SHA256: 557f761f59fb14c02d53c0336906eab0b2f5d1fed50178b169971e7302d847d7
File name: attachment20170823-17020-5y3sht.doc
Detection ratio: 4 / 60
Analysis date: 2017-08-23 10:27:06 UTC ( 1 year, 5 months ago )
Antivirus Result Update
Baidu VBA.Trojan-Downloader.Agent.bvj 20170823
Ikarus Win32.Outbreak 20170823
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170823
Qihoo-360 virus.office.qexvmc.1095 20170823
Ad-Aware 20170823
AegisLab 20170823
AhnLab-V3 20170823
Alibaba 20170823
ALYac 20170823
Antiy-AVL 20170823
Arcabit 20170823
Avast 20170823
AVG 20170823
Avira (no cloud) 20170823
AVware 20170823
BitDefender 20170823
Bkav 20170823
CAT-QuickHeal 20170823
ClamAV 20170823
CMC 20170823
Comodo 20170823
CrowdStrike Falcon (ML) 20170804
Cylance 20170823
Cyren 20170823
DrWeb 20170823
Emsisoft 20170823
Endgame 20170821
ESET-NOD32 20170823
F-Prot 20170823
F-Secure 20170823
Fortinet 20170823
GData 20170823
Sophos ML 20170822
Jiangmin 20170823
K7AntiVirus 20170823
K7GW 20170821
Kaspersky 20170823
Kingsoft 20170823
Malwarebytes 20170823
MAX 20170823
McAfee 20170823
McAfee-GW-Edition 20170823
Microsoft 20170823
eScan 20170823
nProtect 20170823
Palo Alto Networks (Known Signatures) 20170823
Panda 20170822
Rising 20170823
SentinelOne (Static ML) 20170806
Sophos AV 20170823
SUPERAntiSpyware 20170823
Symantec 20170823
Symantec Mobile Insight 20170823
Tencent 20170823
TheHacker 20170821
TotalDefense 20170823
TrendMicro 20170823
TrendMicro-HouseCall 20170823
Trustlook 20170823
VBA32 20170823
VIPRE 20170823
ViRobot 20170823
Webroot 20170823
WhiteArmor 20170817
Yandex 20170823
Zillya 20170822
ZoneAlarm by Check Point 20170823
Zoner 20170823
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author: user
creation_datetime: 2017-08-23 08:45:00
revision_number: 3
author: Enpor Support
page_count: 1
last_saved: 2017-08-23 08:45:00
edit_time: 60
word_count: 30
template: Normal
application_name: Microsoft Office Word
character_count: 176
code_page: Cyrillic
Document summary
line_count: 1
characters_with_spaces: 205
version: 786432
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry; type_literal: root; clsid: 00020906-0000-0000-c000-000000000046; clsid_literal: MS Word; sid: 0; size: 8448
name: \x01CompObj; type_literal: stream; sid: 20; size: 121
name: \x05DocumentSummaryInformation; type_literal: stream; sid: 5; size: 4096
name: \x05SummaryInformation; type_literal: stream; sid: 4; size: 4096
name: 1Table; type_literal: stream; sid: 2; size: 7172
name: Data; type_literal: stream; sid: 1; size: 4096
name: Macros/PROJECT; type_literal: stream; sid: 19; size: 608
name: Macros/PROJECTwm; type_literal: stream; sid: 18; size: 95
name: Macros/UserForm1/\x01CompObj; type_literal: stream; sid: 16; size: 97
name: Macros/UserForm1/\x03VBFrame; type_literal: stream; sid: 17; size: 291
name: Macros/UserForm1/f; type_literal: stream; sid: 14; size: 171
name: Macros/UserForm1/o; type_literal: stream; sid: 15; size: 104
name: Macros/VBA/Module1; type_literal: stream; type: macro; sid: 9; size: 5043
name: Macros/VBA/ThisDocument; type_literal: stream; type: macro; sid: 8; size: 1091
name: Macros/VBA/UserForm1; type_literal: stream; type: macro (only attributes); sid: 10; size: 1160
name: Macros/VBA/_VBA_PROJECT; type_literal: stream; sid: 11; size: 3473
name: Macros/VBA/dir; type_literal: stream; sid: 12; size: 841
name: WordDocument; type_literal: stream; sid: 3; size: 4096
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 29 bytes
Module1.bas Macros/VBA/Module1 1749 bytes
obfuscated run-file
ExifTool file metadata
SharedDoc: No
Author: Enpor Support
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: user
HeadingPairs: Title, 1
Identification: Word 8.0
Template: Normal
CharCountWithSpaces: 205
CreateDate: 2017:08:23 07:45:00
Word97: No
LanguageCode: English (US)
CompObjUserType: Microsoft Office Word 97-2003 Document
ModifyDate: 2017:08:23 07:45:00
Characters: 176
CodePage: Windows Cyrillic
RevisionNumber: 3
MIMEType: application/msword
Words: 30
FileType: DOC
Lines: 1
AppVersion: 12.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 1 minute
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 39
FileTypeExtension: doc
Paragraphs: 1
LastPrinted: 0000:00:00 00:00:00
DocFlags: Has picture, 1Table, ExtChar

File identification
MD5 3058ccc4ce12c9cdf952b7ce2cdc257d
SHA1 cc07a4df38680c746f1941736a132982710e96a3
SHA256 557f761f59fb14c02d53c0336906eab0b2f5d1fed50178b169971e7302d847d7
ssdeep 384:ctmWbTczWzTruSFyGcS2rNoRJQpyYi71O5eX0jOR4lOH+WhfsM0gnDCpotQi009n:1z4+SCr1yYi7ESdqOeWn0gkebF

File size 42.0 KB ( 43008 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: Enpor Support, