MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e113acf5df0303c2e1c59e52daee010c9a876f34811dbfecf21cba7f82ee12be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loda


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e113acf5df0303c2e1c59e52daee010c9a876f34811dbfecf21cba7f82ee12be
SHA3-384 hash: 7f8eb0844835ddfbe147df44349ce5a9814092b239689d213384c04e8f385e558e26e72e18d9ceaf22b67825e153422b
SHA1 hash: 23d26ef545dfc01d1a251aadd384bc65ee03d31e
MD5 hash: b8f009ee52c99361c03488bca8a0c9b4
humanhash: queen-speaker-michigan-venus
File name:Confirmaci?n de pago.xls
Download: download sample
Signature Loda
Create hunting rule
File size:2'195'968 bytes
First seen:2026-02-27 03:10:16 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 49152:6NfJ46F5y2zzuIavXEsT+rFrrH+D3JPxaIgBM9M4RAfrkEx:YfJ4iy2z9uYRHAJxaNuzw
TLSH T1BDA52294F6F6807BFA111531046542EA15686C2E7A21CD5A35C7FB6F323BFB05EB2A0C
TrID 34.9% (.XLS) Microsoft Excel sheet (32500/1/3)
30.1% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3)
26.3% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
8.6% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika xls
Reporter abuse_ch
Tags:Loda xls


Avatar
abuse_ch
Loda C2:
195.177.94.66:4000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
195.177.94.66:4000 https://threatfox.abuse.ch/ioc/1755265/

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 16 sections in this file using oledump:

Section IDSection sizeSection name
1107 bytesCompObj
2272 bytesDocumentSummaryInformation
3216 bytesSummaryInformation
42069469 bytesWorkbook
5518 bytes_VBA_PROJECT_CUR/PROJECT
6104 bytes_VBA_PROJECT_CUR/PROJECTwm
7977 bytes_VBA_PROJECT_CUR/VBA/Sheet1
8977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
9977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
1087509 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
1110526 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
121278 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
13114 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
14420 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
15103 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
16559 bytes_VBA_PROJECT_CUR/VBA/dir

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
MSO
Details
MSO
extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros
Link:
https://research.acce.ciphertechsolutions.com/results/fdf5dc24-d689-4aa6-adbe-d7fab3cb7369/
Malware family:
n/a
ID:
1
File name:
_e113acf5df0303c2e1c59e52daee010c9a876f34811dbfecf21cba7f82ee12be.xls
Verdict:
Malicious activity
Analysis date:
2026-02-27 03:12:05 UTC
Tags:
macros macros-on-open auto-reg autoit
Link:
https://app.any.run/tasks/d806d240-2558-4e35-a01c-72fccae2b225

