Doc.Downloader.Loda — Office (OOXML) / .DOC malware analysis

Static analysis result for SHA-256 9cd46f97596a81bd…

MALICIOUS

Office (OOXML) / .DOC

179.5 KB Created: 2024-08-01 04:21:00 UTC Authoring application: Microsoft Office Word 12.0000
MD5: 1f37c78539a155318f4cd8745b1c1d01 SHA-1: 4acb2320b8368f00693baf955b5b67048e477257 SHA-256: 9cd46f97596a81bd0ed8d5eaa88b26262d68a56c03d5e92481c45079a52f56d4
160 Risk Score

Malware Insights

Doc.Downloader.Loda · confidence 95%

MITRE ATT&CK
T1204.002 Malicious File T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Doc.Downloader.Loda-7570590-0. Heuristics indicate remote template injection and external relationships pointing to http://154.216.19.225/file/siEOdAkkMiuAnxVO.doc. The document body presents a list of industrial parts, likely as a lure to encourage users to enable macros. The SE_ENABLE_LURE heuristic confirms the presence of such a lure. This suggests the document's primary purpose is to download and execute a secondary payload.

Heuristics 5

  • ClamAV: Doc.Downloader.Loda-7570590-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Loda-7570590-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://154.216.19.225/file/siEOdAkkMiuAnxVO.doc) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://154.216.19.225/file/siEOdAkkMiuAnxVO.doc
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Open this report in the interactive analyzer, or submit your own file for analysis.