SHA256: 527339f1c1a81f49bff0ff827aedb3ead8b2fbe0470d3af7fe1bb317c5123593
File name: efax42542153_2425.doc
Detection ratio: 5 / 58
Analysis date: 2017-08-16 11:32:12 UTC ( 1 year, 6 months ago )
Antivirus Result Update
ESET-NOD32 a variant of Generik.DKIACLZ 20170816
Ikarus Win32.Outbreak 20170816
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170816
Qihoo-360 virus.office.qexvmc.1090 20170816
Tencent Macro.Trojan.Dropperx.Auto 20170816
Ad-Aware 20170816
AegisLab 20170816
AhnLab-V3 20170816
Alibaba 20170816
ALYac 20170816
Antiy-AVL 20170816
Arcabit 20170816
Avast 20170816
AVG 20170816
Avira (no cloud) 20170816
AVware 20170816
Baidu 20170816
BitDefender 20170816
Bkav 20170816
CAT-QuickHeal 20170816
ClamAV 20170816
CMC 20170816
Comodo 20170816
CrowdStrike Falcon (ML) 20170804
Cylance 20170816
Cyren 20170816
DrWeb 20170816
Emsisoft 20170816
Endgame 20170721
F-Prot 20170816
F-Secure 20170816
Fortinet 20170816
GData 20170816
Sophos ML 20170607
Jiangmin 20170816
K7AntiVirus 20170816
K7GW 20170816
Kaspersky 20170816
Kingsoft 20170816
Malwarebytes 20170816
MAX 20170816
McAfee 20170816
McAfee-GW-Edition 20170816
Microsoft 20170815
eScan 20170816
nProtect 20170816
Palo Alto Networks (Known Signatures) 20170816
Panda 20170816
Rising 20170816
SentinelOne (Static ML) 20170806
Sophos AV 20170816
SUPERAntiSpyware 20170816
Symantec 20170816
Symantec Mobile Insight 20170815
TheHacker 20170816
TrendMicro 20170816
TrendMicro-HouseCall 20170816
Trustlook 20170816
VBA32 20170816
VIPRE 20170816
ViRobot 20170816
Webroot 20170816
WhiteArmor 20170815
Yandex 20170815
Zillya 20170816
ZoneAlarm by Check Point 20170816
Zoner 20170816
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author: user
creation_datetime: 2017-08-16 08:54:00
revision_number: 3
author: user
page_count: 1
last_saved: 2017-08-16 08:55:00
edit_time: 120
template: Normal
application_name: Microsoft Office Word
character_count: 1
code_page: Cyrillic
Document summary
line_count: 1
company: machine
characters_with_spaces: 1
version: 786432
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry; clsid: 00020906-0000-0000-c000-000000000046; type_literal: root; clsid_literal: MS Word; sid: 0; size: 8704
type_literal: stream; sid: 20; name: \x01CompObj; size: 121
type_literal: stream; sid: 5; name: \x05DocumentSummaryInformation; size: 4096
type_literal: stream; sid: 4; name: \x05SummaryInformation; size: 4096
type_literal: stream; sid: 2; name: 1Table; size: 6972
type_literal: stream; sid: 1; name: Data; size: 43881
type_literal: stream; sid: 19; name: Macros/PROJECT; size: 596
type_literal: stream; sid: 18; name: Macros/PROJECTwm; size: 95
type_literal: stream; sid: 16; name: Macros/UserForm1/\x01CompObj; size: 97
type_literal: stream; sid: 17; name: Macros/UserForm1/\x03VBFrame; size: 288
type_literal: stream; sid: 14; name: Macros/UserForm1/f; size: 235
type_literal: stream; sid: 15; name: Macros/UserForm1/o; size: 152
type_literal: stream; sid: 9; type: macro; name: Macros/VBA/Module1; size: 5345
type_literal: stream; sid: 8; type: macro; name: Macros/VBA/ThisDocument; size: 1097
type_literal: stream; sid: 10; type: macro; name: Macros/VBA/UserForm1; size: 1315
type_literal: stream; sid: 11; name: Macros/VBA/_VBA_PROJECT; size: 3493
type_literal: stream; sid: 12; name: Macros/VBA/dir; size: 843
type_literal: stream; sid: 3; name: WordDocument; size: 4096
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 31 bytes
Module1.bas Macros/VBA/Module1 1752 bytes
obfuscated run-file
UserForm1.frm Macros/VBA/UserForm1 35 bytes
ExifTool file metadata
SharedDoc: No
Author: user
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: user
HeadingPairs: Title, 1
Identification: Word 8.0
Template: Normal
CharCountWithSpaces: 1
Word97: No
LanguageCode: English (US)
CompObjUserType: Microsoft Office Word 97-2003 Document
ModifyDate: 2017:08:16 07:55:00
Company: machine
Characters: 1
CodePage: Windows Cyrillic
RevisionNumber: 3
MIMEType: application/msword
Words: 0
CreateDate: 2017:08:16 07:54:00
Lines: 1
AppVersion: 12.0
Security: None
Software: Microsoft Office Word
FileType: DOC
TotalEditTime: 2.0 minutes
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 39
FileTypeExtension: doc
Paragraphs: 1
DocFlags: Has picture, 1Table, ExtChar

File identification
MD5 bc7fdd7e6f4d3298704a13c523e6aaff
SHA1 852b067d630a9d384bae30ad4d78f246266f9935
SHA256 527339f1c1a81f49bff0ff827aedb3ead8b2fbe0470d3af7fe1bb317c5123593
ssdeep
768:SMbW///Pzm8AaT2y8DeQmN+hx/idAhHIPJGwlsB3a1ROockSrVbwywdcx+HtYzKw:SMbWv7m8HTpIjJscwupa1ROfkKVXgjw

File size 81.5 KB ( 83456 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: user, Template: Normal, Last Saved By: user, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Tue Aug 15 07:54:00 2017, Last Saved Time/Date: Tue Aug 15 07:55:00 2017, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated macros run-file attachment doc

VirusTotal metadata
First submission 2017-08-16 09:23:42 UTC ( 1 year, 6 months ago )
Last submission 2018-05-08 12:30:11 UTC ( 9 months, 2 weeks ago )
File names efax42542153_2425.doc
__substg1.0_37010102
binary (25)