× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 106b4d87576a07cc74f8ba9519d9730b50dc7309e69d0e7764822af981d98e61
File name: zbetcheckin_tracker_f8c4d4fbd544289236317aa384584670
Detection ratio: 15 / 54
Analysis date: 2019-02-18 19:40:57 UTC ( 2 months ago ) View latest
Antivirus Result Update
BitDefender VB:Trojan.VBA.Agent.AFB 20190218
Emsisoft VB:Trojan.VBA.Agent.AFB (B) 20190218
Endgame malicious (high confidence) 20190215
Fortinet VBA/Agent.MPF!tr.dldr 20190218
GData VB:Trojan.VBA.Agent.AFB 20190218
Ikarus Trojan-Downloader.VBA.Agent 20190218
K7AntiVirus Trojan ( 00536d111 ) 20190218
K7GW Trojan ( 00536d111 ) 20190218
McAfee W97M/Downloader.gw 20190218
McAfee-GW-Edition BehavesLike.Downloader.fg 20190218
eScan VB:Trojan.VBA.Agent.AFB 20190218
Qihoo-360 virus.office.qexvmc.1080 20190218
SentinelOne (Static ML) static engine - malicious 20190203
Symantec ISB.Downloader!gen80 20190218
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20190218
Acronis 20190213
Ad-Aware 20190218
AegisLab 20190218
AhnLab-V3 20190218
Alibaba 20180921
ALYac 20190218
Antiy-AVL 20190218
Arcabit 20190218
Avast 20190218
Avast-Mobile 20190218
AVG 20190218
Avira (no cloud) 20190218
Babable 20180917
Baidu 20190214
CAT-QuickHeal 20190218
ClamAV 20190218
CMC 20190218
Comodo 20190218
CrowdStrike Falcon (ML) 20181023
Cybereason 20190109
Cylance 20190218
Cyren 20190218
DrWeb 20190218
eGambit 20190218
ESET-NOD32 20190218
F-Secure 20190218
Sophos ML 20181128
Jiangmin 20190218
Kaspersky 20190218
Kingsoft 20190218
Malwarebytes 20190218
MAX 20190218
Microsoft 20190218
NANO-Antivirus 20190218
Palo Alto Networks (Known Signatures) 20190218
Panda 20190218
Rising 20190218
Sophos AV 20190218
SUPERAntiSpyware 20190213
Symantec Mobile Insight 20190206
TACHYON 20190217
Tencent 20190218
TheHacker 20190217
TotalDefense 20190218
Trapmine 20190123
Trustlook 20190218
VBA32 20190218
VIPRE 20190218
ViRobot 20190218
Webroot 20190218
Yandex 20190215
Zoner 20190218
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to hide the viewer or other applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2019-02-18 19:54:00
revision_number
1
page_count
1
last_saved
2019-02-18 19:54:00
template
Normal.dotm
application_name
Microsoft Office Word
character_count
3
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
3
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
4160
type_literal
stream
sid
18
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
2
name
1Table
size
7514
type_literal
stream
sid
1
name
Data
size
129889
type_literal
stream
sid
17
name
Macros/PROJECT
size
424
type_literal
stream
sid
16
name
Macros/PROJECTwm
size
44
type_literal
stream
sid
11
type
macro
name
Macros/VBA/O98_63
size
88412
type_literal
stream
sid
12
name
Macros/VBA/_VBA_PROJECT
size
44229
type_literal
stream
sid
14
name
Macros/VBA/__SRP_0
size
1220
type_literal
stream
sid
15
name
Macros/VBA/__SRP_1
size
106
type_literal
stream
sid
9
name
Macros/VBA/__SRP_2
size
220
type_literal
stream
sid
10
name
Macros/VBA/__SRP_3
size
66
type_literal
stream
sid
8
type
macro (only attributes)
name
Macros/VBA/c76189
size
1104
type_literal
stream
sid
13
name
Macros/VBA/dir
size
536
type_literal
stream
sid
3
name
WordDocument
size
4096
Macros and VBA code streams
[+] O98_63.bas Macros/VBA/O98_63 52556 bytes
hide-app obfuscated
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
3

CreateDate
2019:02:18 18:54:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2019:02:18 18:54:00

Characters
3

CodePage
Windows Latin 1 (Western European)

RevisionNumber
1

MIMEType
application/msword

Words
0

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 f8c4d4fbd544289236317aa384584670
SHA1 695853da104df69760fdfa95cdbe6378399d1a1e
SHA256 106b4d87576a07cc74f8ba9519d9730b50dc7309e69d0e7764822af981d98e61
ssdeep
6144:9G5/BnVfRFJ7KK9aHScdX9znGU/GxiBOZ+7zkSUUiU:92n9R/lA5dX9znGUuxipoSUUiU

File size 300.0 KB ( 307200 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sun Feb 17 18:54:00 2019, Last Saved Time/Date: Sun Feb 17 18:54:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros hide-app doc

VirusTotal metadata
First submission 2019-02-18 19:40:57 UTC ( 2 months ago )
Last submission 2019-02-18 22:02:31 UTC ( 2 months ago )
File names ZPXX8692988053330_022019.doc
VVJ912988952_022019.doc
46223773599.doc
QCKK7245003564_022019.doc
emotet_e1_106b4d87576a07cc74f8ba9519d9730b50dc7309e69d0e7764822af981d98e61_2019-02-18__194502.doc
67081487_022019.doc
zbetcheckin_tracker_f8c4d4fbd544289236317aa384584670
9249199712568-19.doc
C10546661_022019.doc
735457420863-19.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!