Xls.Downloader.Donoff Office (OOXML) / .XLSX malware analysis — malicious · f6b99718625395db

MALICIOUS

Office (OOXML) / .XLSX

29.5 KB Created: 2006-09-15 19:01:29 UTC Authoring application: Microsoft Excel 16.0300

MD5: 4a72b2c605831582287abe33e836d505 SHA-1: e5037e290bc2bdc144db03b09b63d09d9bae0f06 SHA-256: f6b99718625395db4b5b2c1cdcf63b6e88b42762c39f9b8adde19d30dca97f74

360 Risk Score

Malware Insights

Xls.Downloader.Donoff · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter

The file is an Excel macro-enabled document containing a Workbook_Open macro. This macro utilizes Shell() and CreateObject calls, indicating it is designed to execute arbitrary commands. ClamAV signatures confirm this is a known downloader variant, Xls.Downloader.Donoff-10030344-0, which likely downloads and executes a second-stage payload.

Heuristics 8

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
ClamAV: Xls.Downloader.Donoff-10030344-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Donoff-10030344-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `c80b02e41e1c7aa20938d72b8e1d21c2ef4aa49db1dc1a8193184b5851d42231`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	11529 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`vbaProject_00.bin` `e546f036a7d4c44187b0020e5c8b52f13ff27606374cdc93aad3d243177573df`	vba-project	OOXML VBA project: xl/vbaProject.bin	41472 bytes
Detection ClamAV: Xls.Downloader.Donoff-10030344-0 Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.