SHA256: 3782f96c6d9f3136651da208465fa939313b7e4f21bdc4ef10c05926e0428a65
Detection ratio: 10 / 58
Analysis date: 2018-03-28 10:48:54 UTC ( 1 year ago )
Antivirus Result Update
AegisLab Vba.Downloader.Fse!c 20180328
Avast VBA:Downloader-FSE [Trj] 20180328
AVG VBA:Downloader-FSE [Trj] 20180328
Baidu VBA.Trojan-Downloader.Agent.cny 20180328
F-Secure Trojan:W97M/Nastjencro.A 20180328
Fortinet VBA/Agent.YPEZ!tr.dldr 20180328
Ikarus Win32.Outbreak 20180328
Qihoo-360 Win32/Trojan.Downloader.8eb 20180328
Tencent Macro.Trojan.Dropperd.Auto 20180328
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20180328
Ad-Aware 20180328
AhnLab-V3 20180328
Alibaba 20180328
ALYac 20180328
Antiy-AVL 20180328
Arcabit 20180328
Avast-Mobile 20180328
Avira (no cloud) 20180328
AVware 20180328
BitDefender 20180328
Bkav 20180328
CAT-QuickHeal 20180327
ClamAV 20180328
CMC 20180328
Comodo 20180328
CrowdStrike Falcon (ML) 20170201
Cybereason None
Cylance 20180328
Cyren 20180328
DrWeb 20180328
eGambit 20180328
Emsisoft 20180328
Endgame 20180316
ESET-NOD32 20180328
F-Prot 20180328
GData 20180328
Sophos ML 20180121
Jiangmin 20180328
K7AntiVirus 20180328
K7GW 20180328
Kaspersky 20180328
Kingsoft 20180328
Malwarebytes 20180328
MAX 20180328
McAfee 20180328
McAfee-GW-Edition 20180328
Microsoft 20180328
eScan 20180328
NANO-Antivirus 20180328
nProtect 20180328
Palo Alto Networks (Known Signatures) 20180328
Panda 20180327
Rising 20180328
SentinelOne (Static ML) 20180225
Sophos AV 20180328
SUPERAntiSpyware 20180328
Symantec 20180328
Symantec Mobile Insight 20180311
TheHacker 20180327
TrendMicro 20180328
TrendMicro-HouseCall 20180328
Trustlook 20180328
VBA32 20180328
VIPRE 20180328
ViRobot 20180328
WhiteArmor 20180324
Yandex 20180328
Zillya 20180328
Zoner 20180327
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: Longer
creation_datetime: 2018-03-28 10:32:00
revision_number: 2
author: Longer
page_count: 1
last_saved: 2018-03-28 10:43:00
edit_time: 300
word_count: 34
template: Normal.dotm
application_name: Microsoft Office Word
character_count: 198
code_page: Latin I
Document summary
line_count: 1
characters_with_spaces: 231
version: 786432
paragraph_count: 1
code_page: -535
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
14016
type_literal
stream
sid
33
name
\x01CompObj
size
160
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
2
name
1Table
size
6717
type_literal
stream
sid
1
name
Data
size
5912
type_literal
stream
sid
16
name
Macros/PROJECT
size
664
type_literal
stream
sid
22
name
Macros/PROJECTwm
size
203
type_literal
stream
sid
14
type
macro
name
Macros/VBA/ThisDocument
size
1311
type_literal
stream
sid
15
name
Macros/VBA/_VBA_PROJECT
size
5153
type_literal
stream
sid
9
type
macro
name
Macros/VBA/alrboro2
size
4663
type_literal
stream
sid
12
type
macro
name
Macros/VBA/asampalassa
size
5635
type_literal
stream
sid
8
name
Macros/VBA/dir
size
1032
type_literal
stream
sid
10
type
macro (only attributes)
name
Macros/VBA/dlmjhecx
size
1186
type_literal
stream
sid
13
type
macro
name
Macros/VBA/subscripting
size
2353
type_literal
stream
sid
11
type
macro
name
Macros/VBA/wordapollo
size
1841
type_literal
stream
sid
20
name
Macros/dlmjhecx/\x01CompObj
size
97
type_literal
stream
sid
21
name
Macros/dlmjhecx/\x03VBFrame
size
290
type_literal
stream
sid
18
name
Macros/dlmjhecx/f
size
547
type_literal
stream
sid
19
name
Macros/dlmjhecx/o
size
776
type_literal
stream
sid
31
name
Macros/subscripting/\x01CompObj
size
97
type_literal
stream
sid
32
name
Macros/subscripting/\x03VBFrame
size
296
type_literal
stream
sid
29
name
Macros/subscripting/f
size
555
type_literal
stream
sid
30
name
Macros/subscripting/o
size
784
type_literal
stream
sid
26
name
Macros/wordapollo/\x01CompObj
size
97
type_literal
stream
sid
27
name
Macros/wordapollo/\x03VBFrame
size
294
type_literal
stream
sid
24
name
Macros/wordapollo/f
size
327
type_literal
stream
sid
25
name
Macros/wordapollo/o
size
444
type_literal
stream
sid
3
name
WordDocument
size
4096
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 148 bytes
[+] alrboro2.bas Macros/VBA/alrboro2 2015 bytes
obfuscated
[+] asampalassa.bas Macros/VBA/asampalassa 2493 bytes
[+] subscripting.frm Macros/VBA/subscripting 464 bytes
create-ole
[+] wordapollo.frm Macros/VBA/wordapollo 376 bytes
ExifTool file metadata
SharedDoc: No
Author: Longer
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: Longer
HeadingPairs: , 1
Identification: Word 8.0
Template: Normal.dotm
CharCountWithSpaces: 231
CreateDate: 2018:03:28 09:32:00
Word97: No
LanguageCode: English (US)
ModifyDate: 2018:03:28 09:43:00
Characters: 198
CodePage: Unicode (UTF-8)
RevisionNumber: 2
MIMEType: application/msword
Words: 34
FileType: DOC
Lines: 1
AppVersion: 12.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 5 minutes
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 0
FileTypeExtension: doc
Paragraphs: 1
LastPrinted: 0000:00:00 00:00:00
DocFlags: Has picture, 1Table, ExtChar

Compressed bundles
File identification
MD5 72a546259753c4f976aae1dcd3b176f5
SHA1 3ab6818789fe3574de05f5ba7a9a95cf0cd8e710
SHA256 3782f96c6d9f3136651da208465fa939313b7e4f21bdc4ef10c05926e0428a65
ssdeep
768:QneKCBC0MK8aVpIEgcTQV6IzWgSpapbhp:CtIdJeYk0sSEJh

File size 62.0 KB ( 63488 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Longer, Template: Normal.dotm, Last Saved By: Longer, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 05:00, Create Time/Date: Tue Mar 27 09:32:00 2018, Last Saved Time/Date: Tue Mar 27 09:43:00 2018, Number of Pages: 1, Number of Words: 34, Number of Characters: 198, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated macros create-ole attachment doc

VirusTotal metadata
First submission 2018-03-28 10:32:06 UTC ( 1 year ago )
Last submission 2018-11-20 09:03:19 UTC ( 5 months ago )
File names 2018-03-28-Word-doc-with-macro-for-Trickbot.doc
SecureMessage.doc
Malware_MSOLE2_3782f96c6d9f3136651da208465fa939313b7e4f21bdc4ef10c05926e0428a65
481f30c87491418f5acfb54b502056af97032611
3782f96c6d9f3136651da208465fa939313b.doc
PO