SHA256: 406047bbbad09cafeb623eb2c1057441ae6db7f19f630acf9a02f9c48e7f40a7
File name: SecureMessage.doc
Detection ratio: 5 / 55
Analysis date: 2017-05-02 11:33:15 UTC ( 1 year, 8 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20170502
Fortinet WM/Agent.DCU!tr.dldr 20170502
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170502
Qihoo-360 virus.office.qexvmc.1075 20170502
Tencent Macro.Trojan.Dropperx.Auto 20170502
Ad-Aware 20170502
AegisLab 20170502
AhnLab-V3 20170502
Alibaba 20170502
ALYac 20170502
Antiy-AVL 20170502
Avast 20170502
AVG 20170502
Avira (no cloud) 20170502
AVware 20170502
Baidu 20170502
BitDefender 20170502
Bkav 20170428
CAT-QuickHeal 20170502
ClamAV 20170502
Comodo 20170502
CrowdStrike Falcon (ML) 20170130
Cyren 20170502
DrWeb 20170502
Emsisoft 20170502
Endgame 20170419
ESET-NOD32 20170502
F-Prot 20170502
F-Secure 20170502
GData 20170502
Ikarus 20170502
Sophos ML 20170413
Jiangmin 20170502
K7AntiVirus 20170502
K7GW 20170426
Kaspersky 20170502
Kingsoft 20170502
Malwarebytes 20170502
McAfee 20170502
McAfee-GW-Edition 20170501
Microsoft 20170502
eScan 20170502
nProtect 20170502
Palo Alto Networks (Known Signatures) 20170502
Panda 20170501
Rising 20170502
SentinelOne (Static ML) 20170330
Sophos AV 20170502
SUPERAntiSpyware 20170502
Symantec 20170501
Symantec Mobile Insight 20170502
TheHacker 20170429
TrendMicro 20170502
TrendMicro-HouseCall 20170502
Trustlook 20170502
VBA32 20170502
VIPRE 20170502
ViRobot 20170502
Webroot 20170502
WhiteArmor 20170502
Yandex 20170428
Zillya 20170428
ZoneAlarm by Check Point 20170502
Zoner 20170502
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author: user
creation_datetime: 2017-05-02 11:14:00
revision_number: 3
author: Accounting
page_count: 1
last_saved: 2017-05-02 11:15:00
edit_time: 60
word_count: 114
template: Normal
application_name: Microsoft Office Word
character_count: 655
code_page: Cyrillic
Document summary
line_count: 5
characters_with_spaces: 768
version: 786432
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 12416
type_literal: stream, sid: 20, name: \x01CompObj, size: 121
type_literal: stream, sid: 5, name: \x05DocumentSummaryInformation, size: 4096
type_literal: stream, sid: 4, name: \x05SummaryInformation, size: 4096
type_literal: stream, sid: 2, name: 1Table, size: 7375
type_literal: stream, sid: 1, name: Data, size: 10221
type_literal: stream, sid: 16, name: Macros/Form0/\x01CompObj, size: 97
type_literal: stream, sid: 17, name: Macros/Form0/\x03VBFrame, size: 288
type_literal: stream, sid: 14, name: Macros/Form0/f, size: 395
type_literal: stream, sid: 15, name: Macros/Form0/o, size: 648
type_literal: stream, sid: 19, name: Macros/PROJECT, size: 541
type_literal: stream, sid: 18, name: Macros/PROJECTwm, size: 83
type_literal: stream, sid: 10, type: macro (only attributes), name: Macros/VBA/Form0, size: 1196
type_literal: stream, sid: 9, type: macro, name: Macros/VBA/Module1, size: 3219
type_literal: stream, sid: 8, type: macro, name: Macros/VBA/ThisDocument, size: 1195
type_literal: stream, sid: 11, name: Macros/VBA/_VBA_PROJECT, size: 3398
type_literal: stream, sid: 12, name: Macros/VBA/dir, size: 830
type_literal: stream, sid: 3, name: WordDocument, size: 5166
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 50 bytes
[+] Module1.bas Macros/VBA/Module1 942 bytes
obfuscated run-file
ExifTool file metadata
SharedDoc: No
Author: Accounting
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: user
HeadingPairs: Title, 1
Identification: Word 8.0
Template: Normal
CharCountWithSpaces: 768
CreateDate: 2017:05:02 10:14:00
Word97: No
LanguageCode: English (US)
CompObjUserType: Microsoft Office Word 97-2003 Document
ModifyDate: 2017:05:02 10:15:00
Characters: 655
CodePage: Windows Cyrillic
RevisionNumber: 3
MIMEType: application/msword
Words: 114
FileType: DOC
Lines: 5
AppVersion: 12.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 1.0 minutes
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 39
FileTypeExtension: doc
Paragraphs: 1
DocFlags: Has picture, 1Table, ExtChar

Compressed bundles
File identification
MD5 d8da30f5918ee22b1b0a184da66efada
SHA1 23353d523290c286b2f768571f2cea5b3b50ff86
SHA256 406047bbbad09cafeb623eb2c1057441ae6db7f19f630acf9a02f9c48e7f40a7
ssdeep 768:MRu3xDUL7efMpbV6rUIAoIdxiXqiRNiVZQR98:jxDqqfYb8YBWqsis

File size 48.5 KB ( 49664 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: Accounting, Template: Normal, Last Saved By: user, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon May 01 10:14:00 2017, Last Saved Time/Date: Mon May 01 10:15:00 2017, Number of Pages: 1, Number of Words: 114, Number of Characters: 655, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated macros run-file attachment doc

VirusTotal metadata
First submission 2017-05-02 11:25:42 UTC ( 1 year, 8 months ago )
Last submission 2018-05-06 14:30:53 UTC ( 8 months, 2 weeks ago )
File names a18e1dd5f5b73c84d78e91e2931808c9
6037dd06d44eb9a6bfc81f6bda6ea23c
trickbot downloader (4)
SecureMessage.doc