],
"action_file_name": [
"5406272E.xls"
],
"action_file_path": [
"C:\\Users\\XXXXX\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.MSO\\5406272E.xls"
],
"action_file_sha256": [
"b765f574a58676191bfdd5876ba7fc41d749197b9b8d1d48381bd8b057a8aa40"
],
"action_process_signature_status": [
"SIGNATURE_UNAVAILABLE"
],
"actor_effective_username": [
"N/A"
],
"actor_process_signature_status": [
"SIGNATURE_UNAVAILABLE"
],
"agent_data_collection_status": false,
"agent_device_domain": "XXXX",
"agent_fqdn": "XXXXXX",
"agent_hostname": "XXXXXX",
"agent_id": "9d0d8ee73cfc4be39ce6a3dde57ddfcb",
"agent_ip_addresses": [

],
"agent_is_vdi": false,
"agent_os_sub_type": "10.0.19045",
"agent_os_type": "AGENT_OS_WINDOWS",
"agent_version": "8.2.1.47908",
"alert_action_status": "POST_DETECTED",
"alert_category": "Malware",
"alert_description": "Suspicious macro detected",
"alert_ingest_status": "READY",
"alert_is_fp": false,
"alert_name": "WildFire Malware",
"alert_source": "TRAPS",
"alert_type": "Unclassified",
"association_strength": [
50
],

Re: Cortex XDR flagged malicious macros

Daniel_Ponce — Wed, 28 Feb 2024 15:12:27 GMT

HI,

From my part, I have experienced the same issue in various tenants where alerts are triggered by WildFire, as it has classified a malicious macro with the following hash:

9eec5eadef0a1883a2177e016ff2a0ddc9fd3cdb0549554043079b672a181228

I opened a support case this morning, but I have not received a response yet

Re: Cortex XDR flagged malicious macros

chawki — Wed, 28 Feb 2024 15:14:40 GMT

Same here. I opened a case and still waiting for support.

Re: Cortex XDR flagged malicious macros

InakiMartinez — Wed, 28 Feb 2024 15:22:05 GMT

Same problem here, we are having this issue from 2 AM and still continue triggering the alerts

Re: Cortex XDR flagged malicious macros

micomi — Thu, 29 Feb 2024 09:55:07 GMT

I had the same issue and opened a case. Support told me yesterday that the macro is analysed again and that the verdict for the hash 9eec5eadef0a1883a2177e016ff2a0ddc9fd3cdb0549554043079b672a181228 was changed back to benign. I had no issues since Palo Alto changed the verdict to benign

Re: Cortex XDR flagged malicious macros

aspatil — Thu, 29 Feb 2024 11:39:13 GMT

Hello All,

Thanks for reaching out on LiveCommunity!

The hit was due to Wildfire Verdict which uses Machine Learning to analyze the file. Our Team has investigated the issue and changed the verdict to Benign: The sample is safe and does not exhibit malicious behavior.

Verdicts that you suspect are either false positives or false negatives can be submitted to the Palo Alto Networks threat team for additional analysis via Support Case or reaching out to SE.

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.