MassLogger is a spyware/stealer delivered via a malicious Word document that exploits vulnerabilities in the Equation Editor (CVE-2017-11882 and CVE-2018-0802) to take over control flow. Once one or both of these are exploited, a second-stage payload is downloaded from a URL, stored locally under %AppData%, and executed. This payload is obfuscated with a packer and injects code into a newly created instance of Notepad.exe. The injected code establishes persistence via a VBS script in the Windows Startup directory. It is at this point that the MassLogger malware's own actions become visible.
The malware collects information about the host machine using WMI queries and other techniques. The data collected includes the OS, processor, video controller, and installed antivirus software. It then keylogs and attempts to steal information from web browsers, FTP clients, and email clients. This information is written to a log file, bundled with a screenshot, zipped into an archive, and sent to a URL. Though obfuscated, the behavior of MassLogger is distinctive enough to allow for recognition.
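The chain described across the two paragraphs above (Equation Editor exploitation, payload dropped under %AppData% and executed, injection into Notepad.exe, a VBS in the Startup folder, WMI host recon, and exfiltration from the injected process) is what a detection engineer would correlate rather than match on any single indicator. As an added example that is not part of the original write-up and not MassLogger's or any vendor's code, the Python below runs such a stage-correlation rule over a constructed, EDR-style event list. The event field names, the drop path and the sample records are assumptions for illustration; the Equation Editor binary name (EQNEDT32.EXE), the Startup folder location and the WMI class names are standard Windows facts.

```python
"""Added example, not from the original write-up: correlating the MassLogger
infection chain over EDR-style telemetry. Event shapes, paths and sample
records are constructed assumptions for illustration."""

# Equation Editor binary abused by CVE-2017-11882 / CVE-2018-0802. It is
# started through DCOM (parent svchost.exe), so the rule keys on what
# EQNEDT32.EXE does, not on a WINWORD.EXE parent/child relationship.
EQUATION_EDITOR = "eqnedt32.exe"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# WMI classes that yield the OS, CPU, video-controller and AV details.
RECON_CLASSES = ("win32_operatingsystem", "win32_processor",
                 "win32_videocontroller", "antivirusproduct")


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_masslogger_chain(events):
    """Return the set of chain stages seen in a time-ordered event list."""
    stages = set()
    dropped = set()        # files EQNEDT32.EXE wrote under %AppData%
    payloads = set()       # dropped files that were later executed
    recon = set()          # recon WMI classes queried by notepad.exe
    for ev in events:
        kind, image = ev["type"], _base(ev.get("image", ""))
        if kind == "network":
            if image == EQUATION_EDITOR:
                stages.add("equation_editor_download")
            elif image == "notepad.exe":
                stages.add("notepad_exfil")
        elif kind == "file_create":
            target = ev["target"].lower()
            if image == EQUATION_EDITOR and "\\appdata\\" in target:
                dropped.add(target)
                stages.add("payload_dropped_in_appdata")
            elif image == "notepad.exe" and STARTUP_DIR in target \
                    and target.endswith(".vbs"):
                stages.add("startup_vbs_persistence")
        elif kind == "process_create":
            path = ev["image"].lower()
            if path in dropped:
                payloads.add(path)
                stages.add("dropped_payload_executed")
        elif kind == "remote_thread":
            if ev["source_image"].lower() in payloads \
                    and _base(ev["target_image"]) == "notepad.exe":
                stages.add("notepad_injection")
        elif kind == "wmi_query" and image == "notepad.exe":
            recon.update(c for c in RECON_CLASSES if c in ev["query"].lower())
    if len(recon) >= 3:
        stages.add("wmi_host_recon")
    return stages


def is_masslogger_like(events, min_stages=4):
    """Verdict: a payload executed out of the Equation Editor plus enough of
    the post-exploitation behaviour to rule out a lone anomaly."""
    stages = detect_masslogger_chain(events)
    return "dropped_payload_executed" in stages and len(stages) >= min_stages


# Constructed sample telemetry (hypothetical host, user and file names).
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROP = r"C:\Users\alice\AppData\Roaming\upd.exe"
NOTE = r"C:\Windows\System32\notepad.exe"
SAMPLE_CHAIN = [
    {"type": "network", "image": EQN, "dest": "203.0.113.10", "dest_port": 80},
    {"type": "file_create", "image": EQN, "target": DROP},
    {"type": "process_create", "image": DROP, "parent_image": EQN},
    {"type": "remote_thread", "source_image": DROP, "target_image": NOTE},
    {"type": "file_create", "image": NOTE, "target":
        r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.vbs"},
    {"type": "wmi_query", "image": NOTE, "query": "SELECT * FROM Win32_OperatingSystem"},
    {"type": "wmi_query", "image": NOTE, "query": "SELECT * FROM Win32_Processor"},
    {"type": "wmi_query", "image": NOTE, "query": "SELECT * FROM Win32_VideoController"},
    {"type": "wmi_query", "image": NOTE, "query": "SELECT displayName FROM AntiVirusProduct"},
    {"type": "file_create", "image": NOTE, "target": r"C:\Users\alice\AppData\Local\Temp\log.zip"},
    {"type": "network", "image": NOTE, "dest": "203.0.113.10", "dest_port": 80},
]
BENIGN = [
    {"type": "process_create", "image": NOTE, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "image": NOTE, "target": r"C:\Users\alice\Documents\notes.txt"},
    {"type": "wmi_query", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "query": "SELECT * FROM Win32_OperatingSystem"},
]

if __name__ == "__main__":
    for name, evs in (("infection chain", SAMPLE_CHAIN), ("benign", BENIGN)):
        print(name, sorted(detect_masslogger_chain(evs)), is_masslogger_like(evs))
```

The rule deliberately anchors on the Equation Editor writing and launching a file under %AppData%, because that process has no legitimate reason to do either, and then demands several of the later stages before raising a verdict; a single notepad.exe network connection or Startup-folder write on its own is noisy, but the combination is the distinctive behavior the write-up describes.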