SHA256: 4c4580f7b858d06afd0eb9505cca1d5a5ae9600682ac485a267335797deb8a6b
File name: N5OSUHX.docm
Detection ratio: 13 / 59
Analysis date: 2017-05-12 04:09:04 UTC ( 1 year, 7 months ago )
Antivirus Result Update
Avira (no cloud) W2000M/Agent.0446414 20170511
Baidu VBA.Trojan-Downloader.Agent.bae 20170503
CAT-QuickHeal O97M.Downloader.AJK 20170511
F-Secure Trojan-Downloader:W97M/Dridex.Z 20170512
Ikarus Trojan-Downloader.VBA.Agent 20170511
Microsoft TrojanDownloader:O97M/Donoff 20170512
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170512
Qihoo-360 virus.office.obfuscated.1 20170512
Rising Heur.Macro.Downloader.d (classic) 20170512
Symantec W97M.Downloader 20170511
TrendMicro W2KM_LO.B3C9E4B5 20170512
TrendMicro-HouseCall W2KM_LO.B3C9E4B5 20170512
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20170512
Ad-Aware 20170512
AegisLab 20170512
AhnLab-V3 20170512
Alibaba 20170512
ALYac 20170512
Antiy-AVL 20170512
Arcabit 20170512
Avast 20170512
AVG 20170512
AVware 20170512
BitDefender 20170512
Bkav 20170511
ClamAV 20170511
CMC 20170511
Comodo 20170512
CrowdStrike Falcon (ML) 20170130
Cyren 20170512
DrWeb 20170512
Emsisoft 20170512
Endgame 20170503
ESET-NOD32 20170512
F-Prot 20170512
Fortinet 20170512
GData 20170512
Sophos ML 20170413
Jiangmin 20170510
K7AntiVirus 20170511
K7GW 20170512
Kaspersky 20170512
Kingsoft 20170512
Malwarebytes 20170512
McAfee 20170512
McAfee-GW-Edition 20170511
eScan 20170512
nProtect 20170512
Palo Alto Networks (Known Signatures) 20170512
Panda 20170511
SentinelOne (Static ML) 20170330
Sophos AV 20170512
SUPERAntiSpyware 20170511
Symantec Mobile Insight 20170511
Tencent 20170512
TheHacker 20170508
TotalDefense 20170511
Trustlook 20170512
VBA32 20170511
VIPRE 20170512
ViRobot 20170512
Webroot 20170512
WhiteArmor 20170502
Yandex 20170510
Zillya 20170511
Zoner 20170512
The file being studied follows the Open XML file format! More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May create OLE objects.
May enumerate open windows.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 80 bytes
[+] Cooper.cls word/vbaProject.bin VBA/Cooper 259 bytes
[+] Module3.bas word/vbaProject.bin VBA/Module3 4074 bytes
exe-pattern create-ole
[+] Module1.bas word/vbaProject.bin VBA/Module1 974 bytes
handle-file obfuscated open-file write-file
[+] Module2.bas word/vbaProject.bin VBA/Module2 1956 bytes
obfuscated
[+] Module4.bas word/vbaProject.bin VBA/Module4 2988 bytes
create-ole enum-windows obfuscated open-file
Content types
bin
rels
jpg
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator
2
cp:lastModifiedBy
1
cp:revision
2
dcterms:created
2017-05-11T20:49:00Z
dcterms:modified
2017-05-11T20:49:00Z
Application document properties
Template
Normal.dotm
TotalTime
0
Pages
2
Words
1
Characters
6
Application
Microsoft Office Word
DocSecurity
0
Lines
1
Paragraphs
1
ScaleCrop
false
vt:lpstr
Название
vt:i4
1
LinksUpToDate
false
CharactersWithSpaces
6
SharedDoc
false
HyperlinksChanged
false
AppVersion
16.0000
Document languages
Language
Prevalence
ru-ru
3
en-us
1
ar-sa
1
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
1

HeadingPairs
, 1

ZipFileName
[Content_Types].xml

Template
Normal.dotm

ZipRequiredVersion
20

ModifyDate
2017:05:11 20:49:00Z

ZipCRC
0x2d551a4d

Words
1

ScaleCrop
No

RevisionNumber
2

MIMEType
application/vnd.ms-word.document.macroEnabled

ZipBitFlag
0x0006

CreateDate
2017:05:11 20:49:00Z

Lines
1

AppVersion
16.0

ZipUncompressedSize
1504

ZipCompressedSize
400

Characters
6

CharactersWithSpaces
6

DocSecurity
None

ZipModifyDate
1980:01:01 00:00:00

FileType
DOCM

Application
Microsoft Office Word

TotalEditTime
0

ZipCompression
Deflated

Pages
2

Creator
2

FileTypeExtension
docm

Paragraphs
1

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files
15
Uncompressed size
142972
Highest datetime
1980-01-01 00:00:00
Lowest datetime
1980-01-01 00:00:00
Contained files by extension
xml
10
bin
1
jpg
1
Contained files by type
XML
13
Microsoft Office
1
JPG
1
File identification
MD5 9af80fcfc8e2c0c78cdfab84584eafe4
SHA1 5c222168eba4e7567b0399caa9653a90f25c7e5a
SHA256 4c4580f7b858d06afd0eb9505cca1d5a5ae9600682ac485a267335797deb8a6b
ssdeep
1536:i4yqYR100hGSjoemr/3lypPpHSNZetooifW09lZbR73v:cFR10m7Hmj3lypVSNZetookW0P7

File size 73.2 KB ( 74972 bytes )
File type Office Open XML Document
Magic literal
Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.0%)
Word Microsoft Office Open XML Format document (23.9%)
Open Packaging Conventions container (17.8%)
ZIP compressed archive (4.0%)
PrintFox/Pagefox bitmap (var. P) (1.0%)
Tags
obfuscated open-file enum-windows exe-pattern handle-file docx macros write-file create-ole

VirusTotal metadata
First submission 2017-05-12 04:09:04 UTC ( 1 year, 7 months ago )
Last submission 2017-05-12 04:09:04 UTC ( 1 year, 7 months ago )
File names N5OSUHX.docm