SHA256: 5021e4e92c54684fb05cd1a1a17c53d9cf8f821ebc5ab06767fdab23298c1e47
Detection ratio: 15 / 59
Analysis date: 2017-08-17 11:26:30 UTC ( 1 year, 8 months ago )
Antivirus Result Update
AhnLab-V3 WM/Downloader 20170817
Arcabit HEUR.VBA.Trojan.d 20170817
Avira (no cloud) W2000M/Agent.4758318 20170817
Baidu VBA.Trojan-Downloader.Agent.bpu 20170817
CAT-QuickHeal O97m.Trickbot.A 20170817
Fortinet WM/Agent.AP!tr.dldr 20170817
Kaspersky HEUR:Trojan-Downloader.Script.Generic 20170817
McAfee W97M/Downloader.cfb 20170817
McAfee-GW-Edition W97M/Downloader.cfb 20170817
NANO-Antivirus Trojan.Script.ExpKit.ertduu 20170817
Panda VBS/Jenxcus.A 20170817
Qihoo-360 virus.office.obfuscated.1 20170817
TrendMicro HEUR_VBA.O2 20170817
TrendMicro-HouseCall W2KM_JA.1B2CDC20 20170817
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20170817
Ad-Aware 20170817
AegisLab 20170817
Alibaba 20170817
ALYac 20170817
Antiy-AVL 20170817
Avast 20170817
AVG 20170817
AVware 20170817
BitDefender 20170817
Bkav 20170817
ClamAV 20170817
CMC 20170817
Comodo 20170817
CrowdStrike Falcon (ML) 20170804
Cylance 20170817
Cyren 20170817
DrWeb 20170817
Emsisoft 20170817
Endgame 20170721
ESET-NOD32 20170817
F-Prot 20170817
F-Secure 20170817
GData 20170817
Ikarus 20170817
Sophos ML 20170817
Jiangmin 20170817
K7AntiVirus 20170817
K7GW 20170817
Kingsoft 20170817
Malwarebytes 20170817
MAX 20170817
Microsoft 20170817
eScan 20170817
nProtect 20170817
Palo Alto Networks (Known Signatures) 20170817
Rising 20170817
SentinelOne (Static ML) 20170806
Sophos AV 20170817
SUPERAntiSpyware 20170817
Symantec 20170817
Symantec Mobile Insight 20170816
Tencent 20170817
TheHacker 20170817
Trustlook 20170817
VBA32 20170817
VIPRE 20170817
ViRobot 20170817
Webroot 20170817
WhiteArmor 20170817
Yandex 20170815
Zillya 20170817
Zoner 20170817
The file being studied follows the Open XML file format! More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May create OLE objects.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 1135 bytes
[+] Rape.cls word/vbaProject.bin VBA/Rape 1671 bytes
write-file
[+] Class1.cls word/vbaProject.bin VBA/Class1 7915 bytes
obfuscated
[+] OXIPL.cls word/vbaProject.bin VBA/OXIPL 335 bytes
[+] Module1.bas word/vbaProject.bin VBA/Module1 167 bytes
[+] Module2.bas word/vbaProject.bin VBA/Module2 20179 bytes
create-ole obfuscated open-file write-file
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator
1
cp:lastModifiedBy
1
cp:revision
2
dcterms:created
2017-08-17T10:49:00Z
dcterms:modified
2017-08-17T10:49:00Z
cp:contentStatus
Microsoft.XMLHTTPFURRYAdodb.streaMFURRYshell.ApplicationFURRYWscript.shellFURRYProcessFURRYGeTFURRYTeMPFURRYTypeFURRYopenFURRYwriteFURRYresponseBodyFURRYsavetofileFURRY\\agraba.exe
Application document properties
Template
Normal.dotm
TotalTime
0
Pages
1
Words
0
Characters
0
Application
Microsoft Office Word
DocSecurity
0
Lines
0
Paragraphs
0
ScaleCrop
false
vt:lpstr
Название
vt:i4
1
LinksUpToDate
false
CharactersWithSpaces
0
SharedDoc
false
HyperlinksChanged
false
AppVersion
16.0000
Document languages
Language
Prevalence
ru-ru
2
en-us
1
ar-sa
1
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
1

HeadingPairs
, 1

ZipFileName
[Content_Types].xml

Template
Normal.dotm

ZipRequiredVersion
20

ModifyDate
2017:08:17 10:49:00Z

ZipCRC
0x7aec387e

Words
0

ScaleCrop
No

RevisionNumber
2

MIMEType
application/vnd.ms-word.document.macroEnabled

ZipBitFlag
0x0006

CreateDate
2017:08:17 10:49:00Z

Lines
0

AppVersion
16.0

ZipUncompressedSize
1453

ZipCompressedSize
391

Characters
0

CharactersWithSpaces
0

DocSecurity
None

ZipModifyDate
1980:01:01 00:00:00

FileType
DOCM

Application
Microsoft Office Word

TotalEditTime
0

ZipCompression
Deflated

Pages
1

Creator
1

FileTypeExtension
docm

Paragraphs
0

ContentStatus
Microsoft.XMLHTTPFURRYAdodb.streaMFURRYshell.ApplicationFURRYWscript.shellFURRYProcessFURRYGeTFURRYTeMPFURRYTypeFURRYopenFURRYwriteFURRYresponseBodyFURRYsavetofileFURRY\agraba.exe

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files
14
Uncompressed size
133452
Highest datetime
1980-01-01 00:00:00
Lowest datetime
1980-01-01 00:00:00
Contained files by extension
xml
10
bin
1
Contained files by type
XML
13
Microsoft Office
1
File identification
MD5 4710a1865f88a8bf8990c42af4f2ec18
SHA1 d34901b116838eb24a83c399ba77029667df1cc5
SHA256 5021e4e92c54684fb05cd1a1a17c53d9cf8f821ebc5ab06767fdab23298c1e47
ssdeep
768:/LEaowvPaaRbwOCtPNOcAsOQbe0O7OUl3JvJh/rv2TE6/tKSrLfxl1EpTH:oaowvyaRbHUNbsDlLrL6/nLfxu

File size 48.5 KB ( 49626 bytes )
File type Office Open XML Document
Magic literal
Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.0%)
Word Microsoft Office Open XML Format document (23.9%)
Open Packaging Conventions container (17.8%)
ZIP compressed archive (4.0%)
PrintFox/Pagefox bitmap (var. P) (1.0%)
Tags
obfuscated open-file docx macros attachment write-file create-ole

VirusTotal metadata
First submission 2017-08-17 11:25:13 UTC ( 1 year, 8 months ago )
Last submission 2017-08-25 20:25:11 UTC ( 1 year, 7 months ago )
File names 337280.doc
440130.docx
3d3e78b1f128aed9b54d045228bd2e9773ef2fc2
__substg1.0_37010102
d34901b116838eb24a83c399ba77029667df1cc5
521052.doc_201708171205v7HC58fG006337
784060.doc
446335.doc