× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 3801181d5eec749898527ebc4279741acbc9f82c8aa72f8be272031d67eea76b
Detection ratio: 19 / 59
Analysis date: 2018-04-26 01:22:45 UTC ( 9 months, 3 weeks ago ) View latest
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20180426
AVware LooksLike.Macro.Malware.k (v) 20180425
Baidu VBA.Trojan-Downloader.Agent.cjw 20180425
ESET-NOD32 VBA/TrojanDownloader.Agent.HXK 20180425
Fortinet VBA/Agent.HXK!tr.dldr 20180426
Ikarus Win32.Outbreak 20180425
Kaspersky HEUR:Trojan.Script.Agent.gen 20180425
MAX malware (ai score=93) 20180426
McAfee-GW-Edition BehavesLike.Downloader.cg 20180425
Microsoft Trojan:Script/Cloxer.A!cl 20180426
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20180425
nProtect Suspicious/W97M.Obfus.Gen 20180426
Qihoo-360 virus.office.qexvmc.1095 20180426
Symantec W97M.Downloader 20180425
TrendMicro HEUR_VBA.O.ELBP 20180425
TrendMicro-HouseCall Suspicious_GEN.F47V0425 20180425
VIPRE LooksLike.Macro.Malware.k (v) 20180425
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20180425
Zoner Probably W97Shell 20180425
Ad-Aware 20180425
AegisLab 20180425
AhnLab-V3 20180425
Alibaba 20180425
ALYac 20180425
Antiy-AVL 20180418
Avast 20180425
Avast-Mobile 20180425
AVG 20180425
Avira (no cloud) 20180425
Babable 20180406
BitDefender 20180425
Bkav 20180424
CAT-QuickHeal 20180425
ClamAV 20180425
CMC 20180425
Comodo 20180425
CrowdStrike Falcon (ML) 20180418
Cybereason None
Cylance 20180426
Cyren 20180425
DrWeb 20180425
eGambit 20180426
Emsisoft 20180425
Endgame 20180403
F-Prot 20180426
F-Secure 20180425
GData 20180425
Sophos ML 20180121
Jiangmin 20180426
K7AntiVirus 20180425
K7GW 20180426
Kingsoft 20180426
Malwarebytes 20180425
McAfee 20180425
eScan 20180425
Palo Alto Networks (Known Signatures) 20180426
Panda 20180425
Rising 20180425
SentinelOne (Static ML) 20180225
Sophos AV 20180425
SUPERAntiSpyware 20180425
Symantec Mobile Insight 20180424
Tencent 20180426
TheHacker 20180425
Trustlook 20180426
VBA32 20180425
ViRobot 20180425
Webroot 20180426
Yandex 20180425
Zillya 20180425
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2018-04-25 13:31:00
author
Luselyqiha
title
Luselyqi
page_count
1
last_saved
2018-04-25 13:31:00
revision_number
1
application_name
Microsoft Office Word
character_count
1
template
Normal.dotm
code_page
Latin I
subject
Luselyqiha
Document summary
category
Luselyqiha
line_count
1
company
Luse
characters_with_spaces
1
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
5440
type_literal
stream
sid
20
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
332
type_literal
stream
sid
4
name
\x05SummaryInformation
size
428
type_literal
stream
sid
2
name
1Table
size
7802
type_literal
stream
sid
1
name
Data
size
22226
type_literal
stream
sid
18
name
Macros/PROJECT
size
554
type_literal
stream
sid
19
name
Macros/PROJECTwm
size
155
type_literal
stream
sid
15
type
macro
name
Macros/VBA/TLhmRtLsZKTd
size
5653
type_literal
stream
sid
16
name
Macros/VBA/_VBA_PROJECT
size
25697
type_literal
stream
sid
9
name
Macros/VBA/__SRP_0
size
1502
type_literal
stream
sid
10
name
Macros/VBA/__SRP_1
size
196
type_literal
stream
sid
11
name
Macros/VBA/__SRP_2
size
736
type_literal
stream
sid
12
name
Macros/VBA/__SRP_3
size
379
type_literal
stream
sid
8
name
Macros/VBA/dir
size
709
type_literal
stream
sid
14
type
macro
name
Macros/VBA/mwDGZqQwAEmu
size
10827
type_literal
stream
sid
17
type
macro
name
Macros/VBA/wqndOzOXBIjjt
size
19597
type_literal
stream
sid
13
type
macro
name
Macros/VBA/zBaGXUmUEz
size
31155
type_literal
stream
sid
3
name
WordDocument
size
4096
Macros and VBA code streams
[+] TLhmRtLsZKTd.cls Macros/VBA/TLhmRtLsZKTd 2108 bytes
obfuscated
[+] wqndOzOXBIjjt.bas Macros/VBA/wqndOzOXBIjjt 11245 bytes
exe-pattern obfuscated
[+] zBaGXUmUEz.bas Macros/VBA/zBaGXUmUEz 18139 bytes
obfuscated run-file
[+] mwDGZqQwAEmu.bas Macros/VBA/mwDGZqQwAEmu 5964 bytes
obfuscated
ExifTool file metadata
Category
Luselyqiha

SharedDoc
No

Author
Luselyqiha

CodePage
Windows Latin 1 (Western European)

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
1

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2018:04:25 12:31:00

Company
Luse

Title
Luselyqi

Characters
1

HyperlinksChanged
No

RevisionNumber
1

MIMEType
application/msword

Words
0

CreateDate
2018:04:25 12:31:00

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

FileType
DOC

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

Warning
Truncated property list

FileTypeExtension
doc

Paragraphs
1

DocFlags
Has picture, 1Table, ExtChar

Subject
Luselyqiha

File identification
MD5 84a0515a277eab1f03254ff4f1664517
SHA1 24780fd57a2f486846c810d758a615bb06c9b8d8
SHA256 3801181d5eec749898527ebc4279741acbc9f82c8aa72f8be272031d67eea76b
ssdeep
1536:bte093E/MSQS7WL2Gz4IM+ah5zKsDiPZzFWpMLCt1OEJ5XRsLXQdreEUYp6VlPM1:fZSFY8VGwmwk5xR/oNQpXsF

File size 145.0 KB ( 148480 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Luselyqi, Subject: Luselyqiha, Author: Luselyqiha, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Apr 24 12:31:00 2018, Last Saved Time/Date: Tue Apr 24 12:31:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file exe-pattern doc

VirusTotal metadata
First submission 2018-04-25 12:58:47 UTC ( 9 months, 3 weeks ago )
Last submission 2018-05-15 04:44:17 UTC ( 9 months, 1 week ago )
File names Outstanding Invoices.doc
Invoice #18285570.doc
Service Report (23188).doc
Question.doc
Invoice for you.doc
Invoice Number 372183.doc
312-04-552667-467 & 312-04-552667-631.doc
Paid Invoices.doc
Invoice Number 74571.doc
680-47-440153-611 & 680-47-440153-177.doc
Invoice.doc
Invoices Overdue.doc
Need to send the attachment.doc
Past Due Invoices.doc
ACH form.doc
Document needed.doc
Fwd: ACH form.doc
245-65-402483-756 & 245-65-402483-387.doc
Service Invoice.doc
981-09-528930-186 & 981-09-528930-319.doc
Invoice receipt.doc
Inv 09107 - PO #1R293732.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!