SHA256: 3f23b47564cfada12ca18f18f51215bf0e6747419249db1c3d71887e55a16b8a
File name: d9bf9f695433705dc4fc5986d170ba1f.docm
Detection ratio: 36 / 57
Analysis date: 2017-09-29 01:57:20 UTC ( 3 weeks, 1 day ago )
Antivirus Result Update
AegisLab Troj.Downloader.Msword!c 20170929
AhnLab-V3 W97M/Downloader 20170929
Antiy-AVL Trojan[Downloader]/MSWord.Agent.qj 20170929
Arcabit Trojan.Agent.BLQQ 20170929
Avast VBA:Downloader-JM [Trj] 20170929
AVG VBA:Downloader-JM [Trj] 20170929
Avira (no cloud) WM/Agent.327 20170929
AVware LooksLike.Macro.Malware.g (v) 20170929
Baidu VBA.Trojan-Downloader.Agent.gn 20170928
BitDefender Trojan.Agent.BLQQ 20170929
CAT-QuickHeal O97M.Dropper.GO 20170928
ClamAV Doc.Dropper.Agent-1403647 20170928
Comodo UnclassifiedMalware 20170928
Cyren PP97M/Donoff 20170929
DrWeb W97M.DownLoader.541 20170929
Emsisoft Trojan.Agent.BLQQ (B) 20170929
ESET-NOD32 VBA/TrojanDownloader.Agent.ZN 20170929
F-Prot New or modified PP97M/Donoff 20170929
F-Secure Trojan:W97M/MaliciousMacro.GEN 20170929
Ikarus Trojan-Downloader.VBA.Agent 20170928
Jiangmin WM/Downloader.Agent.qe 20170929
Kaspersky Trojan-Downloader.MSWord.Agent.qj 20170929
MAX malware (ai score=85) 20170929
McAfee W97M/Downloader.all 20170929
McAfee-GW-Edition W97M/Downloader.all 20170929
Microsoft TrojanDownloader:O97M/Donoff 20170929
NANO-Antivirus Trojan.Script.PDF.dzxkwm 20170929
Panda W97M/Downloader 20170928
Qihoo-360 heur.macro.encodefeature.d 20170929
Sophos AV Troj/DocDl-WH 20170928
Symantec W97M.Downloader 20170928
Tencent Heur:Trojan.Script.Generic.7027138.0 20170929
TrendMicro W2KM_DRIDEX.SYN 20170929
TrendMicro-HouseCall W2KM_DRIDEX.SYN 20170929
ViRobot W97M.S.Downloader.49595 20170928
ZoneAlarm by Check Point Trojan-Downloader.MSWord.Agent.qj 20170929
Ad-Aware 20170929
Alibaba 20170911
ALYac 20170929
Avast-Mobile 20170928
CMC 20170928
CrowdStrike Falcon (ML) 20170804
Cylance 20170929
Endgame 20170821
Fortinet 20170929
Sophos ML 20170914
K7AntiVirus 20170928
K7GW 20170929
Kingsoft 20170929
Malwarebytes 20170929
eScan 20170929
nProtect 20170929
Palo Alto Networks (Known Signatures) 20170929
SentinelOne (Static ML) 20170806
SUPERAntiSpyware 20170928
Symantec Mobile Insight 20170928
TheHacker 20170928
TotalDefense 20170928
Trustlook 20170929
VBA32 20170928
VIPRE 20170929
WhiteArmor 20170927
Yandex 20170908
Zillya 20170928
Zoner 20170929
The file being studied follows the Open XML file format! More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May copy a file.
May create additional files.
May attempt to create directories.
May create OLE objects.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 83 bytes
[+] Module2.bas word/vbaProject.bin VBA/Module2 10157 bytes
copy-file create-file obfuscated open-file
[+] Module1.bas word/vbaProject.bin VBA/Module1 2686 bytes
copy-file
[+] Module3.bas word/vbaProject.bin VBA/Module3 23403 bytes
copy-file create-dir create-ole handle-file obfuscated open-file write-file
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator
1
cp:lastModifiedBy
1
cp:revision
2
dcterms:created
2015-08-05T06:30:00Z
dcterms:modified
2015-08-05T06:30:00Z
Application document properties
Template
Normal
TotalTime
0
Pages
1
Words
0
Characters
0
Application
Microsoft Office Word
DocSecurity
0
Lines
1
Paragraphs
1
ScaleCrop
false
vt:lpstr
Название
vt:i4
1
Company
Home
LinksUpToDate
false
CharactersWithSpaces
0
SharedDoc
false
HyperlinksChanged
false
AppVersion
12.0000
Document languages
Language
Prevalence
ru-ru
2
ar-sa
1
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
1

Application
Microsoft Office Word

ZipFileName
[Content_Types].xml

Template
Normal

CreateDate
2015:08:05 06:30:00Z

ZipRequiredVersion
20

ModifyDate
2015:08:05 06:30:00Z

ZipCRC
0xc1a32581

Company
Home

Words
0

ScaleCrop
No

RevisionNumber
2

MIMEType
application/vnd.ms-word.document.macroEnabled

ZipBitFlag
0x0006

FileType
DOCM

Lines
1

AppVersion
12.0

ZipUncompressedSize
1453

ZipCompressedSize
406

Characters
0

CharactersWithSpaces
0

DocSecurity
None

ZipModifyDate
1980:01:01 00:00:00

HeadingPairs
, 1

TotalEditTime
0

ZipCompression
Deflated

Pages
1

Creator
1

FileTypeExtension
docm

Paragraphs
1

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files
14
Uncompressed size
115574
Highest datetime
1980-01-01 00:00:00
Lowest datetime
1980-01-01 00:00:00
Contained files by extension
xml
10
bin
1
Contained files by type
XML
13
Microsoft Office
1
Compressed bundles
File identification
MD5 d9bf9f695433705dc4fc5986d170ba1f
SHA1 9ace0b70ca10970c6252f14a6f37002eb9df4bee
SHA256 3f23b47564cfada12ca18f18f51215bf0e6747419249db1c3d71887e55a16b8a
ssdeep
768:M/fqZPywgx7jXNYU3nLp1vbih33Vkfq/Ccbb1awVshArMNF50o4SKCtTEZQTdC:M/6EpLDb41k0Cs1ak4N4JaEWT4

File size 48.4 KB ( 49595 bytes )
File type Office Open XML Document
Magic literal
Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.6%)
Word Microsoft Office Open XML Format document (24.2%)
Open Packaging Conventions container (18.0%)
ZIP compressed archive (4.1%)
Tags
obfuscated open-file create-dir handle-file copy-file create-file docx macros attachment write-file create-ole

VirusTotal metadata
First submission 2015-08-05 07:29:11 UTC ( 2 years, 2 months ago )
Last submission 2016-05-04 21:57:26 UTC ( 1 year, 5 months ago )
File names be105e7559eb11a1aff55ffecb7eb022
e64b827d8be8eee081490c028e53a0f4
d9bf9f695433705dc4fc5986d170ba1f.docm
378bcf1d3337def7c92b60397f7ade68
73c0d2ebd0a5099b77a87866cca2078d
5-OFCOM_REN04_20150715_0976659.docm
OFCOM_REN04_20150715_0976659.docm