Lokibot — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 4a23054c2241e20a…

MALICIOUS

Office (OLE) / .DOC

Size: 691.0 KB
Created: 2023-05-27 22:22:00
Authoring application: Microsoft Office Word
First seen: 2023-05-28
MD5: 8da89ac6a3f661cfd17e4aca84b27f05
SHA-1: 71e1610f2c2d84760d3fb90060cfcca7c307534b
SHA-256: 4a23054c2241e20aec97c9b0937a37f63c30e321be01398977e13228fa980f29
Risk Score: 170

Malware Insights

Lokibot · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The critical ClamAV detection and high-severity heuristics for AutoOpen and Document_Open macros strongly indicate a malicious document. The VBA script attempts to write an INF file to the temporary directory and execute it using LaunchINFSectionW, likely to download and run a second-stage payload. The Environ() call suggests dynamic path construction, potentially for persistence or payload staging.

Heuristics (6)

  • ClamAV: Doc.Trojan.Lokibot-10006599-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Lokibot-10006599-1
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Environ() call (env variable access) [low, OLE_VBA_ENVIRON]
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 8e57075df5518d4d0b2e0be862760d576c65aa50fe804bbd90a60574045fce68
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 224738 bytes