SHA256: 358087e8d96e739f87410a091aff4c19bd11867de7f817442f7729b653e3e749
File name: Sarah-Resume.doc
Detection ratio: 7 / 57
Analysis date: 2017-04-12 05:08:06 UTC ( 1 year, 10 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20170412
AVware LooksLike.Macro.Malware.gen!d2 (v) 20170410
Kaspersky HEUR:Trojan.Script.Agent.gen 20170412
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170412
TrendMicro-HouseCall Suspicious_GEN.F47V0412 20170412
VIPRE LooksLike.Macro.Malware.gen!d2 (v) 20170412
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20170412
Ad-Aware 20170412
AegisLab 20170411
AhnLab-V3 20170411
Alibaba 20170412
ALYac 20170412
Antiy-AVL 20170412
Avast 20170412
AVG 20170412
Avira (no cloud) 20170412
Baidu 20170411
BitDefender 20170412
Bkav 20170411
CAT-QuickHeal 20170411
ClamAV 20170411
CMC 20170412
Comodo 20170412
CrowdStrike Falcon (ML) 20170130
Cyren 20170412
DrWeb 20170412
Emsisoft 20170412
Endgame 20170411
ESET-NOD32 20170412
F-Prot 20170412
F-Secure 20170412
Fortinet 20170412
GData 20170412
Ikarus 20170411
Sophos ML 20170203
Jiangmin 20170412
K7AntiVirus 20170411
K7GW 20170412
Kingsoft 20170412
Malwarebytes 20170412
McAfee 20170412
McAfee-GW-Edition 20170412
Microsoft 20170411
eScan 20170412
nProtect 20170412
Palo Alto Networks (Known Signatures) 20170412
Panda 20170411
Qihoo-360 20170412
Rising 20170412
SentinelOne (Static ML) 20170330
Sophos AV 20170412
SUPERAntiSpyware 20170412
Symantec 20170411
Symantec Mobile Insight 20170412
Tencent 20170412
TheHacker 20170410
TotalDefense 20170410
TrendMicro 20170412
Trustlook 20170412
VBA32 20170410
ViRobot 20170412
Webroot 20170412
WhiteArmor 20170409
Yandex 20170411
Zillya 20170411
Zoner 20170412
The file being studied follows the Compound Document File format! More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
Automatically runs commands or instructions when the file is opened.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author: Matt
creation_datetime: 2017-04-11 15:15:00
revision_number: 11
author: gbjyalvsumwzd
page_count: 1
last_saved: 2017-04-11 20:56:00
edit_time: 2640
word_count: 15
template: Normal
application_name: Microsoft Office Word
character_count: 87
code_page: Latin I
Document summary
line_count: 1
characters_with_spaces: 101
version: 917504
paragraph_count: 1
code_page: Latin I
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 9728
type_literal: stream, sid: 23, name: \x01CompObj, size: 114
type_literal: stream, sid: 4, name: \x05DocumentSummaryInformation, size: 4096
type_literal: stream, sid: 3, name: \x05SummaryInformation, size: 416
type_literal: stream, sid: 1, name: 1Table, size: 7577
type_literal: stream, sid: 19, name: Macros/Hammy/\x01CompObj, size: 97
type_literal: stream, sid: 20, name: Macros/Hammy/\x03VBFrame, size: 288
type_literal: stream, sid: 17, name: Macros/Hammy/f, size: 90
type_literal: stream, sid: 18, name: Macros/Hammy/o, size: 368
type_literal: stream, sid: 21, name: Macros/PROJECT, size: 590
type_literal: stream, sid: 22, name: Macros/PROJECTwm, size: 89
type_literal: stream, sid: 12, type: macro (only attributes), name: Macros/VBA/Hammy, size: 1175
type_literal: stream, sid: 13, type: macro, name: Macros/VBA/NewMacros, size: 8597
type_literal: stream, sid: 14, type: macro (only attributes), name: Macros/VBA/ThisDocument, size: 938
type_literal: stream, sid: 15, name: Macros/VBA/_VBA_PROJECT, size: 3663
type_literal: stream, sid: 11, name: Macros/VBA/dir, size: 860
type_literal: stream, sid: 7, name: MsoDataStore/S\xc6B\xd4J\xc8N\xd9\xc6UW\xc63F\xc8P0\xd9DN\xcdA==/Item, size: 218
type_literal: stream, sid: 8, name: MsoDataStore/S\xc6B\xd4J\xc8N\xd9\xc6UW\xc63F\xc8P0\xd9DN\xcdA==/Properties, size: 341
type_literal: stream, sid: 2, name: WordDocument, size: 4096
Macros and VBA code streams
NewMacros.bas Macros/VBA/NewMacros 5279 bytes
auto-open obfuscated run-file
ExifTool file metadata
SharedDoc: No
Author: gbjyalvsumwzd
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: Matt
HeadingPairs: Title, 1
Template: Normal
CharCountWithSpaces: 101
CreateDate: 2017:04:11 14:15:00
CompObjUserType: Microsoft Word 97-2003 Document
ModifyDate: 2017:04:11 19:56:00
Characters: 87
CodePage: Windows Latin 1 (Western European)
RevisionNumber: 11
MIMEType: application/msword
Words: 15
FileType: DOC
Lines: 1
AppVersion: 14.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 44.0 minutes
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 1

Compressed bundles
File identification
MD5: 1812739c86b05d08f3f4b8d3eae37ab2
SHA1: f98b8afced13f06e1cb004cb10b933e4a2fff31e
SHA256: 358087e8d96e739f87410a091aff4c19bd11867de7f817442f7729b653e3e749
ssdeep: 768:FkcDAxz99pP6uuLJPNhfqOUDFNgaFiAp2:FNDA3zxaJPNtqOUDFNp
File size: 42.5 KB ( 43520 bytes )
File type: MS Word Document
Magic literal: CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: gbjyalvsumwzd, Template: Normal, Last Saved By: Matt, Revision Number: 11, Name of Creating Application: Microsoft Office Word, Total Editing Time: 44:00, Create Time/Date: Mon Apr 10 14:15:00 2017, Last Saved Time/Date: Mon Apr 10 19:56:00 2017, Number of Pages: 1, Number of Words: 15, Number of Characters: 87, Security: 0

TrID Microsoft Word document (35.9%)
Microsoft Excel sheet (33.7%)
Microsoft Word document (old ver.) (21.3%)
Generic OLE2 / Multistream Compound File (8.9%)
Tags
obfuscated macros run-file auto-open doc

VirusTotal metadata
First submission 2017-04-12 05:08:06 UTC ( 1 year, 10 months ago )
Last submission 2017-04-13 03:00:44 UTC ( 1 year, 10 months ago )
File names Sarah-Resume.doc123
Sarah-Resume.doc
Sarah-Resume.doc
malware_downloader_from_185.165.29.36 (76)