SHA256: 0a5028c02d400477edc016c5907b1be43670a53ee59691841d7d97291b19a1ef
File name: 690UICEBVOFF735.docm
Detection ratio: 13 / 57
Analysis date: 2017-06-07 09:12:44 UTC ( 1 year, 10 months ago )
Antivirus Result Update
AhnLab-V3 WM/Downloader 20170606
Avira (no cloud) W97M/Agent.7510415 20170607
Cyren PP97M/Downldr 20170607
Emsisoft VB:Trojan.Valyria.556 (B) 20170607
F-Prot New or modified PP97M/Downldr 20170607
F-Secure Trojan:W97M/MaliciousMacro.GEN 20170607
Fortinet WM/Nemucod.0EFE!tr.dldr 20170607
GData VB:Trojan.Valyria.556 20170607
Ikarus Trojan-Downloader.VBA.Jaff 20170607
Kaspersky HEUR:Trojan-Downloader.Script.Generic 20170607
Panda VBS/Jenxcus.A 20170606
Qihoo-360 virus.office.obfuscated.1 20170607
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20170607
Ad-Aware undetected 20170607
AegisLab undetected 20170607
Alibaba undetected 20170607
ALYac undetected 20170607
Arcabit undetected 20170607
Avast undetected 20170607
AVG undetected 20170606
AVware undetected 20170607
Baidu undetected 20170601
BitDefender undetected 20170607
Bkav undetected 20170607
CAT-QuickHeal undetected 20170607
ClamAV undetected 20170607
CMC undetected 20170607
Comodo undetected 20170607
CrowdStrike Falcon (ML) undetected 20170420
DrWeb undetected 20170607
Endgame undetected 20170515
ESET-NOD32 undetected 20170607
Sophos ML undetected 20170607
Jiangmin undetected 20170607
K7AntiVirus undetected 20170607
K7GW undetected 20170607
Kingsoft undetected 20170607
Malwarebytes undetected 20170607
McAfee undetected 20170607
McAfee-GW-Edition undetected 20170606
Microsoft undetected 20170607
eScan undetected 20170607
NANO-Antivirus undetected 20170607
nProtect undetected 20170607
Palo Alto Networks (Known Signatures) undetected 20170607
Rising undetected 20170607
SentinelOne (Static ML) undetected 20170516
Sophos AV undetected 20170607
SUPERAntiSpyware undetected 20170607
Symantec undetected 20170607
Symantec Mobile Insight undetected 20170606
Tencent undetected 20170607
TheHacker undetected 20170605
TotalDefense undetected 20170607
TrendMicro-HouseCall undetected 20170607
Trustlook undetected 20170607
VBA32 undetected 20170606
VIPRE undetected 20170607
ViRobot undetected 20170607
Webroot undetected 20170607
WhiteArmor undetected 20170601
Yandex undetected 20170606
Zillya undetected 20170606
Zoner undetected 20170607
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May open a file.
May write to a file.
May perform operations with other files.
May create OLE objects.
May enumerate open windows.
Seems to contain deobfuscation code.
