SHA256: 3f23b47564cfada12ca18f18f51215bf0e6747419249db1c3d71887e55a16b8a
File name: d9bf9f695433705dc4fc5986d170ba1f.docm
Detection ratio: 37 / 57
Analysis date: 2017-04-17 21:13:24 UTC ( 2 months, 1 week ago )
Antivirus Result Update
AegisLab Troj.Downloader.Msword!c 20170417
AhnLab-V3 W97M/Downloader 20170417
ALYac Trojan.Agent.BLQQ 20170417
Arcabit Trojan.Agent.BLQQ 20170417
Avast VBA:Downloader-JM [Trj] 20170417
AVG W97M/Generic 20170417
Avira (no cloud) WM/Agent.327 20170417
AVware LooksLike.Macro.Malware.g (v) 20170417
Baidu VBA.Trojan-Downloader.Agent.gn 20170417
BitDefender Trojan.Agent.BLQQ 20170417
CAT-QuickHeal O97M.Dropper.GO 20170417
ClamAV Doc.Dropper.Agent-1403647 20170417
Comodo UnclassifiedMalware 20170417
Cyren PP97M/Donoff 20170417
DrWeb W97M.DownLoader.541 20170418
Emsisoft Trojan.Agent.BLQQ (B) 20170417
ESET-NOD32 VBA/TrojanDownloader.Agent.ZN 20170417
F-Prot New or modified PP97M/Donoff 20170418
F-Secure Trojan:W97M/MaliciousMacro.GEN 20170418
Fortinet WM/Agent!tr 20170417
GData Trojan.Agent.BLQQ 20170418
Ikarus Trojan-Downloader.VBA.Agent 20170417
Jiangmin WM/Downloader.Agent.qe 20170417
Kaspersky Trojan-Downloader.MSWord.Agent.qj 20170418
McAfee W97M/Downloader.all 20170418
McAfee-GW-Edition W97M/Downloader.all 20170417
Microsoft TrojanDownloader:O97M/Donoff 20170417
NANO-Antivirus Trojan.Script.PDF.dzxkwm 20170416
Panda W97M/Downloader 20170417
Qihoo-360 heur.macro.encodefeature.d 20170418
Rising Heur.Macro.Downloader.e (classic) 20170417
Sophos Troj/DocDl-WH 20170417
Symantec W97M.Downloader 20170417
Tencent Word.Trojan-downloader.Agent.Wtxn 20170418
TrendMicro-HouseCall W2KM_DRIDEX.SYN 20170417
ViRobot W97M.S.Downloader.49595[h] 20170417
ZoneAlarm by Check Point Trojan-Downloader.MSWord.Agent.qj 20170417
Ad-Aware 20170417
Alibaba 20170417
Bkav 20170415
CMC 20170417
CrowdStrike Falcon (ML) 20170130
Endgame 20170413
Invincea 20170413
K7AntiVirus 20170417
K7GW 20170417
Kingsoft 20170418
Malwarebytes 20170417
eScan 20170418
nProtect 20170418
Palo Alto Networks (Known Signatures) 20170418
SentinelOne (Static ML) 20170330
SUPERAntiSpyware 20170418
Symantec Mobile Insight 20170414
TheHacker 20170416
TotalDefense 20170417
Trustlook 20170418
VBA32 20170417
VIPRE 20170418
Webroot 20170418
WhiteArmor 20170409
Yandex 20170417
Zillya 20170414
Zoner 20170417
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a user opens or works with a document.
May open a file.
May write to a file.
May perform operations with other files.
May copy a file.
May create additional files.
May attempt to create directories.
May create OLE objects.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 83 bytes
[+] Module2.bas word/vbaProject.bin VBA/Module2 10157 bytes
copy-file create-file obfuscated open-file
[+] Module1.bas word/vbaProject.bin VBA/Module1 2686 bytes
copy-file
[+] Module3.bas word/vbaProject.bin VBA/Module3 23403 bytes
copy-file create-dir create-ole handle-file obfuscated open-file write-file
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator
1
cp:lastModifiedBy
1
cp:revision
2
dcterms:created
2015-08-05T06:30:00Z
dcterms:modified
2015-08-05T06:30:00Z
Application document properties
Template
Normal
TotalTime
0
Pages
1
Words
0
Characters
0
Application
Microsoft Office Word
DocSecurity
0
Lines
1
Paragraphs
1
ScaleCrop
false
vt:lpstr
Название
vt:i4
1
Company
Home
LinksUpToDate
false
CharactersWithSpaces
0
SharedDoc
false
HyperlinksChanged
false
AppVersion
12.0000
Document languages
Language
Prevalence
ru-ru
2
ar-sa
1
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
1

Application
Microsoft Office Word

ZipFileName
[Content_Types].xml

Template
Normal

CreateDate
2015:08:05 06:30:00Z

ZipRequiredVersion
20

ModifyDate
2015:08:05 06:30:00Z

ZipCRC
0xc1a32581

Company
Home

Words
0

ScaleCrop
No

RevisionNumber
2

MIMEType
application/vnd.ms-word.document.macroEnabled

ZipBitFlag
0x0006

FileType
DOCM

Lines
1

AppVersion
12.0

ZipUncompressedSize
1453

ZipCompressedSize
406

Characters
0

CharactersWithSpaces
0

DocSecurity
None

ZipModifyDate
1980:01:01 00:00:00

HeadingPairs
, 1

TotalEditTime
0

ZipCompression
Deflated

Pages
1

Creator
1

FileTypeExtension
docm

Paragraphs
1

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files
14
Uncompressed size
115574
Highest datetime
1980-01-01 00:00:00
Lowest datetime
1980-01-01 00:00:00
Contained files by extension
xml
10
bin
1
Contained files by type
XML
13
Microsoft Office
1
Compressed bundles
File identification
MD5 d9bf9f695433705dc4fc5986d170ba1f
SHA1 9ace0b70ca10970c6252f14a6f37002eb9df4bee
SHA256 3f23b47564cfada12ca18f18f51215bf0e6747419249db1c3d71887e55a16b8a
ssdeep
768:M/fqZPywgx7jXNYU3nLp1vbih33Vkfq/Ccbb1awVshArMNF50o4SKCtTEZQTdC:M/6EpLDb41k0Cs1ak4N4JaEWT4

File size 48.4 KB ( 49595 bytes )
File type Office Open XML Document
Magic literal
Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.6%)
Word Microsoft Office Open XML Format document (24.2%)
Open Packaging Conventions container (18.0%)
ZIP compressed archive (4.1%)
Tags
obfuscated open-file create-dir handle-file copy-file create-file docx macros attachment write-file create-ole

VirusTotal metadata
First submission 2015-08-05 07:29:11 UTC ( 1 year, 10 months ago )
Last submission 2016-05-04 21:57:26 UTC ( 1 year, 1 month ago )
File names be105e7559eb11a1aff55ffecb7eb022
e64b827d8be8eee081490c028e53a0f4
d9bf9f695433705dc4fc5986d170ba1f.docm
378bcf1d3337def7c92b60397f7ade68
73c0d2ebd0a5099b77a87866cca2078d
5-OFCOM_REN04_20150715_0976659.docm
OFCOM_REN04_20150715_0976659.docm