LokiBot — Office (OOXML) / .DOC malware analysis

Static analysis result for SHA-256 ce1bcd2279471731…

MALICIOUS

Office (OOXML) / .DOC

Size: 422.3 KB
Created: 2022-04-21 02:07:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2022-04-21
MD5: 9f9f76d603f0422d3e77e21809bc9a15
SHA-1: 7da6f9666883d9f422486c037a4ffeba38f5ba0f
SHA-256: ce1bcd227947173147be480be0993880e6594e35dd75e72fbef8f72ff5271d8a
Risk score: 282

Malware Insights

LokiBot · confidence 95%

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The file is identified as malicious by ClamAV as Win.Dropper.LokiBot-10023508-0. Static analysis revealed an embedded OLE object containing a script designed to download and execute a second-stage payload. The heuristic 'OFFICE_PACKAGE_SCRIPT_DROPPER' specifically indicates that the package payload combines shell, network-fetch, and execute markers, with URLs pointing to Microsoft domains which are likely used as part of the download mechanism. The presence of an executable file type within the OLE package further supports its role as a dropper.

Heuristics 7

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 (severity: high; rule: CVE_2026_21514, CVE likely)
    Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • Ole10Native package payload is a download-and-execute script (severity: critical; rule: OFFICE_PACKAGE_SCRIPT_DROPPER)
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • ClamAV: Win.Dropper.LokiBot-10023508-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Dropper.LokiBot-10023508-0
  • ClamAV detection on extracted artifact (severity: critical; rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Ole10Native package carries executable/script file type (severity: high; rule: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation
    • http://schemas.microsoft.com/SMI/2005/WindowsSettings
    • http://schemas.microsoft.com/SMI/2016/WindowsSettings

Extracted artifacts 3

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size / Detection

  • ooxml_oleobject_00.bin
    SHA-256: bb3ede3c62d5e46644a54d5bba1afb7283701d02dae3a30fedcb9737f4427b24
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 602112 bytes
    Detection: ClamAV: Win.Dropper.LokiBot-10023508-0
    Obfuscation or payload: unlikely
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: a95ff5be3aac238b23153ab9ad325f0874f52d561d563ee662a91755f030ea08
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 594831 bytes
    Detection: ClamAV: Win.Dropper.LokiBot-10023508-0
    Obfuscation or payload: unlikely
  • emf_00.emf
    SHA-256: 1859020400393d5d33cad00a74e4239d5d89caaf08ae76007840d61a2f7ea004
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 5260 bytes