SHA256: 1f595dee4cd691174acf1898b62248cfd37aeebdad65c580f4c983277381b7d1
File name: Statement_SE8743.docm
Detection ratio: 8 / 58
Analysis date: 2017-04-07 08:23:57 UTC ( 1 year, 10 months ago )
Antivirus | Result | Update
Baidu | VBA.Trojan-Downloader.Agent.bae | 20170406
F-Secure | Trojan-Downloader:W97M/Dridex.Z | 20170407
NANO-Antivirus | Trojan.Ole2.Vbs-heuristic.druvzi | 20170407
Panda | O97M/Downloader | 20170406
Qihoo-360 | virus.office.obfuscated.1 | 20170407
Rising | Heur.Macro.Downloader.d (classic) | 20170407
TrendMicro | HEUR_VBA.O2 | 20170407
ZoneAlarm by Check Point | HEUR:Trojan-Downloader.Script.Generic | 20170407
Ad-Aware | - | 20170407
AegisLab | - | 20170407
AhnLab-V3 | - | 20170407
Alibaba | - | 20170407
ALYac | - | 20170407
Antiy-AVL | - | 20170407
Arcabit | - | 20170407
Avast | - | 20170407
AVG | - | 20170407
Avira (no cloud) | - | 20170407
AVware | - | 20170407
BitDefender | - | 20170407
CAT-QuickHeal | - | 20170407
ClamAV | - | 20170407
CMC | - | 20170407
Comodo | - | 20170407
CrowdStrike Falcon (ML) | - | 20170130
Cyren | - | 20170407
DrWeb | - | 20170407
Emsisoft | - | 20170407
Endgame | - | 20170407
ESET-NOD32 | - | 20170407
F-Prot | - | 20170407
Fortinet | - | 20170407
GData | - | 20170407
Ikarus | - | 20170407
Sophos ML | - | 20170203
Jiangmin | - | 20170407
K7AntiVirus | - | 20170407
K7GW | - | 20170407
Kaspersky | - | 20170407
Kingsoft | - | 20170407
Malwarebytes | - | 20170407
McAfee | - | 20170407
McAfee-GW-Edition | - | 20170407
Microsoft | - | 20170407
eScan | - | 20170407
nProtect | - | 20170407
Palo Alto Networks (Known Signatures) | - | 20170407
SentinelOne (Static ML) | - | 20170330
Sophos AV | - | 20170407
SUPERAntiSpyware | - | 20170407
Symantec | - | 20170406
Symantec Mobile Insight | - | 20170406
Tencent | - | 20170407
TheHacker | - | 20170406
TotalDefense | - | 20170407
TrendMicro-HouseCall | - | 20170407
Trustlook | - | 20170407
VBA32 | - | 20170406
VIPRE | - | 20170407
ViRobot | - | 20170407
Webroot | - | 20170407
WhiteArmor | - | 20170327
Yandex | - | 20170406
Zillya | - | 20170406
Zoner | - | 20170407
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May open a file.
May write to a file.
May perform operations with other files.
May inadvertently save the existing workbook.
May create OLE objects.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls  word/vbaProject.bin  VBA/ThisDocument  144 bytes  -- tags: obfuscated
[+] Module1.bas  word/vbaProject.bin  VBA/Module1  3735 bytes  -- tags: obfuscated open-file write-file
[+] Module2.bas  word/vbaProject.bin  VBA/Module2  4451 bytes  -- tags: exe-pattern create-ole handle-file obfuscated open-file write-file
[+] Module3.bas  word/vbaProject.bin  VBA/Module3  1748 bytes  -- tags: exe-pattern create-ole open-file save-workbook
[+] Rhhhh.cls  word/vbaProject.bin  VBA/Rhhhh  493 bytes  -- tags: obfuscated
Content types: bin, rels, png, xml
Package relationships: word/document.xml, docProps/app.xml, docProps/core.xml
Core document properties
dc:title: Rqavewbu
dc:creator: Bydxa Arsuqxex
cp:lastModifiedBy: 1
cp:revision: 2
dcterms:created: 2017-04-07T08:04:00Z
dcterms:modified: 2017-04-07T08:04:00Z
Application document properties
Template: Normal.dotm
TotalTime: 0
Pages: 1
Words: 0
Characters: 1
Application: Microsoft Office Word
DocSecurity: 0
Lines: 1
Paragraphs: 1
ScaleCrop: false
LinksUpToDate: false
CharactersWithSpaces: 1
SharedDoc: false
HyperlinksChanged: false
AppVersion: 16.0000
Document languages
Language | Prevalence
ru-ru | 3
en-us | 1
ar-sa | 1
ExifTool file metadata
SharedDoc: No
Title: Rqavewbu
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: 1
Application: Microsoft Office Word
ZipFileName: [Content_Types].xml
Template: Normal.dotm
ZipRequiredVersion: 20
ModifyDate: 2017:04:07 08:04:00Z
ZipCRC: 0x3f450766
Words: 0
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/vnd.ms-word.document.macroEnabled
ZipBitFlag: 0x0006
CreateDate: 2017:04:07 08:04:00Z
Lines: 1
AppVersion: 16.0
ZipUncompressedSize: 1503
ZipCompressedSize: 399
Characters: 1
CharactersWithSpaces: 1
DocSecurity: None
ZipModifyDate: 1980:01:01 00:00:00
FileType: DOCM
Creator: Bydxa Arsuqxex
TotalEditTime: 0
ZipCompression: Deflated
Pages: 1
FileTypeExtension: docm
Paragraphs: 1

The file being studied is a compressed stream. Details about the compressed contents follow.
Contained files
Compression metadata
Contained files: 15
Uncompressed size: 148532
Highest datetime: 1980-01-01 00:00:00
Lowest datetime: 1980-01-01 00:00:00
Contained files by extension
xml: 10
bin: 1
png: 1
Contained files by type
XML: 13
Microsoft Office: 1
PNG: 1
File identification
MD5: f86627a03c89d7494bb3b6ca28aa6348
SHA1: fd96b00b332b2bc40fbc54ae531f881ce00e7074
SHA256: 1f595dee4cd691174acf1898b62248cfd37aeebdad65c580f4c983277381b7d1
ssdeep: 1536:NO/wxFdTpigPmnZOs1hlZ/CAlcrehCt6GMKuIiAiiT9HvV:Cwx/N1O4wloAlf8thX+xipt
File size: 79.7 KB ( 81599 bytes )
File type: Office Open XML Document
Magic literal: Zip archive data, at least v2.0 to extract
TrID:
Word Microsoft Office Open XML Format document (with Macro) (53.0%)
Word Microsoft Office Open XML Format document (23.9%)
Open Packaging Conventions container (17.8%)
ZIP compressed archive (4.0%)
PrintFox/Pagefox bitmap (var. P) (1.0%)
Tags: obfuscated open-file exe-pattern handle-file save-workbook macros docx write-file create-ole

VirusTotal metadata
First submission: 2017-04-07 08:23:57 UTC ( 1 year, 10 months ago )
Last submission: 2018-05-30 05:31:49 UTC ( 8 months, 3 weeks ago )
File names:
MALICIOUS DOC
DRIDEX DOC DOWLOADER
1f595dee4cd691174acf1898b62248cfd37aeebdad65c580f4c983277381b7d1.doc
Statement_SE8743.docm