× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 4ee8e43085eaef3a6b0c2a69a161ca5f6ee547d8a31d2980f1ddd50a88673a45
File name: emotet_e2_4ee8e43085eaef3a6b0c2a69a161ca5f6ee547d8a31d2980f1ddd50...
Detection ratio: 22 / 60
Analysis date: 2018-12-05 05:39:12 UTC ( 1 month, 2 weeks ago ) View latest
Antivirus Result Update
Ad-Aware VB:Trojan.VBA.Agent.ABR 20181205
Arcabit HEUR.VBA.Trojan.e 20181205
BitDefender VB:Trojan.VBA.Agent.ABR 20181205
Emsisoft VB:Trojan.VBA.Agent.ABR (B) 20181205
Endgame malicious (high confidence) 20181108
ESET-NOD32 VBA/TrojanDownloader.Agent.LQE 20181205
F-Secure VB:Trojan.Agent.DKSU 20181204
Fortinet VBA/Agent.LPT!tr.dldr 20181205
GData Macro.Trojan-Downloader.Shallow.S 20181204
Ikarus Trojan.VBA.Agent 20181204
MAX malware (ai score=89) 20181205
McAfee W97M/Downloader.ga 20181204
McAfee-GW-Edition BehavesLike.Downloader.cg 20181204
Microsoft Trojan:O97M/Vigorf.A 20181204
eScan VB:Trojan.VBA.Agent.ABR 20181205
Qihoo-360 virus.office.qexvmc.1075 20181205
SentinelOne (Static ML) static engine - malicious 20181011
Symantec Trojan.Gen.2 20181205
TACHYON Suspicious/W97M.Obfus.Gen.6 20181204
Tencent Heur.Macro.Generic.Gen.h 20181205
ZoneAlarm by Check Point UDS:DangerousObject.Multi.Generic 20181205
Zoner Probably W97Obfuscated 20181205
AegisLab 20181205
AhnLab-V3 20181204
Alibaba 20180921
ALYac 20181205
Antiy-AVL 20181205
Avast 20181205
Avast-Mobile 20181204
AVG 20181205
Avira (no cloud) 20181205
Babable 20180918
Baidu 20181204
Bkav 20181203
CAT-QuickHeal 20181204
ClamAV 20181203
CMC 20181204
Comodo 20181205
CrowdStrike Falcon (ML) 20181022
Cybereason 20180225
Cylance 20181205
Cyren 20181205
DrWeb 20181205
eGambit 20181205
F-Prot 20181205
Sophos ML 20181128
Jiangmin 20181204
K7AntiVirus 20181204
K7GW 20181204
Kaspersky 20181204
Kingsoft 20181205
Malwarebytes 20181204
NANO-Antivirus 20181205
Palo Alto Networks (Known Signatures) 20181205
Panda 20181204
Rising 20181205
Sophos AV 20181205
SUPERAntiSpyware 20181128
Symantec Mobile Insight 20181204
TheHacker 20181202
TotalDefense 20181205
Trapmine 20181128
TrendMicro 20181205
TrendMicro-HouseCall 20181205
Trustlook 20181205
VBA32 20181204
VIPRE None
ViRobot 20181205
Webroot 20181205
Yandex 20181204
Zillya 20181204
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2018-12-04 23:37:00
revision_number
1
page_count
1
word_count
5
last_saved
2018-12-04 23:37:00
template
Normal.dotm
application_name
Microsoft Office Word
character_count
34
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
38
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
2944
type_literal
stream
sid
17
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
2
name
1Table
size
9318
type_literal
stream
sid
1
name
Data
size
81766
type_literal
stream
sid
16
name
Macros/PROJECT
size
390
type_literal
stream
sid
15
name
Macros/PROJECTwm
size
35
type_literal
stream
sid
11
name
Macros/VBA/_VBA_PROJECT
size
9627
type_literal
stream
sid
13
name
Macros/VBA/__SRP_0
size
1192
type_literal
stream
sid
14
name
Macros/VBA/__SRP_1
size
102
type_literal
stream
sid
9
name
Macros/VBA/__SRP_2
size
304
type_literal
stream
sid
10
name
Macros/VBA/__SRP_3
size
103
type_literal
stream
sid
12
name
Macros/VBA/dir
size
510
type_literal
stream
sid
8
type
macro
name
Macros/VBA/jiQRQjsicS
size
14604
type_literal
stream
sid
3
name
WordDocument
size
5166
Macros and VBA code streams
[+] jiQRQjsicS.cls Macros/VBA/jiQRQjsicS 9037 bytes
obfuscated run-file
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
38

CreateDate
2018:12:04 22:37:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2018:12:04 22:37:00

Characters
34

CodePage
Windows Latin 1 (Western European)

RevisionNumber
1

MIMEType
application/msword

Words
5

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 34e564d74b4dcc57220b4668b1554cc5
SHA1 06e4e336a43704f15e46ffdb4f5f6728c707a6c5
SHA256 4ee8e43085eaef3a6b0c2a69a161ca5f6ee547d8a31d2980f1ddd50a88673a45
ssdeep
1536:181ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9wEWeafGL8w5CV+9:18GhDS0o9zTGOZD6EbzCdXW2YjW

File size 137.8 KB ( 141056 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 03 22:37:00 2018, Last Saved Time/Date: Mon Dec 03 22:37:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 34, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc

VirusTotal metadata
First submission 2018-12-05 01:19:43 UTC ( 1 month, 2 weeks ago )
Last submission 2018-12-05 05:39:12 UTC ( 1 month, 2 weeks ago )
File names emotet_e2_4ee8e43085eaef3a6b0c2a69a161ca5f6ee547d8a31d2980f1ddd50a88673a45_2018-12-05__03:20:02.doc
Record of Account Transcript.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!