SHA256: 1348b42e0ccc4f14ec10579975acd11e98337f2e2ce2cb7e7d8aa53240fcc95b
File name: email_message.doc.txt
Detection ratio: 33 / 55
Analysis date: 2015-06-30 10:54:20 UTC ( 3 years, 8 months ago )
Antivirus Result Update
Ad-Aware W97M.Downloader.SJ 20150630
AhnLab-V3 W97M/Dropper 20150630
ALYac W97M.Downloader.SJ 20150630
Arcabit W97M.Downloader.SJ 20150630
Avast VBA:Downloader-FJ [Trj] 20150630
AVG Generic13_c.YBO 20150630
Avira (no cloud) W97M/Downloader.SJ 20150630
AVware Trojan.OOXML.Generic.a (v) 20150630
BitDefender W97M.Downloader.SJ 20150630
Comodo TrojWare.MSWord.Agent.~A 20150630
Cyren PP97M/DropExe.C.gen 20150630
DrWeb W97M.MulDrop.53 20150630
Emsisoft W97M.Downloader.SJ (B) 20150630
ESET-NOD32 VBS/TrojanDropper.Agent.NCV 20150630
F-Prot PP97M/DropExe.C.gen 20150630
F-Secure W97M.Downloader.SJ 20150630
Fortinet WM/Agent!tr 20150630
GData W97M.Downloader.SJ 20150630
Ikarus Trojan-Downloader.VBA.Agent 20150630
Kaspersky Trojan-Downloader.MSWord.Agent.nf 20150630
McAfee W97M/Dropper.n 20150630
McAfee-GW-Edition W97M/Dropper.n 20150630
Microsoft TrojanDropper:VBS/Fareit 20150630
eScan W97M.Downloader.SJ 20150630
nProtect W97M.Downloader.SJ 20150630
Qihoo-360 macro.office.07vba.gen.307e 20150630
Sophos AV Troj/DocDrop-EX 20150630
Symantec W97M.Downloader 20150630
Tencent Word.Trojan-downloader.Agent.Hoom 20150630
TrendMicro W2KM_BARTALEX.R 20150630
TrendMicro-HouseCall W2KM_BARTALEX.R 20150630
VIPRE Trojan.OOXML.Generic.a (v) 20150630
ViRobot W97M.S.Downloader.171691[h] 20150630
AegisLab 20150630
Yandex 20150629
Alibaba 20150630
Antiy-AVL 20150630
Baidu-International 20150630
Bkav 20150629
ByteHero 20150630
CAT-QuickHeal 20150630
ClamAV 20150630
Jiangmin 20150629
K7AntiVirus 20150630
K7GW 20150630
Kingsoft 20150630
Malwarebytes 20150630
NANO-Antivirus 20150630
Panda 20150630
Rising 20150630
SUPERAntiSpyware 20150630
TheHacker 20150630
VBA32 20150630
Zillya 20150630
Zoner 20150630
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 2114 bytes
exe-pattern create-file create-ole obfuscated run-file
[+] NewMacros.bas word/vbaProject.bin VBA/NewMacros 2267 bytes
exe-pattern create-file create-ole obfuscated run-file
[+] UserForm1.frm word/vbaProject.bin VBA/UserForm1 38 bytes
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator
my
cp:lastModifiedBy
my
cp:revision
18
dcterms:created
2015-06-24T11:31:00Z
dcterms:modified
2015-06-24T12:41:00Z
Application document properties
Template
Normal.dotm
TotalTime
14
Pages
1
Words
72
Characters
378
Application
Microsoft Office Word
DocSecurity
0
Lines
3
Paragraphs
1
ScaleCrop
false
LinksUpToDate
false
CharactersWithSpaces
449
SharedDoc
false
HyperlinksChanged
false
AppVersion
12.0000
Document languages
Language
Prevalence
ru-ru
3
ja-jp
1
en-us
1
ar-sa
1
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
my

Application
Microsoft Office Word

ZipFileName
[Content_Types].xml

Template
Normal.dotm

ZipRequiredVersion
20

ModifyDate
2015:06:24 12:41:00Z

ZipCRC
0x44161d52

Words
72

ScaleCrop
No

RevisionNumber
18

MIMEType
application/vnd.ms-word.document.macroEnabled

ZipBitFlag
0x0006

CreateDate
2015:06:24 11:31:00Z

Lines
3

AppVersion
12.0

ZipUncompressedSize
1586

ZipCompressedSize
424

Characters
378

CharactersWithSpaces
449

DocSecurity
None

ZipModifyDate
1980:01:01 00:00:00

FileType
DOCM

Creator
my

TotalEditTime
14 minutes

ZipCompression
Deflated

Pages
1

FileTypeExtension
docm

Paragraphs
1

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files
15
Uncompressed size
312860
Highest datetime
1980-01-01 00:00:00
Lowest datetime
1980-01-01 00:00:00
Contained files by extension
xml
11
bin
1
Contained files by type
XML
14
Microsoft Office
1
Compressed bundles
File identification
MD5 26185bf0c06d8419c09c76a0959d2b85
SHA1 c26b37b7c5839f03b20cbf5bf291d4645b00c08b
SHA256 1348b42e0ccc4f14ec10579975acd11e98337f2e2ce2cb7e7d8aa53240fcc95b
ssdeep
3072:qWkBUFeKlM55zwe9qt4QthF1jP8vNAnCSYgQdTgVa1umyhOS6oDuUPvtez+ApAgu:XkqhM5XqRXT6NjyQNgVaEsWua4HuY2

File size 167.7 KB ( 171691 bytes )
File type Office Open XML Document
Magic literal
Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.0%)
Word Microsoft Office Open XML Format document (23.9%)
Open Packaging Conventions container (17.8%)
ZIP compressed archive (4.0%)
PrintFox/Pagefox bitmap (var. P) (1.0%)
Tags
obfuscated run-file exe-pattern create-file docx macros attachment create-ole

VirusTotal metadata
First submission 2015-06-24 13:40:15 UTC ( 3 years, 9 months ago )
Last submission 2016-04-26 23:13:38 UTC ( 2 years, 10 months ago )
File names email_message.doc
20150624.email_message.doc
26185BF0C06D8419C09C76A0959D2B85 - doc
email_messagevirus.doc
attachment.c26b37b7c5839f03b20cbf5bf291d4645b00c08b.doc
do not open this email_message.doc
16354bd4c91bcb1d05fb865607ac3676
email_message 18.40.54.doc
email_message.doc
email_message.doc
VIRUS.email_message.doc
email_message.doc.txt
email_message-1.doc
email_message.docx
0003_.b64.zip
email_message.cccc
spam.doc