MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a755a007b70e18ddefbc16900a9425340b2607299ada0827cc3804d23a77b02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loda

Vendor detections: 18

SHA256 hash: 2a755a007b70e18ddefbc16900a9425340b2607299ada0827cc3804d23a77b02
SHA3-384 hash: a754232070e22087b7626ddcb772d8a20395d5703067b392f9670633249f847cf927cc0261b370fc5b88b73f19a1fd44
SHA1 hash: 2f56303d7db40d0b459483299d03e100939acd96
MD5 hash: 2e854dceaf1a40fa2ff8dad30d53a5f3
humanhash: illinois-double-winner-mobile
File name: Detalle_Pago_Reserva_Grupo_Juan_Carlos_RamC3ADrez_Mayo_2026.xls
Signature: Loda
File size: 2'189'312 bytes
First seen: 2026-03-17 06:44:37 UTC
Last seen: Never
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 49152:3NfJ46F5y2zzuIavXEsT+rFrrH+D3JPxaIgBM9M4RAf4:9fJ4iy2z9uYRHAJxaNuzw
TLSH: T1F1A52296EAE6407BFA211234142581F515286D296720CD5E26CBFB6F323BFB05FB5E0C
TrID: 34.9% (.XLS) Microsoft Excel sheet (32500/1/3)
      30.1% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3)
      26.3% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
      8.6% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: xls
Reporter: abuse_ch
Tags: Loda xls


abuse_ch
Loda botnet C2:
centos.linkpc.net

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 16 sections in this file using oledump:

Section ID   Section size    Section name
1            107 bytes       CompObj
2            272 bytes       DocumentSummaryInformation
3            216 bytes       SummaryInformation
4            2069469 bytes   Workbook
5            522 bytes       _VBA_PROJECT_CUR/PROJECT
6            104 bytes       _VBA_PROJECT_CUR/PROJECTwm
7            977 bytes       _VBA_PROJECT_CUR/VBA/Sheet1
8            977 bytes       _VBA_PROJECT_CUR/VBA/Sheet2
9            977 bytes       _VBA_PROJECT_CUR/VBA/Sheet3
10           81204 bytes     _VBA_PROJECT_CUR/VBA/ThisWorkbook
11           9871 bytes      _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
12           1278 bytes      _VBA_PROJECT_CUR/VBA/__SRP_0
13           114 bytes       _VBA_PROJECT_CUR/VBA/__SRP_1
14           420 bytes       _VBA_PROJECT_CUR/VBA/__SRP_2
15           103 bytes       _VBA_PROJECT_CUR/VBA/__SRP_3
16           559 bytes       _VBA_PROJECT_CUR/VBA/dir

Intelligence


File Origin
# of uploads :
1
# of downloads :
151
Origin country :
SE
Vendor Threat Intelligence
Malware configuration found for:
MSO
Details
MSO
Extracted VBA macros and, if observed, MS-OFORM variables/data are added to the knowledge base for use in later parsing of the macros.
Malware family:
n/a
ID:
1
File name:
Detalle_Pago_Reserva_Grupo_Juan_Carlos_RamC3ADrez_Mayo_2026.xls
Verdict:
Malicious activity
Analysis date:
2026-03-17 00:39:39 UTC
Tags:
macros macros-on-open loader auto-reg autoit

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Verdict:
Malicious
Score:
94.9%
Tags:
office macro micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Launching a process
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Behaviour
BlacklistAPI detected
Document image
Document image
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
dropper macros macros-on-open obfuscated packed
Verdict:
Malicious
Labeled as:
Msoffice/malicious_confidence_100%
Label:
Malicious
Suspicious Score:
10/10
Score Malicious:
1%
Score Benign:
0%
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Verdict:
Malicious
File Type:
xls
Detections:
Trojan-Downloader.JS.Cryptoload.sb Trojan.Win32.Agent.sb HEUR:Trojan.VBS.Agent.gen PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan.MSOffice.SAgent.sb Trojan.MSOffice.Agent.sb Trojan-Spy.Win32.Agent Trojan.MSIL.Dnoper.sb HEUR:Trojan-Downloader.Script.Generic PDM:Exploit.Win32.Generic Trojan.Win32.Agent.xcdbgv Trojan.MSOffice.Stratos.wsnt Trojan-Downloader.AutoIt.TCP.C&C Trojan.Win32.Autoit.sb Trojan-Dropper.MSOffice.SDrop.sb Trojan-Downloader.JS.SLoad.sb not-a-virus:RiskTool.Win32.Agent.sb Trojan-Downloader.VBS.SLoad.sb Trojan-Dropper.JS.SDrop.sb
Result
Threat name:
LodaRAT
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Signature
AI detected malicious page (phishing or scam)
Antivirus detection for dropped file
Antivirus detection for URL or domain
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with hexadecimal encoded strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Microsoft Office drops suspicious files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process queries suspicious COM object (likely to drop second stage)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Potential malicious VBS script found (has network functionality)
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected LodaRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1884691 (Sample: Detalle_Pago_Reserva_Grupo_..., Startdate: 17/03/2026, Architecture: WINDOWS, Score: 100)

Sample-level nodes: sbstorage.club; us1.roaming1.live.com.akadns.net; 10 other IPs or domains; Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 23 other signatures.

Process chain recovered from the graph:
EXCEL.EXE (started)
    network: 13.107.246.38:443 and 52.110.2.164:443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
    dropped: C:\Users\Public\K7P7ERDVZGRC.vbs (ASCII)
    signatures: Document exploit detected (creates forbidden files); Office process queries suspicious COM object (likely to drop second stage); Microsoft Office drops suspicious files
    -> wscript.exe (started)
        network: sbstorage.club 142.171.127.243:80 (MTS-ASNCA, Canada)
        dropped: C:\Users\user\AppData\...\HQWDTQ.vmp[1].exe (PE32); C:\Users\Public\1LE2HU3L72EB.exe (PE32)
        signatures: System process connects to network (likely due to code injection or exploit); Drops PE files to the user root directory; Windows Scripting host queries suspicious COM object (likely to drop second stage); WScript reads language and country specific registry keys (likely country aware script)
        -> 1LE2HU3L72EB.exe (started)
            network: centos.linkpc.net 195.177.94.66:4000 (DINET-ASRU, Ukraine)
            dropped: C:\Users\user\AppData\Roaming\...\edge.exe (PE32); C:\Users\user\AppData\Local\Temp\BDCHKP.vbs (ASCII)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; 3 other signatures
            -> wscript.exe (started)
                signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
edge.exe (two instances started from the sample root)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Switches to a custom stack to bypass stack traces
Verdict:
Malware
YARA:
7 match(es)
Tags:
Corrupted Office Document
Threat name:
Script-WScript.Malware.Heuristic
Status:
Malicious
First seen:
2026-03-17 00:39:46 UTC
File Type:
Document
Extracted files:
27
AV detection:
10 of 36 (27.78%)
Threat level:
2/5
Result
Malware family:
n/a
Score:
10/10
Tags:
discovery macro macro_on_action persistence
Behaviour
Checks processor information in registry
Enumerates system info in registry
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
AutoIT Executable
Adds Run key to start application
Process spawned suspicious child process
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Downloads MZ/PE file
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments