Lokibot — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 21675edce1fdabfe…

MALICIOUS

Office (OLE) / .DOC

694.0 KB Created: 2023-05-29 05:48:00 Authoring application: Microsoft Office Word First seen: 2023-05-30
MD5: b0ca4a594554108648e560f33da3b0c4 SHA-1: 39da93025ca7cdf352c455c0a1b99055ad0dd14a SHA-256: 21675edce1fdabfee96407ac2683bcad0064c3117ef14a4333e564be6adf0539
Risk Score: 170

Malware Insights

Lokibot · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer

ClamAV identifies the sample as Doc.Trojan.Lokibot. The embedded VBA project defines both AutoOpen and Document_Open, so the payload runs as soon as the document is opened in Word with macros enabled, whichever auto-execution entry point fires. The macro resolves the user's temporary directory with Environ("tEmP") and writes an INF file named 'RR.inf' there, then executes it. Environ() looks the variable name up case-insensitively, so the mixed-case spelling reaches the same %TEMP% directory while evading naive string matches on "TEMP"; staging in %TEMP% is a common technique. The dropped INF is most likely the loader that downloads and runs the second-stage component (the Ingress Tool Transfer mapping above); that download is not itself observable in static analysis and should be confirmed dynamically.

Heuristics 6

  • ClamAV: Doc.Trojan.Lokibot-10006599-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Lokibot-10006599-1
  • AutoOpen macro high OLE_VBA_AUTOOPEN
  • Document_Open macro high OLE_VBA_DOCOPEN
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (the Office Open XML DrawingML namespace identifier from the document's own markup; a structural string, not a network indicator, and not an IOC for this sample)
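
As an added illustration, the following Python triage script reproduces the heuristics above over decoded VBA source. It is example code written for this page, not the analysed sample's macro and not the analyser's own logic. It flags the AutoOpen/Document_Open entry points, Environ() calls, an INF path literal and a file-write statement, matches Environ("temp") case-insensitively so the 'tEmP' spelling is still caught, and labels URLs under Office XML namespace hosts as structural rather than as indicators. The VBA snippet, the rule ids VBA_TEMP_STAGING, VBA_FILE_WRITE and VBA_INF_DROP, and the NAMESPACE_HOSTS list are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed VBA for this example only. It is NOT the macro code carved from
# the analysed sample (that is in macros.bas, which this page does not print);
# it merely reproduces the behaviours the report describes.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    AutoOpen
End Sub

Sub AutoOpen()
    Dim p As String
    p = Environ("tEmP") & "\RR.inf"
    Open p For Output As #1
    Print #1, "[version]"
    Close #1
End Sub
'''

# Assumed list: hosts whose URLs are Office/XML namespace identifiers,
# not network indicators.
NAMESPACE_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org")

# (rule id, severity, pattern). Matching is case-insensitive because VBA
# keywords, identifiers and Environ() variable names all are; that is exactly
# why Environ("tEmP") must be caught the same way as Environ("TEMP").
# The first three ids mirror the report's labels; the rest are assumed names.
RULES = [
    ("OLE_VBA_AUTOOPEN", "high",   r'\bSub\s+AutoOpen\b'),
    ("OLE_VBA_DOCOPEN",  "high",   r'\bSub\s+Document_Open\b'),
    ("OLE_VBA_ENVIRON",  "low",    r'\bEnviron\s*\(\s*"([^"]*)"\s*\)'),
    ("VBA_TEMP_STAGING", "medium", r'\bEnviron\s*\(\s*"(?:temp|tmp)"\s*\)'),
    ("VBA_FILE_WRITE",   "medium", r'^\s*Open\b.+\bFor\s+(?:Output|Append|Binary)\b'),
    ("VBA_INF_DROP",     "medium", r'"[^"\n]*\.inf"'),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    evidence: str  # the literal source text that matched, spelling preserved


def scan_vba(src: str) -> list[Finding]:
    """Run every rule over decoded VBA source; one finding per rule that hits."""
    out = []
    for rule, sev, pat in RULES:
        m = re.search(pat, src, re.IGNORECASE | re.MULTILINE)
        if m:
            out.append(Finding(rule, sev, m.group(0).strip()))
    return out


def classify_urls(text: str) -> list[tuple[str, str]]:
    """Extract URLs and label namespace URLs so they are not mistaken for C2."""
    urls = re.findall(r"""https?://[^\s"'<>)]+""", text)
    labelled = []
    for u in dict.fromkeys(urls):  # de-duplicate, keep first-seen order
        host = re.match(r"https?://([^/]+)", u).group(1).lower()
        label = "xml-namespace" if host in NAMESPACE_HOSTS else "review"
        labelled.append((u, label))
    return labelled


def verdict(findings: list[Finding]) -> str:
    """Auto-exec entry point plus temp staging or a file write => suspicious."""
    ids = {f.rule for f in findings}
    autoexec = bool(ids & {"OLE_VBA_AUTOOPEN", "OLE_VBA_DOCOPEN"})
    staging = bool(ids & {"VBA_TEMP_STAGING", "VBA_FILE_WRITE", "VBA_INF_DROP"})
    if autoexec and staging:
        return "suspicious"
    return "review" if autoexec else "clean"


if __name__ == "__main__":
    found = scan_vba(SAMPLE_VBA)
    for f in found:
        print(f"{f.severity:6} {f.rule:18} {f.evidence}")
    print("verdict:", verdict(found))
    markup = 'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"'
    for u, lab in classify_urls(markup):
        print(lab, u)
```

The evidence field keeps the matched text as written, so a reviewer sees 'Environ("tEmP")' rather than a normalised form and can tell deliberate case-mangling from an ordinary call. Against a real sample you would feed this the olevba-decoded source (the macros.bas artifact below) instead of the constructed snippet.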

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  220230 bytes
             SHA-256: 5cce945c341cab465a860477e9d17b47de434be4cad80f6f7b5e0bd13c0f4646