SHA256: 1d0c9c9f9ccf9a37ac22bc0638e1b2a1349e61b04fa366418a7a74c2b13ab251
File name: BookingConfirmation_61429_a9c32xv4@tamagothi.de.doc
Detection ratio: 31 / 52
Analysis date: 2016-12-15 11:59:07 UTC ( 10 months, 1 week ago )
Antivirus Result Update
Ad-Aware W97m.Downloader.EWQ 20161215
AegisLab HERU.VBA.8okc 20161215
AhnLab-V3 VBA/Malma 20161215
ALYac W97m.Downloader.EWO 20161215
Antiy-AVL Trojan[Downloader]/MSWord.Agent.cfa 20161215
Arcabit W97m.Downloader.EWQ 20161215
AVG W97M/Downloader 20161215
Avira (no cloud) W2000M/Dldr.Agent.AM.112570 20161215
BitDefender W97m.Downloader.EWQ 20161215
ClamAV Xls.Dropper.Agent-1889576 20161215
Cyren PP97M/Agent 20161215
DrWeb W97M.DownLoader.1325 20161215
Emsisoft W97m.Downloader.EWQ (B) 20161215
ESET-NOD32 VBA/TrojanDownloader.Agent.CFA 20161215
F-Prot New or modified PP97M/Agent 20161215
F-Secure Trojan:W97M/MaliciousMacro.GEN 20161215
Fortinet Malware_Generic.P0 20161215
GData W97m.Downloader.EWQ 20161215
Kaspersky HEUR:Trojan-Downloader.Script.Generic 20161215
McAfee W97M/Downloader.brv 20161215
McAfee-GW-Edition W97M/Downloader.brv 20161215
Microsoft TrojanDownloader:O97M/Donoff 20161215
eScan W97m.Downloader.EWQ 20161215
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20161215
Panda VBS/Jenxcus.A 20161214
Qihoo-360 virus.office.obfuscated.1 20161215
Rising Trojan.DL-Generic/Macro!1.A4C9 (classic) 20161215
Sophos AV Troj/DocDl-GDO 20161215
Symantec W97M.Downloader.M 20161215
Tencent Macro.Trojan.Dropperd.Auto 20161215
TrendMicro-HouseCall W2KM_LO.F7D92464 20161215
Alibaba 20161215
Avast 20161215
AVware 20161215
Baidu 20161207
CAT-QuickHeal 20161215
CMC 20161215
Comodo 20161215
CrowdStrike Falcon (ML) 20161024
Sophos ML 20161202
Jiangmin 20161215
K7AntiVirus 20161215
K7GW 20161215
Kingsoft 20161215
Malwarebytes 20161215
nProtect 20161215
SUPERAntiSpyware 20161215
TheHacker 20161214
Trustlook 20161215
VBA32 20161215
VIPRE 20161215
ViRobot 20161215
WhiteArmor 20161212
Yandex 20161214
Zillya 20161214
Zoner 20161215
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Macros and VBA code streams
ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 774 bytes
Module1.bas word/vbaProject.bin VBA/Module1 751 bytes
obfuscated run-file
Module2.bas word/vbaProject.bin VBA/Module2 3872 bytes
exe-pattern create-ole handle-file obfuscated open-file write-file
Module3.bas word/vbaProject.bin VBA/Module3 1796 bytes
obfuscated
Module4.bas word/vbaProject.bin VBA/Module4 574 bytes
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
creator
1
lastModifiedBy
1
revision
2
created
2016-12-14T08:42:00Z
modified
2016-12-14T08:42:00Z
Application document properties
Template
Normal.dotm
TotalTime
0
Pages
1
Words
0
Characters
0
Application
Microsoft Office Word
DocSecurity
0
Lines
0
Paragraphs
0
ScaleCrop
false
LinksUpToDate
false
CharactersWithSpaces
0
SharedDoc
false
HyperlinksChanged
false
AppVersion
16.0000
Document languages
Language
Prevalence
ru-ru
2
en-us
1
ar-sa
1
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
1

HeadingPairs
, 1

ZipFileName
[Content_Types].xml

Template
Normal.dotm

ZipRequiredVersion
20

ModifyDate
2016:12:14 08:42:00Z

ZipCRC
0x7aec387e

Words
0

ScaleCrop
No

RevisionNumber
2

MIMEType
application/vnd.ms-word.document.macroEnabled

ZipBitFlag
0x0006

CreateDate
2016:12:14 08:42:00Z

Lines
0

AppVersion
16.0

ZipUncompressedSize
1453

ZipCompressedSize
391

Characters
0

CharactersWithSpaces
0

DocSecurity
None

ZipModifyDate
1980:01:01 00:00:00

FileType
DOCM

Application
Microsoft Office Word

TotalEditTime
0

ZipCompression
Deflated

Pages
1

Creator
1

FileTypeExtension
docm

Paragraphs
0

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files
14
Uncompressed size
82015
Highest datetime
1980-01-01 00:00:00
Lowest datetime
1980-01-01 00:00:00
Contained files by extension
xml
10
bin
1
Contained files by type
XML
13
Microsoft Office
1
File identification
MD5 4765b5aea4e0475812f403d735d064ea
SHA1 3bd0d1305c06b60bfd1e6d2d241b5205978fe0d3
SHA256 1d0c9c9f9ccf9a37ac22bc0638e1b2a1349e61b04fa366418a7a74c2b13ab251
ssdeep
384:/imt4WmCPEEMxG8bJkAH+WssGv/kWhTavSw7dSdUnKI5EwLfxl1JLHXBJ6:/L43I8VBzCv/WvFIUnKSrLfxl1Vi

File size 26.4 KB ( 27012 bytes )
File type Office Open XML Document
Magic literal
Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (65.4%)
Word Microsoft Office Open XML Format document (29.5%)
ZIP compressed archive (5.0%)
Tags
obfuscated open-file exe-pattern handle-file run-file macros docx attachment write-file create-ole

VirusTotal metadata
First submission 2016-12-14 13:01:06 UTC ( 10 months, 1 week ago )
Last submission 2016-12-23 09:52:27 UTC ( 10 months ago )
File names BookingConfirmation_51050_hewf@ghac.cn.doc