× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 1810863a184a900ebfd24c94f4008ecae4c9ff4549d18af97ebb5d5e4ff877e3
File name: 20158878
Detection ratio: 22 / 60
Analysis date: 2018-12-05 04:11:18 UTC ( 5 months, 2 weeks ago ) View latest
Antivirus Result Update
Ad-Aware VB:Trojan.VBA.Agent.ABR 20181205
Arcabit HEUR.VBA.Trojan.e 20181205
BitDefender VB:Trojan.VBA.Agent.ABR 20181205
Emsisoft VB:Trojan.VBA.Agent.ABR (B) 20181204
Endgame malicious (high confidence) 20181108
ESET-NOD32 VBA/TrojanDownloader.Agent.LQE 20181205
F-Secure VB:Trojan.Agent.DKSU 20181204
Fortinet VBA/Agent.LPT!tr.dldr 20181204
GData Macro.Trojan-Downloader.Shallow.S 20181204
Ikarus Trojan.VBA.Agent 20181204
MAX malware (ai score=84) 20181205
McAfee W97M/Downloader.ga 20181204
McAfee-GW-Edition BehavesLike.Downloader.cg 20181204
Microsoft Trojan:O97M/Sonbokli.A!cl 20181204
eScan VB:Trojan.VBA.Agent.ABR 20181205
Qihoo-360 virus.office.qexvmc.1075 20181205
SentinelOne (Static ML) static engine - malicious 20181011
Symantec ISB.Downloader!gen172 20181205
TACHYON Suspicious/W97M.Obfus.Gen.6 20181204
Tencent Heur.Macro.Generic.Gen.h 20181205
ZoneAlarm by Check Point UDS:DangerousObject.Multi.Generic 20181205
Zoner Probably W97Obfuscated 20181205
AegisLab 20181205
AhnLab-V3 20181204
Alibaba 20180921
ALYac 20181205
Antiy-AVL 20181205
Avast 20181205
Avast-Mobile 20181204
AVG 20181205
Avira (no cloud) 20181205
Babable 20180918
Baidu 20181204
Bkav 20181203
CAT-QuickHeal 20181204
ClamAV 20181203
CMC 20181204
Comodo 20181204
CrowdStrike Falcon (ML) 20181022
Cybereason 20180308
Cylance 20181205
Cyren 20181204
DrWeb 20181204
eGambit 20181205
F-Prot 20181204
Sophos ML 20181128
Jiangmin 20181204
K7AntiVirus 20181204
K7GW 20181204
Kaspersky 20181204
Kingsoft 20181205
Malwarebytes 20181204
NANO-Antivirus 20181205
Palo Alto Networks (Known Signatures) 20181205
Panda 20181204
Rising 20181205
Sophos AV 20181205
SUPERAntiSpyware 20181128
Symantec Mobile Insight 20181204
TheHacker 20181202
TotalDefense 20181205
Trapmine 20181128
TrendMicro 20181205
TrendMicro-HouseCall 20181205
Trustlook 20181205
VBA32 20181204
VIPRE 20181205
ViRobot 20181205
Webroot 20181205
Yandex 20181204
Zillya 20181204
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2018-12-04 23:37:00
revision_number
1
page_count
1
word_count
5
last_saved
2018-12-04 23:37:00
template
Normal.dotm
application_name
Microsoft Office Word
character_count
34
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
38
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
2944
type_literal
stream
sid
17
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
2
name
1Table
size
9318
type_literal
stream
sid
1
name
Data
size
81766
type_literal
stream
sid
16
name
Macros/PROJECT
size
390
type_literal
stream
sid
15
name
Macros/PROJECTwm
size
35
type_literal
stream
sid
11
name
Macros/VBA/_VBA_PROJECT
size
9627
type_literal
stream
sid
13
name
Macros/VBA/__SRP_0
size
1192
type_literal
stream
sid
14
name
Macros/VBA/__SRP_1
size
102
type_literal
stream
sid
9
name
Macros/VBA/__SRP_2
size
304
type_literal
stream
sid
10
name
Macros/VBA/__SRP_3
size
103
type_literal
stream
sid
12
name
Macros/VBA/dir
size
510
type_literal
stream
sid
8
type
macro
name
Macros/VBA/jiQRQjsicS
size
14604
type_literal
stream
sid
3
name
WordDocument
size
5166
Macros and VBA code streams
[+] jiQRQjsicS.cls Macros/VBA/jiQRQjsicS 9037 bytes
obfuscated run-file
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
38

CreateDate
2018:12:04 22:37:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2018:12:04 22:37:00

Characters
34

CodePage
Windows Latin 1 (Western European)

RevisionNumber
1

MIMEType
application/msword

Words
5

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 82244ce535ed13284ba6531ca85c2ef5
SHA1 40f1eb24216ab2ce0273015afeb0d9062ab60922
SHA256 1810863a184a900ebfd24c94f4008ecae4c9ff4549d18af97ebb5d5e4ff877e3
ssdeep
1536:181ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9wEWeafGL8w5CV+9:18GhDS0o9zTGOZD6EbzCdXW2YjW

File size 145.5 KB ( 148992 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 03 22:37:00 2018, Last Saved Time/Date: Mon Dec 03 22:37:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 34, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc

VirusTotal metadata
First submission 2018-12-05 04:11:18 UTC ( 5 months, 2 weeks ago )
Last submission 2018-12-11 02:25:28 UTC ( 5 months, 2 weeks ago )
File names Invoice Confirmation CG6137.doc
emotet_e2_1810863a184a900ebfd24c94f4008ecae4c9ff4549d18af97ebb5d5e4ff877e3_2018-12-05__04:10:31.doc
Latest invoice - 050575.doc
FILE42549.doc
20158878
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!