Maldoc (RTF) drops Loda Logger


Lately I’ve been looking at a lot of maldocs. I’ve found all sorts of malware some of which I could not even identify. The problem is by the time I get around to blogging it, someone else has inevitable posted about it. For example this blog I have been preparing for the last few hours on and off yet someone has tweeted the document.

I originally found this document from an email. Out of all the emails that I had, this sample of Loda Logger was probably the most interesting (not Loki or Formbook, etc.).

I have been using lately as I find it really quite good and the ability to interact with it is very useful.

This blog just gives a little more info to what is already available from the run that I did.



The run was done using and hopefully you can download any files you want to look at from it. If not though let me know.





The maldoc came attached to a phishing email asking me to confirm receipt of a payment.

phishing email

It had relatively few detections on VT at the time of submission.

SHA256: 08db174405930afcfdbd415220e1c863dadfe9c1a049c42d735c96d1dee251e1
File name: Swift00002.doc
Detection ratio: 9 / 58
Analysis date: 2018-01-23 04:54:11 UTC ( 7 hours ago )

I believe the doc exploits CVE-2017-0199 which drops and runs a “.sct” file which is actually a scriplet.


The executable is added to Startup and copied to the folder “C:\Users\admin\AppData\Local\Temp\Skyp\CWAHLM.exe

Finally after an ipcheck (with a AutoIt user agent), data is sent to the C2 which matched a pattern for Loda Logger. According to Proofpoint’s article (link in the Background section) the following data is sent:

  • Victim’s Country
  • A hard coded string (seen ‘victim’, ‘Clientv4’)
  • Victim’s IP address
  • User account name
  • Windows version
  • Windows architecture (X64 or X86)
  • Webcam installed (Yes or No, enumerated using capGetDriverDescription from Avicap32.dll)
  • Installed AV Vendor (enumerated via running process names)
  • Malware version, i.e. 1.0.1
  • Hard coded string (seen ‘ddd’)
  • Monitor resolution in a special format (“Pr[Height]X2[Width]X3”)
  • OS type (can be “laptop”, “Desktop”, or “x”, enumerated using the WMI query “Select * from Win32_SystemEnclosure”)
  • Version (beta)


If you watch the video you can see the mouse moving towards the end of the video which was not something I was doing. So either someone else was looking at my run at the same time or the threat actor was connected to the VM.