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54802/
Detection(s):
TwinWave.EvilDoc.StringBuilderInTheAirTonight.M2.20210602.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DidntIBlowYourMindThisTime.20210922.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a10b24c950ab5d9ab1fbcc
Tags:
office macro micro
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/e113acf5df0303c2e1c59e52daee010c9a876f34811dbfecf21cba7f82ee12be/results/dashboard
Behaviour
BlacklistAPI detected
Document image
Image:
Download PNG
Document image
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
macros macros-on-open obfuscated
Link:
https://www.filescan.io/uploads/69a10b2197feb4afd65e48b0/reports/ca613839-e3aa-4a07-9e2c-7c16df000893/overview
Verdict:
Malicious
Labled as:
Msoffice/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e113acf5df0303c2e1c59e52daee010c9a876f34811dbfecf21cba7f82ee12be
Gathering data
Verdict:
Malicious
File Type:
xls
Detections:
PDM:Exploit.Win32.Generic Trojan-Downloader.VBS.SLoad.sb Trojan.MSOffice.Stratos.wsnt HEUR:Trojan-Dropper.MSOffice.SDrop.gen Trojan.Win32.Autoit.sb Trojan-Downloader.JS.SLoad.sb HEUR:Trojan-Downloader.VBS.SLoad.gen Trojan-Downloader.AutoIt.TCP.C&C Trojan-Downloader.MSOffice.SLoad.sb Trojan-Downloader.JS.Cryptoload.sb Trojan.Win32.Agent.sb HEUR:Trojan.VBS.Agent.gen Trojan-Dropper.MSOffice.SDrop.sb HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan.Script.Generic HEUR:Trojan.Script.Agent.gen Trojan.MSOffice.SAgent.sb Trojan.MSIL.Dnoper.sb Trojan-PSW.Win32.Stealer.sb PDM:Trojan.Win32.Generic Trojan-Dropper.JS.SDrop.sb Trojan.MSOffice.Agent.sb HEUR:Trojan-Downloader.Script.Generic not-a-virus:RiskTool.Win32.Agent.bosz not-a-virus:RiskTool.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/e113acf5df0303c2e1c59e52daee010c9a876f34811dbfecf21cba7f82ee12be/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1875747
Signature
Antivirus detection for dropped file
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with hexadecimal encoded strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Microsoft Office drops suspicious files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process queries suspicious COM object (likely to drop second stage)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Potential malicious VBS script found (has network functionality)
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1875747 Sample: Confirmaci_n de pago.xls Startdate: 27/02/2026 Architecture: WINDOWS Score: 100 52 sbstorage.cfd 2->52 54 centos.linkpc.net 2->54 56 12 other IPs or domains 2->56 76 Suricata IDS alerts for network traffic 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Potential malicious VBS script found (has network functionality) 2->80 82 17 other signatures 2->82 10 EXCEL.EXE 187 54 2->10         started        15 Defender.exe 1 2->15         started        17 Defender.exe 1 2->17         started        signatures3 process4 dnsIp5 60 mr-b01.tm-azurefd.net 150.171.109.113, 443, 49727 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 10->60 62 mr-z01.tm-azurefd.net 150.171.109.118, 443, 49747, 49748 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 10->62 64 52.110.2.166, 443, 49722 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 10->64 44 C:\Users\user\...\Confirmaci_n de pago.xls, Composite 10->44 dropped 46 C:\Users\Public\6TDCIUQ07JCD.vbs, ASCII 10->46 dropped 94 Document exploit detected (creates forbidden files) 10->94 96 Office process queries suspicious COM object (likely to drop second stage) 10->96 98 Microsoft Office drops suspicious files 10->98 19 wscript.exe 16 10->19         started        24 splwow64.exe 10->24         started        100 Antivirus detection for dropped file 15->100 102 Multi AV Scanner detection for dropped file 15->102 104 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->104 106 Switches to a custom stack to bypass stack traces 15->106 file6 signatures7 process8 dnsIp9 58 sbstorage.cfd 142.171.127.243, 49731, 80 MTS-ASNCA Canada 19->58 38 C:\Users\user\AppData\Local\...\Chrome[1].js, ASCII 19->38 dropped 40 C:\Users\Public\B2EVUPWKIP63.js, ASCII 19->40 dropped 86 System process connects to network (likely due to code injection or exploit) 19->86 88 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->88 90 WScript reads language and country specific registry keys (likely country aware script) 19->90 26 wscript.exe 1 2 19->26         started        file10 signatures11 process12 file13 42 C:\Users\user\AppData\Local\...\Filname.exe, PE32 26->42 dropped 92 WScript reads language and country specific registry keys (likely country aware script) 26->92 30 Filname.exe 2 4 26->30         started        signatures14 process15 dnsIp16 66 centos.linkpc.net 195.177.94.66, 4000, 49750 DINET-ASRU Ukraine 30->66 48 C:\Users\user\AppData\...\Defender.exe, PE32 30->48 dropped 50 C:\Users\user\AppData\Local\Temp\TCIXWK.vbs, ASCII 30->50 dropped 68 Antivirus detection for dropped file 30->68 70 Multi AV Scanner detection for dropped file 30->70 72 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 30->72 74 3 other signatures 30->74 35 wscript.exe 30->35         started        file17 signatures18 process19 signatures20 84 Windows Scripting host queries suspicious COM object (likely to drop second stage) 35->84
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/e113acf5df0303c2e1c59e52daee010c9a876f34811dbfecf21cba7f82ee12be
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e113acf5df0303c2e1c59e52daee010c9a876f34811dbfecf21cba7f82ee12be/
Verdict:
Malicious
Threat:
Family.LODA
Link:
https://tip.neiki.dev/file/e113acf5df0303c2e1c59e52daee010c9a876f34811dbfecf21cba7f82ee12be
Threat name:
Document-Excel.Exploit.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-02-26 15:14:17 UTC
File Type:
Document
Extracted files:
27
AV detection:
9 of 24 (37.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ej2z5o7amb4fyoftzjnv3qbbsnio3zuqeo373hsds5h7axock7a._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution macro macro_on_action persistence
Link:
https://tria.ge/reports/260227-dn8xjshs2h/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
AutoIT Executable
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Process spawned unexpected child process
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e113acf5df03/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54802/

Comments