SHA256: 34fc30a2186fcdab2701153db4bc36c20d3e8cf99f18e9cad7b454cbcfa142ff
File name: 9ece9d4bc177b95cb4e0c7d322b5c9a6
Detection ratio: 9 / 55
Analysis date: 2016-09-30 09:11:19 UTC ( 2 years, 6 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.d 20160930
Baidu VBA.Trojan-Downloader.Agent.ath 20160930
F-Secure Trojan:W97M/MaliciousMacro.GEN 20160930
Fortinet WM/Agent.BRC!tr.dldr 20160930
McAfee W97M/Downloader.boj 20160930
Panda VBS/Jenxcus.A 20160929
Qihoo-360 virus.office.obfuscated.1 20160930
Rising Heur.Macro.Downloader.d (classic) 20160930
Tencent Macro.Trojan.Dropperd.Auto 20160930
Ad-Aware 20160930
AegisLab 20160930
AhnLab-V3 20160930
Alibaba 20160930
ALYac 20160930
Antiy-AVL 20160930
Avast 20160930
AVG 20160930
Avira (no cloud) 20160930
AVware 20160930
BitDefender 20160930
Bkav 20160930
CAT-QuickHeal 20160930
ClamAV 20160930
CMC 20160930
Comodo 20160930
Cyren 20160930
DrWeb 20160930
Emsisoft 20160930
ESET-NOD32 20160930
F-Prot 20160926
GData 20160930
Ikarus 20160930
Jiangmin 20160930
K7AntiVirus 20160930
K7GW 20160930
Kaspersky 20160930
Kingsoft 20160930
Malwarebytes 20160930
McAfee-GW-Edition 20160929
Microsoft 20160930
eScan 20160930
NANO-Antivirus 20160930
nProtect 20160930
Sophos AV 20160930
SUPERAntiSpyware 20160930
Symantec 20160930
TheHacker 20160930
TrendMicro 20160930
TrendMicro-HouseCall 20160930
VBA32 20160929
VIPRE 20160930
ViRobot 20160930
Yandex 20160929
Zillya 20160929
Zoner 20160930
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May try to run other files, shell commands or applications.
May create OLE objects.
May enumerate open windows.
Seems to contain deobfuscation code.
Macros and VBA code streams
ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 44 bytes
Module1.bas word/vbaProject.bin VBA/Module1 10201 bytes
exe-pattern url-pattern create-ole enum-windows handle-file obfuscated open-file run-file write-file
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator: 1
cp:lastModifiedBy: 1
cp:revision: 2
dcterms:created: 2016-09-30T06:04:00Z
dcterms:modified: 2016-09-30T06:04:00Z
Application document properties
Template: Normal.dotm
TotalTime: 0
Pages: 1
Words: 0
Characters: 0
Application: Microsoft Office Word
DocSecurity: 0
Lines: 0
Paragraphs: 0
ScaleCrop: false
vt:lpstr: Название
vt:i4: 1
LinksUpToDate: false
CharactersWithSpaces: 0
SharedDoc: false
HyperlinksChanged: false
AppVersion: 16.0000
Document languages
Language Prevalence
ru-ru 2
en-us 1
ar-sa 1
ExifTool file metadata
SharedDoc: No
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: 1
HeadingPairs: , 1
ZipFileName: [Content_Types].xml
Template: Normal.dotm
ZipRequiredVersion: 20
ModifyDate: 2016:09:30 06:04:00Z
ZipCRC: 0x7aec387e
Words: 0
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/vnd.ms-word.document.macroEnabled
ZipBitFlag: 0x0006
CreateDate: 2016:09:30 06:04:00Z
Lines: 0
AppVersion: 16.0
ZipUncompressedSize: 1453
ZipCompressedSize: 391
Characters: 0
CharactersWithSpaces: 0
DocSecurity: None
ZipModifyDate: 1980:01:01 00:00:00
FileType: DOCM
Application: Microsoft Office Word
TotalEditTime: 0
ZipCompression: Deflated
Pages: 1
Creator: 1
FileTypeExtension: docm
Paragraphs: 0

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files: 14
Uncompressed size: 80501
Highest datetime: 1980-01-01 00:00:00
Lowest datetime: 1980-01-01 00:00:00
Contained files by extension
xml: 10
bin: 1
Contained files by type
XML: 13
Microsoft Office: 1
Compressed bundles
File identification
MD5 c5dfadeff8990a2dad9f6e6e322fecb0
SHA1 78dd86656f3ada4e1cc301765163091c83b2c955
SHA256 34fc30a2186fcdab2701153db4bc36c20d3e8cf99f18e9cad7b454cbcfa142ff
ssdeep 384:/imtBYp29cxV4Ln/5Ntye2/UxcG8bAnyHhYFWSdrvI5EwLfxl1OiCHXBJb:/LfcMft/czAn8IdrSrLfxl1Wz

File size 26.3 KB ( 26974 bytes )
File type Office Open XML Document
Magic literal Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.0%)
Word Microsoft Office Open XML Format document (23.9%)
Open Packaging Conventions container (17.8%)
ZIP compressed archive (4.0%)
PrintFox/Pagefox bitmap (var. P) (1.0%)
Tags
obfuscated open-file enum-windows exe-pattern handle-file url-pattern run-file macros docx attachment write-file create-ole

VirusTotal metadata
First submission 2016-09-30 09:11:19 UTC ( 2 years, 6 months ago )
Last submission 2016-12-02 13:53:21 UTC ( 2 years, 4 months ago )
File names Receipt 650-66607.doc
Receipt 92-337.doc
9ece9d4bc177b95cb4e0c7d322b5c9a6
Receipt 89398-321634.doc
Receipt48-200.doc
Receipt 496-707.doc
Receipt 84-5987.doc
Receipt 7645-148.doc
Receipt 56445-411922.doc
de1047ce5b64227ab9e1b8a602cb0a4f
Receipt 33059-706.doc
mime006.doc
Receipt 650-66607.doc
Receipt 0636-824.doc
Receipt 65245-394.doc
Receipt13388-73272.doc