SHA256: 1969f5bc5be1db820eff204504ba53efbf9ecd63a9b4af0b3f545586aec847ca
File name: resume.doc
Detection ratio: 13 / 55
Analysis date: 2017-05-31 11:04:17 UTC ( 1 year, 10 months ago )
Antivirus Result Update
AhnLab-V3 W97M/Downloader 20170531
Arcabit HEUR.VBA.Trojan.e 20170531
AVware LooksLike.Macro.Malware.gen!d2 (v) 20170531
ESET-NOD32 VBA/TrojanDownloader.Agent.DIA 20170531
Fortinet WM/Agent.28E6!tr.dldr 20170531
Kaspersky HEUR:Trojan.Script.Agent.gen 20170531
Microsoft Trojan:O97M/Madeba.A!det 20170531
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170531
Sophos AV Troj/DocDl-JDI 20170531
TrendMicro W2KM_POWLOAD.AUSJPW 20170531
TrendMicro-HouseCall W2KM_POWLOAD.AUSJPW 20170531
VIPRE LooksLike.Macro.Malware.gen!d2 (v) 20170531
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20170531
Ad-Aware 20170531
AegisLab 20170531
Alibaba 20170531
ALYac 20170530
Avast 20170531
AVG 20170531
Avira (no cloud) 20170531
Baidu 20170527
BitDefender 20170531
CAT-QuickHeal 20170531
ClamAV 20170531
CMC 20170531
Comodo 20170531
CrowdStrike Falcon (ML) 20170420
Cyren 20170531
DrWeb 20170531
Emsisoft 20170531
Endgame 20170515
F-Prot 20170531
F-Secure 20170531
GData 20170531
Ikarus 20170531
Sophos ML 20170519
Jiangmin 20170531
K7AntiVirus 20170531
K7GW 20170531
Kingsoft 20170531
Malwarebytes 20170531
McAfee 20170531
McAfee-GW-Edition 20170531
eScan 20170531
nProtect 20170531
Palo Alto Networks (Known Signatures) 20170531
Panda 20170530
Qihoo-360 20170531
Rising 20170531
SentinelOne (Static ML) 20170516
SUPERAntiSpyware 20170531
Symantec 20170531
Symantec Mobile Insight 20170531
Tencent 20170531
TheHacker 20170528
TotalDefense 20170531
Trustlook 20170531
VBA32 20170531
ViRobot 20170531
Webroot 20170531
WhiteArmor 20170524
Yandex 20170530
Zillya 20170530
Zoner 20170531
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author
admin
creation_datetime
2017-05-30 11:24:00
author
jeuduwlquiuh
title
Read please
page_count
1
last_saved
2017-05-30 11:24:00
revision_number
2
application_name
Microsoft Office Word
character_count
1
template
Normal.dotm
code_page
Cyrillic
subject
Information
Document summary
byte_count
87552
company
home
characters_with_spaces
1
line_count
1
version
1048576
paragraph_count
1
code_page
Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
8704
type_literal
stream
size
114
name
\x01CompObj
sid
21
type_literal
stream
size
4096
name
\x05DocumentSummaryInformation
sid
5
type_literal
stream
size
436
name
\x05SummaryInformation
sid
4
type_literal
stream
size
7475
name
1Table
sid
2
type_literal
stream
size
63842
name
Data
sid
1
type_literal
stream
size
529
name
Macros/PROJECT
sid
20
type_literal
stream
size
137
name
Macros/PROJECTwm
sid
19
type_literal
stream
size
11101
type
macro
name
Macros/VBA/DR3zrvT
sid
14
type_literal
stream
size
5292
type
macro
name
Macros/VBA/Fup1zmhqa
sid
13
type_literal
stream
size
1127
type
macro (only attributes)
name
Macros/VBA/ThisDocument
sid
8
type_literal
stream
size
10200
name
Macros/VBA/_VBA_PROJECT
sid
15
type_literal
stream
size
1880
name
Macros/VBA/__SRP_0
sid
17
type_literal
stream
size
206
name
Macros/VBA/__SRP_1
sid
18
type_literal
stream
size
348
name
Macros/VBA/__SRP_2
sid
9
type_literal
stream
size
106
name
Macros/VBA/__SRP_3
sid
10
type_literal
stream
size
708
name
Macros/VBA/dir
sid
16
type_literal
stream
size
2694
type
macro
name
Macros/VBA/gAqP2
sid
11
type_literal
stream
size
29133
type
macro
name
Macros/VBA/u6SEV0H
sid
12
type_literal
stream
size
4096
name
WordDocument
sid
3
Macros and VBA code streams
[+] gAqP2.bas Macros/VBA/gAqP2 869 bytes
[+] u6SEV0H.bas Macros/VBA/u6SEV0H 13156 bytes
[+] Fup1zmhqa.bas Macros/VBA/Fup1zmhqa 2113 bytes
run-file
[+] DR3zrvT.bas Macros/VBA/DR3zrvT 4834 bytes
obfuscated
ExifTool file metadata
SharedDoc
No

Author
jeuduwlquiuh

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
admin

HeadingPairs
, 1

Template
Normal.dotm

CharCountWithSpaces
1

CreateDate
2017:05:30 10:24:00

CompObjUserType
???????? Microsoft Word 97-2003

ModifyDate
2017:05:30 10:24:00

Company
home

Title
Read please

Characters
1

CodePage
Windows Cyrillic

RevisionNumber
2

MIMEType
application/msword

Words
0

Bytes
87552

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

Subject
Information

Compressed bundles
File identification
MD5 33a97f0e45222d5910b2b8589482bedb
SHA1 f4dae27d157d7d601765d3426fff04b5f82d115b
SHA256 1969f5bc5be1db820eff204504ba53efbf9ecd63a9b4af0b3f545586aec847ca
ssdeep
3072:Gou9YlI6eHSxu05u6zEHD5+kQfGefTlwah6I:s9E3BFgDdQfGerl

File size 151.5 KB ( 155136 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: Read please, Subject: Information, Author: jeuduwlquiuh, Template: Normal.dotm, Last Saved By: admin, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon May 29 10:24:00 2017, Last Saved Time/Date: Mon May 29 10:24:00 2017, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc

VirusTotal metadata
First submission 2017-05-31 11:04:17 UTC ( 1 year, 10 months ago )
Last submission 2017-05-31 11:53:57 UTC ( 1 year, 10 months ago )
File names ZYKLON MALICIOUS DOC DOWNLOADER
resume.doc
resume.doc