× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 2c88a946b50144bc3a8d0ad503b4ab4d66a8d078835a50db18981a150ae9e129
File name: Status-zu-Sendung-278059554288.doc
Detection ratio: 15 / 59
Analysis date: 2018-12-05 12:10:12 UTC ( 1 month, 2 weeks ago ) View latest
Antivirus Result Update
AegisLab Trojan.MSWord.Generic.4!c 20181205
Arcabit HEUR.VBA.Trojan.e 20181205
Endgame malicious (high confidence) 20181108
GData Macro.Trojan-Downloader.Shallow.S 20181205
Ikarus Trojan.VBA.Agent 20181204
McAfee W97M/Downloader.ga 20181205
McAfee-GW-Edition BehavesLike.Downloader.cg 20181205
Microsoft Trojan:O97M/Sonbokli.A!cl 20181205
Qihoo-360 virus.office.qexvmc.1075 20181205
SentinelOne (Static ML) static engine - malicious 20181011
Symantec ISB.Downloader!gen172 20181205
TACHYON Suspicious/W97M.Obfus.Gen.6 20181205
Tencent Heur.Macro.Generic.Gen.h 20181205
ZoneAlarm by Check Point UDS:DangerousObject.Multi.Generic 20181205
Zoner Probably W97Obfuscated 20181205
Ad-Aware 20181205
AhnLab-V3 20181205
Alibaba 20180921
ALYac 20181205
Antiy-AVL 20181205
Avast 20181205
Avast-Mobile 20181205
AVG 20181205
Avira (no cloud) 20181205
Babable 20180918
Baidu 20181205
BitDefender 20181205
Bkav 20181203
CAT-QuickHeal 20181205
ClamAV 20181203
CMC 20181204
Comodo 20181205
CrowdStrike Falcon (ML) 20180202
Cybereason 20180308
Cylance 20181205
Cyren 20181205
DrWeb 20181205
eGambit 20181205
Emsisoft 20181205
ESET-NOD32 20181205
F-Prot 20181205
F-Secure 20181205
Fortinet 20181205
Sophos ML 20181128
Jiangmin 20181205
K7AntiVirus 20181205
K7GW 20181205
Kaspersky 20181204
Kingsoft 20181205
Malwarebytes 20181205
MAX 20181205
eScan 20181205
NANO-Antivirus 20181205
Palo Alto Networks (Known Signatures) 20181205
Panda 20181204
Rising 20181205
Sophos AV 20181205
SUPERAntiSpyware 20181205
Symantec Mobile Insight 20181204
TheHacker 20181202
Trapmine 20181128
TrendMicro 20181205
TrendMicro-HouseCall 20181205
Trustlook 20181205
VBA32 20181205
VIPRE 20181205
ViRobot 20181205
Webroot 20181205
Yandex 20181204
Zillya 20181204
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2018-12-05 09:20:00
revision_number
1
page_count
1
word_count
3
last_saved
2018-12-05 09:20:00
template
Normal.dotm
application_name
Microsoft Office Word
character_count
18
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
20
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
3008
type_literal
stream
sid
17
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
2
name
1Table
size
9325
type_literal
stream
sid
1
name
Data
size
81766
type_literal
stream
sid
16
name
Macros/PROJECT
size
403
type_literal
stream
sid
15
name
Macros/PROJECTwm
size
47
type_literal
stream
sid
11
name
Macros/VBA/_VBA_PROJECT
size
7176
type_literal
stream
sid
13
name
Macros/VBA/__SRP_0
size
1196
type_literal
stream
sid
14
name
Macros/VBA/__SRP_1
size
102
type_literal
stream
sid
9
name
Macros/VBA/__SRP_2
size
304
type_literal
stream
sid
10
name
Macros/VBA/__SRP_3
size
103
type_literal
stream
sid
12
name
Macros/VBA/dir
size
523
type_literal
stream
sid
8
type
macro
name
Macros/VBA/fqccqJYYpXCuhi
size
11503
type_literal
stream
sid
3
name
WordDocument
size
5166
Macros and VBA code streams
[+] fqccqJYYpXCuhi.cls Macros/VBA/fqccqJYYpXCuhi 5959 bytes
obfuscated run-file
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
20

CreateDate
2018:12:05 08:20:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2018:12:05 08:20:00

Characters
18

CodePage
Windows Latin 1 (Western European)

RevisionNumber
1

MIMEType
application/msword

Words
3

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 4117809fd33842a801bfcdb55809f269
SHA1 1aff054d8747b5f0076f34211ea85a7dd2497acc
SHA256 2c88a946b50144bc3a8d0ad503b4ab4d66a8d078835a50db18981a150ae9e129
ssdeep
1536:c81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9xv8PhcdU2:c8GhDS0o9zTGOZD6EbzCdjucdU2

File size 141.3 KB ( 144640 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 04 08:20:00 2018, Last Saved Time/Date: Tue Dec 04 08:20:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 18, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file attachment doc

VirusTotal metadata
First submission 2018-12-05 10:46:31 UTC ( 1 month, 2 weeks ago )
Last submission 2018-12-11 04:29:47 UTC ( 1 month, 1 week ago )
File names 2018_12Informationen_betreffend_Transaktion.doc
RE037021_0.doc
2018_12_3538002248.doc
Invoice.doc
Status-zu-Sendung-278059554288.doc
RE04432-75.doc
emotet_e2_2c88a946b50144bc3a8d0ad503b4ab4d66a8d078835a50db18981a150ae9e129_2018-12-05__12:05:28.doc
05_12_2018.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!