× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 4cabdde381330a3d91951513382f05825e9b1329f3133d0d4028279f2a5ff849
File name: bc2176f3c31b8e8482228acbc89579be.doc
Detection ratio: 36 / 60
Analysis date: 2017-12-29 16:55:06 UTC ( 1 year, 3 months ago ) View latest
Antivirus Result Update
Ad-Aware VB:Trojan.Valyria.1126 20171225
AegisLab Troj.Script.Agent!c 20171229
AhnLab-V3 W97M/Downloader 20171229
ALYac VB:Trojan.Valyria.1126 20171229
Antiy-AVL Trojan[Downloader]/MSOffice.Agent.fwk 20171229
Arcabit VB:Trojan.Valyria.D466 20171229
Avast Other:Malware-gen [Trj] 20171229
AVG Other:Malware-gen [Trj] 20171229
Avira (no cloud) VBA/Dldr.Agent.cglkh 20171229
Baidu VBA.Trojan-Downloader.Agent.chs 20171227
BitDefender VB:Trojan.Valyria.1126 20171229
ClamAV Doc.Macro.Obfuscation-6397033-2 20171229
Cyren Trojan.RSWB-9 20171229
DrWeb W97M.DownLoader.2343 20171229
Emsisoft VB:Trojan.Valyria.1126 (B) 20171229
ESET-NOD32 VBA/TrojanDownloader.Agent.FWK 20171229
F-Prot New or modified W97M/Agent 20171229
F-Secure VB:Trojan.Valyria.1126 20171229
Fortinet VBA/Agent.BI!tr 20171229
GData VB:Trojan.Valyria.1126 20171229
Ikarus Trojan-Downloader.VBA.Agent 20171229
Kaspersky HEUR:Trojan.Script.Agent.gen 20171229
McAfee W97M/Downloader.cke 20171229
McAfee-GW-Edition W97M/Downloader.cke 20171229
Microsoft TrojanDownloader:O97M/Donoff 20171229
eScan VB:Trojan.Valyria.1126 20171229
NANO-Antivirus Trojan.Script.ExpKit.ewdptp 20171229
Panda O97M/Downloader 20171229
Qihoo-360 virus.office.qexvmc.1080 20171229
Rising Downloader.Donoff!8.36C (TOPIS:UkDIWyMaSGF) 20171229
Sophos AV Troj/DocDl-LWX 20171229
Symantec W97M.Downloader 20171228
TrendMicro W2KM_POWLOAD.AUSJWF 20171229
TrendMicro-HouseCall W2KM_Powload.SMALYTET 20171229
ViRobot W97M.S.Downloader.176640.A 20171229
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20171229
Alibaba 20171229
Avast-Mobile 20171229
AVware 20171229
Bkav 20171229
CAT-QuickHeal 20171229
CMC 20171229
Comodo 20171228
CrowdStrike Falcon (ML) 20171016
Cybereason None
Cylance 20171229
eGambit 20171229
Endgame 20171130
Sophos ML 20170914
Jiangmin 20171229
K7AntiVirus 20171229
K7GW 20171229
Kingsoft 20171229
Malwarebytes 20171229
MAX 20171229
nProtect 20171229
Palo Alto Networks (Known Signatures) 20171229
SentinelOne (Static ML) 20171224
SUPERAntiSpyware 20171229
Symantec Mobile Insight 20171228
Tencent 20171229
TheHacker 20171229
TotalDefense 20171229
Trustlook 20171229
VBA32 20171229
VIPRE 20171229
Webroot 20171229
WhiteArmor 20171226
Yandex 20171225
Zillya 20171229
Zoner 20171229
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2017-12-14 18:05:00
revision_number
1
author
AHAbwbCZ
page_count
1
last_saved
2017-12-14 18:05:00
word_count
1
template
Normal.dotm
application_name
Microsoft Office Word
character_count
11
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
11
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
3008
type_literal
stream
sid
16
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
412
type_literal
stream
sid
2
name
1Table
size
6967
type_literal
stream
sid
1
name
Data
size
8968
type_literal
stream
sid
15
name
Macros/PROJECT
size
516
type_literal
stream
sid
14
name
Macros/PROJECTwm
size
137
type_literal
stream
sid
10
type
macro
name
Macros/VBA/JVQzTYPzUwTcU
size
35696
type_literal
stream
sid
8
type
macro (only attributes)
name
Macros/VBA/ThisDocument
size
924
type_literal
stream
sid
12
name
Macros/VBA/_VBA_PROJECT
size
12333
type_literal
stream
sid
13
name
Macros/VBA/dir
size
689
type_literal
stream
sid
9
type
macro
name
Macros/VBA/rWMpvVU
size
33332
type_literal
stream
sid
11
type
macro
name
Macros/VBA/zIFOrJcuD
size
57184
type_literal
stream
sid
3
name
WordDocument
size
4096
Macros and VBA code streams
[+] rWMpvVU.bas Macros/VBA/rWMpvVU 18777 bytes
exe-pattern obfuscated run-file
[+] JVQzTYPzUwTcU.bas Macros/VBA/JVQzTYPzUwTcU 20494 bytes
[+] zIFOrJcuD.bas Macros/VBA/zIFOrJcuD 33322 bytes
ExifTool file metadata
SharedDoc
No

Author
AHAbwbCZ

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
11

CreateDate
2017:12:14 18:05:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2017:12:14 18:05:00

Characters
11

CodePage
Windows Latin 1 (Western European)

RevisionNumber
1

MIMEType
application/msword

Words
1

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

Compressed bundles
File identification
MD5 bc2176f3c31b8e8482228acbc89579be
SHA1 5ddcb727e3cb572f30d026993a47a8927bd72b55
SHA256 4cabdde381330a3d91951513382f05825e9b1329f3133d0d4028279f2a5ff849
ssdeep
3072:16WjC+jFN3dDe8O/2y+P6VIXA1kbC1yHL1iPnTN0IP9E/K:YOFN3xAMmiA1kt5ivxo

File size 172.5 KB ( 176640 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: AHAbwbCZ, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Dec 13 18:05:00 2017, Last Saved Time/Date: Wed Dec 13 18:05:00 2017, Number of Pages: 1, Number of Words: 1, Number of Characters: 11, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file exe-pattern doc

VirusTotal metadata
First submission 2017-12-14 18:30:15 UTC ( 1 year, 4 months ago )
Last submission 2017-12-22 16:17:12 UTC ( 1 year, 3 months ago )
File names Outstanding Invoices.doc
Invoice Number 45137.doc
Order Confirmation.doc
CIDUR6-37480648874.doc
Invoice Number 77530.doc
Invoice# 2496600.doc
Invoice# 36336762.doc
Invoice.doc
Invoices Overdue.doc
Final Account.doc
Invoice Number 20743.doc
emotet doc (1)
a14eb8fc43c551d5bbad6d77f681f09132787e26
Invoice Number 895643.doc
Outstanding INVOICE QETI-2332784-700.doc
WNZ1-0340019058.doc
Overdue payment.doc
NYBLN6-0204526487.doc
Please send copy invoice.doc
Invoice Number 85630.doc
Invoices attached.doc
Invoice Number 559463.doc
Sales Invoice.doc
Awaiting for your confirmation.doc
bc2176f3c31b8e8482228acbc89579be.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!