Doc.Downloader.Loda — Office (OOXML) / .DOC malware analysis

Static analysis result for SHA-256 c24018bb807d3e92…

MALICIOUS

Office (OOXML) / .DOC

Size: 16.0 KB
Created: 2023-03-27 22:13:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2023-09-12
MD5: c5d8ebe810f693d620b17a184cecd785
SHA-1: 8fecc3498d6481e7a423ae5795cda5f996ddc27a
SHA-256: c24018bb807d3e9291b2cfe7b7930bb8664508150ad1a7d108e667160345b643
Risk Score: 162

Malware Insights

Doc.Downloader.Loda · confidence 95%

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The file is identified as a malicious downloader by ClamAV. It uses a lure of an inventory list to trick users into enabling macros. The presence of remote template injection and external relationship heuristics, along with an unknown reputation URL, indicates it is configured to fetch additional content from a remote source.

Heuristics (5)

  • ClamAV: Doc.Downloader.Loda-7570590-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Loda-7570590-0
  • Remote template injection (high, OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (http://185.28.39.17:7777/185.28.39.18/obizx.doc), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (high, OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: http://185.28.39.17:7777/185.28.39.18/obizx.doc
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://185.28.39.17:7777/185.28.39.18/obizx.doc
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml