{
	"id": "89635028-3f12-4c8a-bda2-708bec275e05",
	"created_at": "2026-04-06T00:11:48.323277Z",
	"updated_at": "2026-04-10T03:22:50.197459Z",
	"deleted_at": null,
	"sha1_hash": "47b6feae591217c7cb3b5c735fbd4d6acf06410e",
	"title": "LokiBot: Getting Equation Editor Shellcode",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 228492,
	"plain_text": "LokiBot: Getting Equation Editor Shellcode\r\nPublished by Jamie\r\nPublished: 2020-03-31 · Archived: 2026-04-05 16:48:01 UTC\r\nWhile today’s analysis will be similar to one we’ve done before, it will be almost exactly the same as this one from SANS. Although it’s been done by others, it never hurts to practice using these tools and get that muscle memory down. We’ll be working off of this document right here: https://app.any.run/tasks/db864efd-35b3-4e91-9e84-c6149dbfd4d7.\r\nOLEDUMP\r\nUsing oledump, we see a big chunk of data called ‘EncryptedPackage’.\r\nIn this case, it means that one or more sheets in the workbook have been locked to protect changes to the data. But there are tools to get around this. By simply pointing msoffcrypto-crack.py at the document, we will see a familiar password pop up.\r\nhttps://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/\r\nPage 1 of 5\r\nAt this point, we could do one of two things. We could use msoffcrypto-crack.py to crack the password and output a new unprotected file of the same name…\r\n… or we could just pipe the output directly into oledump.py. Doing so, we see that there are no macros or anything like that. Instead, we see ‘eQUaTiON naTIvE’.\r\nLet’s dump that part of the object to another file where we can work on it.\r\nWe can use XORSearch.exe to search that binary file for various signatures of 32-bit shellcode. We see that GetEIP was found in two locations.\r\nscDbg.exe\r\nWe then move to a shellcode emulator called scDbg.exe. We can load the dumped binary in there and feed it the offset position to see if any sort of decoded shellcode appears.\r\nAnd it does! Note that it dumped it to a file called oledump.unpack. However, notice how the unpacked information isn’t very informative. But that last line says, “Change found at 402438…”. We can use another tool called cut-bytes.py to look at the oledump.unpack from that point. Notice strings such as LoadLibraryW… ExpandEnvironmentStringsW… APPDATA\\vbc.exe… htp://frndgreen and so on.\r\nBut can we get this output in a little more… readable form? Yes, we can, with scDbg.exe again. First, let’s cut out only the bytes necessary.\r\nUsing oledump-cut.unpack, we do run into a problem when we toss it into scDbg.exe. We don’t see anything beyond ExpandEnvironmentStringsW.\r\nThe SANS blog post referenced at the beginning shows how to deal with this. It turns out that scDbg.exe does not hook ExpandEnvironmentStringsW, but it does hook ExpandEnvironmentStringsA. We can then try patching the .unpack file by overwriting the StringsW with StringsA. Save your change and then toss it back into scDbg.exe like we tried above.\r\nAnother option is to overwrite that character directly from the command line. Looking at the hex editor above, we can see that we are at offset 0x77. We can add that to the starting point in scDbg.exe like so:\r\nWe can now see everything in a much clearer format and it looks like it’s downloading Lokibot.\r\nThanks for reading!\r\nJust a Security Engineer that loves ripping apart malicious documents.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/"
	],
	"report_names": [
		"lokibot-getting-equation-editor-shellcode"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434308,
	"ts_updated_at": 1775791370,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47b6feae591217c7cb3b5c735fbd4d6acf06410e.pdf",
		"text": "https://archive.orkl.eu/47b6feae591217c7cb3b5c735fbd4d6acf06410e.txt",
		"img": "https://archive.orkl.eu/47b6feae591217c7cb3b5c735fbd4d6acf06410e.jpg"
	}
}