SHA256: 3f23b47564cfada12ca18f18f51215bf0e6747419249db1c3d71887e55a16b8a
File name: d9bf9f695433705dc4fc5986d170ba1f.docm
Detection ratio: 37 / 60
Analysis date: 2017-08-12 02:02:37 UTC ( 1 week ago )
Antivirus Result Update
AegisLab Troj.Downloader.Msword!c 20170812
AhnLab-V3 W97M/Downloader 20170811
Antiy-AVL Trojan[Downloader]/MSWord.Agent.qj 20170812
Arcabit Trojan.Agent.BLQQ 20170812
Avast VBA:Downloader-JM [Trj] 20170811
AVG VBA:Downloader-JM [Trj] 20170811
Avira (no cloud) WM/Agent.327 20170811
AVware LooksLike.Macro.Malware.g (v) 20170812
Baidu VBA.Trojan-Downloader.Agent.gn 20170811
BitDefender Trojan.Agent.BLQQ 20170812
CAT-QuickHeal O97M.Dropper.GO 20170811
ClamAV Doc.Dropper.Agent-1403647 20170812
Comodo UnclassifiedMalware 20170812
Cyren PP97M/Donoff 20170812
DrWeb W97M.DownLoader.541 20170812
Emsisoft Trojan.Agent.BLQQ (B) 20170812
ESET-NOD32 VBA/TrojanDownloader.Agent.ZN 20170811
F-Prot New or modified PP97M/Donoff 20170812
F-Secure Trojan:W97M/MaliciousMacro.GEN 20170812
Fortinet WM/Agent!tr 20170812
GData Trojan.Agent.BLQQ 20170812
Ikarus Trojan-Downloader.VBA.Agent 20170811
Jiangmin WM/Downloader.Agent.qe 20170812
Kaspersky Trojan-Downloader.MSWord.Agent.qj 20170812
MAX malware (ai score=85) 20170812
McAfee W97M/Downloader.all 20170812
McAfee-GW-Edition W97M/Downloader.all 20170811
Microsoft TrojanDownloader:O97M/Donoff 20170812
NANO-Antivirus Trojan.Script.PDF.dzxkwm 20170812
Panda W97M/Downloader 20170811
Qihoo-360 heur.macro.encodefeature.d 20170812
Rising Heur.Macro.Downloader.e (classic) 20170812
Sophos AV Troj/DocDl-WH 20170811
Symantec W97M.Downloader 20170811
Tencent Word.Trojan-downloader.Agent.Wtxn 20170812
ViRobot W97M.S.Downloader.49595 20170811
ZoneAlarm by Check Point Trojan-Downloader.MSWord.Agent.qj 20170812
Ad-Aware 20170812
Alibaba 20170811
ALYac 20170812
Bkav 20170811
CMC 20170811
CrowdStrike Falcon (ML) 20170804
Cylance 20170812
Endgame 20170721
Sophos ML 20170607
K7AntiVirus 20170811
K7GW 20170811
Kingsoft 20170812
Malwarebytes 20170812
eScan 20170812
nProtect 20170812
Palo Alto Networks (Known Signatures) 20170812
SentinelOne (Static ML) 20170806
SUPERAntiSpyware 20170812
Symantec Mobile Insight 20170811
TheHacker 20170810
TotalDefense 20170811
TrendMicro 20170812
TrendMicro-HouseCall 20170812
Trustlook 20170812
VBA32 20170811
VIPRE 20170812
Webroot 20170812
WhiteArmor 20170731
Yandex 20170807
Zillya 20170811
Zoner 20170812
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May copy a file.
May create additional files.
May attempt to create directories.
May create OLE objects.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 83 bytes
[+] Module2.bas word/vbaProject.bin VBA/Module2 10157 bytes
copy-file create-file obfuscated open-file
[+] Module1.bas word/vbaProject.bin VBA/Module1 2686 bytes
copy-file
[+] Module3.bas word/vbaProject.bin VBA/Module3 23403 bytes
copy-file create-dir create-ole handle-file obfuscated open-file write-file
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator
1
cp:lastModifiedBy
1
cp:revision
2
dcterms:created
2015-08-05T06:30:00Z
dcterms:modified
2015-08-05T06:30:00Z
Application document properties
Template
Normal
TotalTime
0
Pages
1
Words
0
Characters
0
Application
Microsoft Office Word
DocSecurity
0
Lines
1
Paragraphs
1
ScaleCrop
false
vt:lpstr
Название
vt:i4
1
Company
Home
LinksUpToDate
false
CharactersWithSpaces
0
SharedDoc
false
HyperlinksChanged
false
AppVersion
12.0000
Document languages
Language
Prevalence
ru-ru
2
ar-sa
1
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
1

Application
Microsoft Office Word

ZipFileName
[Content_Types].xml

Template
Normal

CreateDate
2015:08:05 06:30:00Z

ZipRequiredVersion
20

ModifyDate
2015:08:05 06:30:00Z

ZipCRC
0xc1a32581

Company
Home

Words
0

ScaleCrop
No

RevisionNumber
2

MIMEType
application/vnd.ms-word.document.macroEnabled

ZipBitFlag
0x0006

FileType
DOCM

Lines
1

AppVersion
12.0

ZipUncompressedSize
1453

ZipCompressedSize
406

Characters
0

CharactersWithSpaces
0

DocSecurity
None

ZipModifyDate
1980:01:01 00:00:00

HeadingPairs
, 1

TotalEditTime
0

ZipCompression
Deflated

Pages
1

Creator
1

FileTypeExtension
docm

Paragraphs
1

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files
14
Uncompressed size
115574
Highest datetime
1980-01-01 00:00:00
Lowest datetime
1980-01-01 00:00:00
Contained files by extension
xml
10
bin
1
Contained files by type
XML
13
Microsoft Office
1
Compressed bundles
File identification
MD5 d9bf9f695433705dc4fc5986d170ba1f
SHA1 9ace0b70ca10970c6252f14a6f37002eb9df4bee
SHA256 3f23b47564cfada12ca18f18f51215bf0e6747419249db1c3d71887e55a16b8a
ssdeep
768:M/fqZPywgx7jXNYU3nLp1vbih33Vkfq/Ccbb1awVshArMNF50o4SKCtTEZQTdC:M/6EpLDb41k0Cs1ak4N4JaEWT4

File size 48.4 KB ( 49595 bytes )
File type Office Open XML Document
Magic literal
Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.6%)
Word Microsoft Office Open XML Format document (24.2%)
Open Packaging Conventions container (18.0%)
ZIP compressed archive (4.1%)
Tags
obfuscated open-file create-dir handle-file copy-file create-file docx macros attachment write-file create-ole

VirusTotal metadata
First submission 2015-08-05 07:29:11 UTC ( 2 years ago )
Last submission 2016-05-04 21:57:26 UTC ( 1 year, 3 months ago )
File names be105e7559eb11a1aff55ffecb7eb022
e64b827d8be8eee081490c028e53a0f4
d9bf9f695433705dc4fc5986d170ba1f.docm
378bcf1d3337def7c92b60397f7ade68
73c0d2ebd0a5099b77a87866cca2078d
5-OFCOM_REN04_20150715_0976659.docm
OFCOM_REN04_20150715_0976659.docm