SHA256: 2e2707e76d66b04114de866ac63e7adb6f588953e7a74d7d2492dc443be460a3
File name: Cash__Disbursement__Report.doc
Detection ratio: 16 / 60
Analysis date: 2018-09-06 10:43:38 UTC ( 6 months, 2 weeks ago )
Antivirus Result Update
Avira (no cloud) HEUR/Macro.Downloader.AMCA.Gen 20180906
Baidu VBA.Trojan-Downloader.Agent.dah 20180906
DrWeb W97M.DownLoader.2987 20180906
Endgame malicious (high confidence) 20180730
ESET-NOD32 VBA/TrojanDownloader.Agent.KGQ 20180906
Fortinet VBA/Agent.6AFB!tr.dldr 20180906
Ikarus Trojan-Downloader.VBA.Agent 20180906
McAfee-GW-Edition BehavesLike.Downloader.fl 20180906
Microsoft Trojan:O97M/Sonbokli.A!cl 20180906
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20180906
SentinelOne (Static ML) static engine - malicious 20180830
Symantec W97M.Downloader 20180906
TACHYON Trojan/W97M.Agent.Gen 20180906
TrendMicro HEUR_VBA.O2 20180906
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20180906
Zoner Probably W97Obfuscated 20180905
Ad-Aware 20180906
AegisLab 20180906
AhnLab-V3 20180906
Alibaba 20180713
ALYac 20180906
Antiy-AVL 20180906
Arcabit 20180906
Avast 20180906
Avast-Mobile 20180906
AVG 20180906
AVware 20180906
Babable 20180902
BitDefender 20180906
Bkav 20180905
CAT-QuickHeal 20180906
ClamAV 20180906
CMC 20180905
Comodo 20180905
CrowdStrike Falcon (ML) 20180202
Cybereason 20180308
Cylance 20180906
Cyren 20180906
eGambit 20180906
Emsisoft 20180906
F-Prot 20180906
F-Secure 20180906
GData 20180906
Sophos ML 20180717
Jiangmin 20180906
K7AntiVirus 20180906
K7GW 20180906
Kaspersky 20180906
Kingsoft 20180906
Malwarebytes 20180906
MAX 20180906
McAfee 20180906
eScan 20180906
Palo Alto Networks (Known Signatures) 20180906
Panda 20180905
Qihoo-360 20180906
Rising 20180906
Sophos AV 20180906
SUPERAntiSpyware 20180906
Symantec Mobile Insight 20180905
Tencent 20180906
TheHacker 20180904
TrendMicro-HouseCall 20180906
Trustlook 20180906
VBA32 20180906
VIPRE 20180906
ViRobot 20180906
Webroot 20180906
Yandex 20180905
Zillya 20180906
The file being studied follows the Compound Document File format. More specifically, it is an MS Word document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: wbesco
creation_datetime: 2018-09-06 13:14:00
template: Normal.dotm
author: RCIBP-PC
page_count: 1
last_saved: 2018-09-06 03:16:00
word_count: 25423
application_name: Microsoft Office Word
edit_time: 60
comments: Etiam posuere quam ac quam. Maecenas aliquet accumsan leo. Nullam dapibus fermentum ipsum. Etiam quis quam. Integer lacinia. Nulla est. Nulla turpis magna, cursus sit amet, suscipit a, interdum id, felis. Integer vulputate sem a nibh rutrum consequat. Maecenas lorem. Pellentesque pretium.
revision_number: 2
keywords: lazy, left, mutating, none, nonmutating,optional, override, postfix, precedence, prefix, Protocol, required
title: UJCWWW
character_count: 144913
code_page: Latin I
subject: IZROCFC
Document summary
byte_count: 11000
company: --
characters_with_spaces: 169997
line_count: 1207
version: 1048576
paragraph_count: 339
code_page: Latin I
OLE Streams
name: Root Entry; clsid: 00020906-0000-0000-c000-000000000046; type_literal: root; clsid_literal: MS Word; sid: 0; size: 6336
type_literal: stream; sid: 13; name: \x01CompObj; size: 114
type_literal: stream; sid: 5; name: \x05DocumentSummaryInformation; size: 4096
type_literal: stream; sid: 4; name: \x05SummaryInformation; size: 4096
type_literal: stream; sid: 2; name: 1Table; size: 22094
type_literal: stream; sid: 1; name: Data; size: 53196
type_literal: stream; sid: 11; name: Macros/PROJECT; size: 367
type_literal: stream; sid: 12; name: Macros/PROJECTwm; size: 41
type_literal: stream; sid: 9; type: macro; name: Macros/VBA/ThisDocument; size: 2526
type_literal: stream; sid: 10; name: Macros/VBA/_VBA_PROJECT; size: 2625
type_literal: stream; sid: 8; name: Macros/VBA/dir; size: 512
type_literal: stream; sid: 3; name: WordDocument; size: 235054
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 566 bytes
create-ole obfuscated
ExifTool file metadata
SharedDoc: No
Author: RCIBP-PC
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: wbesco
HeadingPairs: Title, 1
Identification: Word 8.0
Template: Normal.dotm
CharCountWithSpaces: 169997
Word97: No
LanguageCode: English (US)
CompObjUserType: Microsoft Word 97-2003 Document
ModifyDate: 2018:09:06 01:16:00
TitleOfParts: UJCWWW
Company: --
Title: UJCWWW
Characters: 144913
CodePage: Windows Latin 1 (Western European)
RevisionNumber: 2
MIMEType: application/msword
Words: 25423
Lines: 1207
CreateDate: 2018:09:06 11:14:00
Bytes: 11000
AppVersion: 16.0
Security: None
Software: Microsoft Office Word
FileType: DOC
TotalEditTime: 1 minute
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 339
Keywords: lazy, left, mutating, none, nonmutating,optional, override, postfix, precedence, prefix, Protocol, required
LastPrinted: 0000:00:00 00:00:00
DocFlags: Has picture, 1Table, ExtChar
Subject: IZROCFC

File identification
MD5 ccc44f9ece151acc5d874732066f3327
SHA1 cec9f68cd79ddcd5b4d38fdfba768d71183fc2e9
SHA256 2e2707e76d66b04114de866ac63e7adb6f588953e7a74d7d2492dc443be460a3
ssdeep 6144:Fyfn1fVorQHVIPmJ8HmJ8HmJ8H8dMtLdWVmJxf3LfForQHVIPmJ8HmJ8HmJ8H8d0:uSDZBS9N

File size 324.5 KB ( 332288 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: UJCWWW, Subject: IZROCFC, Author: RCIBP-PC, Keywords: lazy, left, mutating, none, nonmutating,optional, override, postfix, precedence, prefix, Protocol, required, Comments: Etiam posuere quam ac quam. Maecenas aliquet accumsan leo. Nullam dapibus fermentum ipsum. Etiam quis quam. Integer lacinia. Nulla est. Nulla turpis magna, cursus sit amet, suscipit a, interdum id, felis. Integer vulputate sem a nibh rutrum consequat. Maecenas lorem. Pellentesque pretium., Template: Normal.dotm, Last Saved By: wbesco, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Sep 05 12:14:00 2018, Last Saved Time/Date: Wed Sep 05 02:16:00 2018, Number of Pages: 1, Number of Words: 25423, Number of Characters: 144913, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros doc create-ole

VirusTotal metadata
First submission 2018-09-06 05:23:07 UTC ( 6 months, 2 weeks ago )
Last submission 2018-09-06 05:23:07 UTC ( 6 months, 2 weeks ago )
File names Cash__Disbursement__Report.doc