× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 555f375a68280e8741675857cf6e3620ce754acd058377a65b93640911ab4ec5
File name: emotet_e1_555f375a68280e8741675857cf6e3620ce754acd058377a65b93640...
Detection ratio: 39 / 60
Analysis date: 2019-02-27 01:16:30 UTC ( 1 month, 3 weeks ago ) View latest
Antivirus Result Update
Ad-Aware VB:Trojan.VBA.Agent.AFB 20190227
AhnLab-V3 W97M/Downloader 20190226
ALYac VB:Trojan.VBA.Agent.AFB 20190227
Antiy-AVL Trojan[Downloader]/MSOffice.Agent.mtg 20190227
Arcabit VB:Trojan.VBA.Agent.AFB 20190227
Avast Script:SNH-gen [Trj] 20190227
AVG Script:SNH-gen [Trj] 20190227
Avira (no cloud) VBA/Dldr.Agent.vzbqx 20190226
BitDefender VB:Trojan.VBA.Agent.AFB 20190227
CAT-QuickHeal W97M.Downloader.34299 20190225
ClamAV Doc.Downloader.Emotet-6861363-0 20190226
Cyren W97M/Agent.A 20190227
Emsisoft VB:Trojan.VBA.Agent.AFB (B) 20190227
Endgame malicious (high confidence) 20190215
ESET-NOD32 VBA/TrojanDownloader.Agent.MTG 20190227
F-Prot W97M/Agent.A 20190227
Fortinet VBA/Agent.DQBD!tr.dldr 20190227
GData Macro.Trojan.Agent.AKS 20190227
Ikarus Trojan-Downloader.VBA.Agent 20190226
K7AntiVirus Trojan ( 00536d111 ) 20190226
K7GW Trojan ( 00536d111 ) 20190227
Kaspersky HEUR:Trojan.MSOffice.SAgent.gen 20190227
MAX malware (ai score=85) 20190227
McAfee W97M/Downloader.gw 20190227
McAfee-GW-Edition BehavesLike.Downloader.dg 20190226
Microsoft TrojanDownloader:O97M/Obfuse.DG 20190227
eScan VB:Trojan.VBA.Agent.AFB 20190227
Panda O97M/Downloader 20190226
Qihoo-360 Win32/Trojan.3b4 20190227
SentinelOne (Static ML) static engine - malicious 20190203
Sophos AV Troj/DocDl-RZV 20190227
Symantec Trojan.Gen.2 20190226
TACHYON Suspicious/W97M.Obfus.Gen.6 20190227
Tencent Win32.Trojan-downloader.Agent.Ljaj 20190227
TrendMicro Trojan.W97M.POWLOAD.TIHAOHBQ 20190227
TrendMicro-HouseCall Trojan.W97M.POWLOAD.TIHAOHBQ 20190227
ViRobot DOC.Z.Agent.289792.X 20190226
ZoneAlarm by Check Point HEUR:Trojan.MSOffice.SAgent.gen 20190227
Zoner Probably W97Obfuscated 20190227
Acronis 20190222
AegisLab 20190227
Alibaba 20180921
Avast-Mobile 20190226
Babable 20180918
Baidu 20190215
Bkav 20190226
CMC 20190226
Comodo 20190227
CrowdStrike Falcon (ML) 20190212
Cybereason 20190109
Cylance 20190227
DrWeb 20190227
eGambit 20190227
F-Secure 20190227
Sophos ML 20181128
Jiangmin 20190227
Kingsoft 20190227
Malwarebytes 20190227
NANO-Antivirus 20190227
Palo Alto Networks (Known Signatures) 20190227
Rising 20190227
SUPERAntiSpyware 20190220
Symantec Mobile Insight 20190220
TheHacker 20190225
TotalDefense 20190226
Trapmine 20190123
Trustlook 20190227
VBA32 20190226
VIPRE 20190226
Webroot 20190227
Yandex 20190226
Zillya 20190226
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to hide the viewer or other applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2019-02-18 11:15:00
revision_number
1
page_count
1
word_count
1
last_saved
2019-02-18 11:15:00
template
Normal.dotm
application_name
Microsoft Office Word
character_count
7
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
7
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
4160
type_literal
stream
sid
18
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
2
name
1Table
size
7518
type_literal
stream
sid
1
name
Data
size
129889
type_literal
stream
sid
17
name
Macros/PROJECT
size
420
type_literal
stream
sid
16
name
Macros/PROJECTwm
size
53
type_literal
stream
sid
8
type
macro (only attributes)
name
Macros/VBA/J7836927
size
1106
type_literal
stream
sid
11
type
macro
name
Macros/VBA/K3__0_9
size
85402
type_literal
stream
sid
12
name
Macros/VBA/_VBA_PROJECT
size
42792
type_literal
stream
sid
14
name
Macros/VBA/__SRP_0
size
1223
type_literal
stream
sid
15
name
Macros/VBA/__SRP_1
size
106
type_literal
stream
sid
9
name
Macros/VBA/__SRP_2
size
220
type_literal
stream
sid
10
name
Macros/VBA/__SRP_3
size
66
type_literal
stream
sid
13
name
Macros/VBA/dir
size
557
type_literal
stream
sid
3
name
WordDocument
size
4096
Macros and VBA code streams
[+] K3__0_9.bas Macros/VBA/K3__0_9 50730 bytes
hide-app obfuscated
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
7

CreateDate
2019:02:18 10:15:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2019:02:18 10:15:00

Characters
7

CodePage
Windows Latin 1 (Western European)

RevisionNumber
1

MIMEType
application/msword

Words
1

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 3295e2acc2f6e81eb30158619bc83341
SHA1 3cb9e6a8e1aaaceccbb2f17cc2b7281e26288365
SHA256 555f375a68280e8741675857cf6e3620ce754acd058377a65b93640911ab4ec5
ssdeep
6144:PG5/BnVfRFJ7KK9aHScdX9znGUEW1ZT+TveVmhjdtSm5:P2n9R/lA5dX9znGUESZTuveWdtSm5

File size 283.0 KB ( 289792 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sun Feb 17 10:15:00 2019, Last Saved Time/Date: Sun Feb 17 10:15:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 7, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros hide-app doc

VirusTotal metadata
First submission 2019-02-18 14:52:40 UTC ( 2 months ago )
Last submission 2019-02-18 22:02:57 UTC ( 2 months ago )
File names emotet_e1_555f375a68280e8741675857cf6e3620ce754acd058377a65b93640911ab4ec5_2019-02-18__145007.doc
PU425524699.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!