Seems to contain code to deceive researchers and automatic analysis systems.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 20037 bytes
obfuscated open-file write-file
[+] Module1.bas word/vbaProject.bin VBA/Module1 7143 bytes
create-ole enum-windows obfuscated open-file
[+] Class1.cls word/vbaProject.bin VBA/Class1 820 bytes
obfuscated write-file
[+] Surre.cls word/vbaProject.bin VBA/Surre 320 bytes
[+] Module2.bas word/vbaProject.bin VBA/Module2 1655 bytes
exe-pattern create-ole
[+] Module3.bas word/vbaProject.bin VBA/Module3 26454 bytes
anti-analysis handle-file obfuscated open-file write-file
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator: 1
cp:lastModifiedBy: Derek
cp:revision: 2
dcterms:created: 2017-06-07T09:11:00Z
dcterms:modified: 2017-06-07T09:11:00Z
cp:contentStatus: Microsoft.XMLHTTPTUCKEAdodb.streaMTUCKEshell.ApplicationTUCKEWscript.shellTUCKEProcessTUCKEGeTTUCKETeMPTUCKETypeTUCKEopenTUCKEwriteTUCKEresponseBodyTUCKEsavetofileTUCKE\\krivokor.exe
Application document properties
Template: Normal.dotm
TotalTime: 1
Pages: 1
Words: 0
Characters: 0
Application: Microsoft Office Word
DocSecurity: 0
Lines: 0
Paragraphs: 0
ScaleCrop: false
vt:lpstr: Title
vt:i4: 1
vt:lpstr: Название
vt:i4: 1
LinksUpToDate: false
CharactersWithSpaces: 0
SharedDoc: false
HyperlinksChanged: false
AppVersion: 15.0000
Document languages (language, prevalence)
ru-ru 2
en-gb 1
en-us 1
ar-sa 1
ExifTool file metadata
SharedDoc: No
HyperlinksChanged: No
TitlesOfParts: ,
LinksUpToDate: No
LastModifiedBy: Derek
HeadingPairs: Title, 1, , 1
ZipFileName: [Content_Types].xml
Template: Normal.dotm
ZipRequiredVersion: 20
ModifyDate: 2017:06:07 09:11:00Z
ZipCRC: 0x7aec387e
Words: 0
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/vnd.ms-word.document.macroEnabled
ZipBitFlag: 0x0006
CreateDate: 2017:06:07 09:11:00Z
Lines: 0
AppVersion: 15.0
ZipUncompressedSize: 1453
ZipCompressedSize: 391
Characters: 0
CharactersWithSpaces: 0
DocSecurity: None
ZipModifyDate: 1980:01:01 00:00:00
FileType: DOCM
Application: Microsoft Office Word
TotalEditTime: 1 minute
ZipCompression: Deflated
Pages: 1
Creator: 1
FileTypeExtension: docm
Paragraphs: 0
ContentStatus: Microsoft.XMLHTTPTUCKEAdodb.streaMTUCKEshell.ApplicationTUCKEWscript.shellTUCKEProcessTUCKEGeTTUCKETeMPTUCKETypeTUCKEopenTUCKEwriteTUCKEresponseBodyTUCKEsavetofileTUCKE\krivokor.exe
The file being studied is a compressed stream. Details about the compressed contents follow.
Compression metadata
Contained files: 14
Uncompressed size: 160397
Highest datetime: 1980-01-01 00:00:00
Lowest datetime: 1980-01-01 00:00:00
Contained files by extension
xml: 10
bin: 1
Contained files by type
XML: 13
Microsoft Office: 1
Compressed bundles
File identification
MD5 9479dd52ee07dff074b57850dc8c0ea8
SHA1 b9d7f11b02e4f0bb1642fdb23efef45d57632627
SHA256 0a5028c02d400477edc016c5907b1be43670a53ee59691841d7d97291b19a1ef
ssdeep 1536:zyVWyLPkD0ouEeXpPxb+Tx5Wqk9VchBKneH:KdPkwpPx0zAVchB5H
File size 57.8 KB ( 59162 bytes )
File type Office Open XML Document
Magic literal Zip archive data, at least v2.0 to extract
TrID Word Microsoft Office Open XML Format document (with Macro) (53.0%)
Word Microsoft Office Open XML Format document (23.9%)
Open Packaging Conventions container (17.8%)
ZIP compressed archive (4.0%)
PrintFox/Pagefox bitmap (var. P) (1.0%)
Tags
obfuscated open-file enum-windows handle-file exe-pattern docx macros write-file anti-analysis create-ole

VirusTotal metadata
First submission 2017-06-07 09:12:44 UTC ( 1 year, 10 months ago )
Last submission 2017-06-07 09:12:44 UTC ( 1 year, 10 months ago )
File names 690UICEBVOFF735.docm