SHA256: 3f23b47564cfada12ca18f18f51215bf0e6747419249db1c3d71887e55a16b8a
File name: d9bf9f695433705dc4fc5986d170ba1f.docm
Detection ratio: 40 / 60
Analysis date: 2017-12-01 01:30:38 UTC ( 2 weeks, 2 days ago )
Antivirus Result Update
Ad-Aware Trojan.Agent.BLQQ 20171130
AegisLab Troj.Downloader.Msword!c 20171201
AhnLab-V3 W97M/Downloader 20171130
Antiy-AVL Trojan[Downloader]/MSWord.Agent.qj 20171201
Arcabit Trojan.Agent.BLQQ 20171201
Avast VBA:Downloader-JM [Trj] 20171201
AVG VBA:Downloader-JM [Trj] 20171201
Avira (no cloud) WM/Agent.327 20171201
Baidu VBA.Trojan-Downloader.Agent.gn 20171130
BitDefender Trojan.Agent.BLQQ 20171130
CAT-QuickHeal O97M.Dropper.GO 20171130
ClamAV Doc.Dropper.Agent-1403647 20171201
Comodo UnclassifiedMalware 20171201
Cyren PP97M/Donoff 20171201
DrWeb W97M.DownLoader.541 20171201
Emsisoft Trojan.Agent.BLQQ (B) 20171130
ESET-NOD32 VBA/TrojanDownloader.Agent.ZN 20171130
F-Prot New or modified PP97M/Donoff 20171201
F-Secure Trojan:W97M/MaliciousMacro.GEN 20171130
Fortinet WM/Agent!tr 20171201
GData Trojan.Agent.BLQQ 20171201
Ikarus Trojan-Downloader.VBA.Agent 20171130
Jiangmin WM/Downloader.Agent.qe 20171201
Kaspersky Trojan-Downloader.MSWord.Agent.qj 20171130
MAX malware (ai score=100) 20171201
McAfee Artemis!67655DF27597 20171201
McAfee-GW-Edition W97M/Downloader.all 20171201
Microsoft TrojanDownloader:O97M/Donoff 20171201
eScan Trojan.Agent.BLQQ 20171130
NANO-Antivirus Trojan.Script.PDF.dzxkwm 20171130
Panda W97M/Downloader 20171130
Qihoo-360 heur.macro.encodefeature.d 20171201
Rising Macro.Agent.ev (CLASSIC) 20171201
Sophos AV Troj/DocDl-WH 20171130
Symantec W97M.Downloader 20171130
Tencent Heur:Trojan.Script.Generic.7027138.0 20171201
TrendMicro W2KM_DRIDEX.SYN 20171201
TrendMicro-HouseCall Suspicious_GEN.F47V1028 20171201
ViRobot W97M.S.Downloader.49595 20171130
ZoneAlarm by Check Point Trojan-Downloader.MSWord.Agent.qj 20171201
Alibaba 20171130
ALYac 20171130
Avast-Mobile 20171130
Bkav 20171129
CMC 20171126
CrowdStrike Falcon (ML) 20171016
Cybereason 20171103
Cylance 20171201
eGambit 20171201
Endgame 20171130
Sophos ML 20170914
K7AntiVirus 20171130
K7GW 20171201
Kingsoft 20171201
Malwarebytes 20171201
nProtect 20171130
Palo Alto Networks (Known Signatures) 20171201
SentinelOne (Static ML) 20171113
SUPERAntiSpyware 20171130
Symantec Mobile Insight 20171130
TheHacker 20171130
TotalDefense 20171130
Trustlook 20171201
VBA32 20171130
VIPRE 20171130
Webroot 20171201
WhiteArmor 20171104
Yandex 20171120
Zillya 20171129
Zoner 20171201
The file being studied follows the Open XML file format! More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May copy a file.
May create additional files.
May attempt to create directories.
May create OLE objects.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 83 bytes
[+] Module2.bas word/vbaProject.bin VBA/Module2 10157 bytes
copy-file create-file obfuscated open-file
[+] Module1.bas word/vbaProject.bin VBA/Module1 2686 bytes
copy-file
[+] Module3.bas word/vbaProject.bin VBA/Module3 23403 bytes
copy-file create-dir create-ole handle-file obfuscated open-file write-file
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator: 1
cp:lastModifiedBy: 1
cp:revision: 2
dcterms:created: 2015-08-05T06:30:00Z
dcterms:modified: 2015-08-05T06:30:00Z
Application document properties
Template: Normal
TotalTime: 0
Pages: 1
Words: 0
Characters: 0
Application: Microsoft Office Word
DocSecurity: 0
Lines: 1
Paragraphs: 1
ScaleCrop: false
vt:lpstr: Название
vt:i4: 1
Company: Home
LinksUpToDate: false
CharactersWithSpaces: 0
SharedDoc: false
HyperlinksChanged: false
AppVersion: 12.0000
Document languages
Language: Prevalence
ru-ru: 2
ar-sa: 1
ExifTool file metadata
SharedDoc: No
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: 1
Application: Microsoft Office Word
ZipFileName: [Content_Types].xml
Template: Normal
CreateDate: 2015:08:05 06:30:00Z
ZipRequiredVersion: 20
ModifyDate: 2015:08:05 06:30:00Z
ZipCRC: 0xc1a32581
Company: Home
Words: 0
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/vnd.ms-word.document.macroEnabled
ZipBitFlag: 0x0006
FileType: DOCM
Lines: 1
AppVersion: 12.0
ZipUncompressedSize: 1453
ZipCompressedSize: 406
Characters: 0
CharactersWithSpaces: 0
DocSecurity: None
ZipModifyDate: 1980:01:01 00:00:00
HeadingPairs: , 1
TotalEditTime: 0
ZipCompression: Deflated
Pages: 1
Creator: 1
FileTypeExtension: docm
Paragraphs: 1

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files: 14
Uncompressed size: 115574
Highest datetime: 1980-01-01 00:00:00
Lowest datetime: 1980-01-01 00:00:00
Contained files by extension
xml: 10
bin: 1
Contained files by type
XML: 13
Microsoft Office: 1
Compressed bundles
File identification
MD5 d9bf9f695433705dc4fc5986d170ba1f
SHA1 9ace0b70ca10970c6252f14a6f37002eb9df4bee
SHA256 3f23b47564cfada12ca18f18f51215bf0e6747419249db1c3d71887e55a16b8a
ssdeep 768:M/fqZPywgx7jXNYU3nLp1vbih33Vkfq/Ccbb1awVshArMNF50o4SKCtTEZQTdC:M/6EpLDb41k0Cs1ak4N4JaEWT4

File size 48.4 KB ( 49595 bytes )
File type Office Open XML Document
Magic literal Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.6%)
Word Microsoft Office Open XML Format document (24.2%)
Open Packaging Conventions container (18.0%)
ZIP compressed archive (4.1%)
Tags
obfuscated open-file create-dir handle-file copy-file create-file docx macros attachment write-file create-ole

VirusTotal metadata
First submission 2015-08-05 07:29:11 UTC ( 2 years, 4 months ago )
Last submission 2016-05-04 21:57:26 UTC ( 1 year, 7 months ago )
File names be105e7559eb11a1aff55ffecb7eb022
e64b827d8be8eee081490c028e53a0f4
d9bf9f695433705dc4fc5986d170ba1f.docm
378bcf1d3337def7c92b60397f7ade68
73c0d2ebd0a5099b77a87866cca2078d
5-OFCOM_REN04_20150715_0976659.docm
OFCOM_REN04_20150715_0976659.docm