{
	"id": "2cd44148-615e-432b-91ee-1bc87857ffff",
	"created_at": "2026-04-06T00:06:44.091431Z",
	"updated_at": "2026-04-10T03:21:20.486672Z",
	"deleted_at": null,
	"sha1_hash": "8d0959e01ae6161719267cc308774e003bdaa884",
	"title": "Maldoc (RTF) drops Loda Logger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1087061,
	"plain_text": "Maldoc (RTF) drops Loda Logger\r\nPublished: 2018-01-23 · Archived: 2026-04-05 15:33:05 UTC\r\nSummary:\r\nLately I’ve been looking at a lot of maldocs. I’ve found all sorts of malware, some of which I could not even identify. The problem is that by the time I get around to blogging it, someone else has inevitably posted about it. For example, this blog, which I have been preparing for the last few hours on and off, yet someone has tweeted the document.\r\nI originally found this document in an email. Out of all the emails that I had, this sample of Loda Logger was probably the most interesting (not Loki or Formbook, etc.).\r\nI have been using any.run lately as I find it really quite good, and the ability to interact with it is very useful.\r\nThis blog just gives a little more info to what is already available from the any.run run that I did.\r\nBackground:\r\nhttps://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware\r\nDownloads:\r\nThe run was done using any.run and hopefully you can download any files you want to look at from it. If not, though, let me know.\r\nhttps://app.any.run/tasks/2f5e4b28-4e8a-4418-b036-0368c2435c3a\r\nhttps://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/\r\nOverview:\r\nAnalysis:\r\nThe maldoc came attached to a phishing email asking me to confirm receipt of a payment.\r\nIt had relatively few detections on VT at the time of submission.\r\nSHA256: 08db174405930afcfdbd415220e1c863dadfe9c1a049c42d735c96d1dee251e1\r\nFile name: Swift00002.doc\r\nDetection ratio: 9 / 58\r\nAnalysis date: 2018-01-23 04:54:11 UTC ( 7 hours ago )\r\nI believe the doc exploits CVE-2017-0199, which drops and runs a “.sct” file which is actually a scriptlet.\r\nThe executable is added to Startup and copied to the folder\r\n“C:\\Users\\admin\\AppData\\Local\\Temp\\Skyp\\CWAHLM.exe”\r\nFinally, after an ipcheck (with an AutoIt user agent), data is sent to the C2, which matched a pattern for Loda Logger. According to Proofpoint’s article (link in the Background section) the following data is sent:\r\nVictim’s Country\r\nA hard coded string (seen ‘victim’, ‘Clientv4’)\r\nVictim’s IP address\r\nUser account name\r\nWindows version\r\nWindows architecture (X64 or X86)\r\nWebcam installed (Yes or No, enumerated using capGetDriverDescription from Avicap32.dll)\r\nInstalled AV Vendor (enumerated via running process names)\r\nMalware version, i.e. 1.0.1\r\nHard coded string (seen ‘ddd’)\r\nMonitor resolution in a special format (“Pr[Height]X2[Width]X3”)\r\nOS type (can be “laptop”, “Desktop”, or “x”, enumerated using the WMI query “Select * from Win32_SystemEnclosure”)\r\nVersion (beta)\r\nIf you watch the any.run video you can see the mouse moving towards the end of the video, which was not something I was doing. So either someone else was looking at my run at the same time or the threat actor was connected to the VM.\r\nSource: https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/"
	],
	"report_names": [
		"maldoc-rtf-drop-loda-logger"
	],
	"threat_actors": [],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d0959e01ae6161719267cc308774e003bdaa884.pdf",
		"text": "https://archive.orkl.eu/8d0959e01ae6161719267cc308774e003bdaa884.txt",
		"img": "https://archive.orkl.eu/8d0959e01ae6161719267cc308774e003bdaa884.jpg"
	}
}