× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 4f7316cabb6f4298a992e560c71c43ab120d82fac8024ce5befb39d48dfae540
File name: IRS_Tax_Account_Transcript_doc.bin
Detection ratio: 21 / 59
Analysis date: 2018-12-05 23:27:59 UTC ( 1 month, 2 weeks ago ) View latest
Antivirus Result Update
Ad-Aware VB:Trojan.Agent.DKVN 20181205
Arcabit HEUR.VBA.Trojan.e 20181205
BitDefender VB:Trojan.Agent.DKVN 20181205
Emsisoft Trojan-Downloader.Macro.Generic.L (A) 20181205
Endgame malicious (high confidence) 20181108
ESET-NOD32 VBA/TrojanDownloader.Agent.LQM 20181205
F-Secure VB:Trojan.Agent.DKVN 20181205
Fortinet VBA/Agent.C997!tr.dldr 20181205
GData Macro.Trojan-Downloader.Shallow.S 20181205
Ikarus Trojan.VBA.Agent 20181205
MAX malware (ai score=86) 20181206
McAfee-GW-Edition BehavesLike.Downloader.cg 20181205
Microsoft Trojan:O97M/Sonbokli.A!cl 20181205
eScan VB:Trojan.Agent.DKVN 20181205
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20181205
SentinelOne (Static ML) static engine - malicious 20181011
Symantec ISB.Downloader!gen172 20181205
TACHYON Suspicious/W97M.Obfus.Gen.6 20181205
Tencent Heur.Macro.Generic.Gen.h 20181206
ZoneAlarm by Check Point UDS:DangerousObject.Multi.Generic 20181205
Zoner Probably W97Obfuscated 20181205
AegisLab 20181205
AhnLab-V3 20181205
Alibaba 20180921
ALYac 20181205
Antiy-AVL 20181205
Avast 20181205
Avast-Mobile 20181205
AVG 20181205
Avira (no cloud) 20181205
Babable 20180918
Baidu 20181205
Bkav 20181205
CAT-QuickHeal 20181205
ClamAV 20181205
CMC 20181205
Comodo 20181205
CrowdStrike Falcon (ML) 20180202
Cybereason 20180308
Cylance 20181206
Cyren 20181205
DrWeb 20181205
eGambit 20181206
F-Prot 20181205
Sophos ML 20181128
Jiangmin 20181205
K7AntiVirus 20181205
K7GW 20181205
Kaspersky 20181205
Kingsoft 20181206
Malwarebytes 20181205
McAfee 20181205
Palo Alto Networks (Known Signatures) 20181206
Panda 20181205
Qihoo-360 20181206
Rising 20181205
Sophos AV 20181205
SUPERAntiSpyware 20181205
Symantec Mobile Insight 20181204
TheHacker 20181202
Trapmine 20181205
TrendMicro 20181205
TrendMicro-HouseCall 20181205
Trustlook 20181206
VBA32 20181205
VIPRE 20181205
ViRobot 20181205
Webroot 20181206
Yandex 20181204
Zillya 20181204
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2018-12-05 20:23:00
revision_number
1
page_count
1
word_count
5
last_saved
2018-12-05 20:23:00
template
Normal.dotm
application_name
Microsoft Office Word
character_count
33
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
37
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
3008
type_literal
stream
sid
17
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
2
name
1Table
size
9344
type_literal
stream
sid
1
name
Data
size
81766
type_literal
stream
sid
16
name
Macros/PROJECT
size
400
type_literal
stream
sid
15
name
Macros/PROJECTwm
size
41
type_literal
stream
sid
11
name
Macros/VBA/_VBA_PROJECT
size
8121
type_literal
stream
sid
13
name
Macros/VBA/__SRP_0
size
1194
type_literal
stream
sid
14
name
Macros/VBA/__SRP_1
size
102
type_literal
stream
sid
9
name
Macros/VBA/__SRP_2
size
304
type_literal
stream
sid
10
name
Macros/VBA/__SRP_3
size
103
type_literal
stream
sid
12
name
Macros/VBA/dir
size
515
type_literal
stream
sid
8
type
macro
name
Macros/VBA/vVkjwkvSXMdL
size
13560
type_literal
stream
sid
3
name
WordDocument
size
5166
Macros and VBA code streams
[+] vVkjwkvSXMdL.cls Macros/VBA/vVkjwkvSXMdL 7187 bytes
obfuscated run-file
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
37

CreateDate
2018:12:05 19:23:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2018:12:05 19:23:00

Characters
33

CodePage
Windows Latin 1 (Western European)

RevisionNumber
1

MIMEType
application/msword

Words
5

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 886f10c6cefd2711c078e23be17a1ac2
SHA1 f92003acf744a01a2fceddab9ac79826f32e8fda
SHA256 4f7316cabb6f4298a992e560c71c43ab120d82fac8024ce5befb39d48dfae540
ssdeep
1536:WFR81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9wq60WflV:88GhDS0o9zTGOZD6EbzCd7QV

File size 136.1 KB ( 139392 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 04 19:23:00 2018, Last Saved Time/Date: Tue Dec 04 19:23:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 33, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc

VirusTotal metadata
First submission 2018-12-05 22:33:05 UTC ( 1 month, 2 weeks ago )
Last submission 2018-12-06 03:24:16 UTC ( 1 month, 2 weeks ago )
File names emotet_e2_4f7316cabb6f4298a992e560c71c43ab120d82fac8024ce5befb39d48dfae540_2018-12-06__00:30:03.doc
IRS_Tax_Account_Transcript_doc.bin
Customer No 0309976.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!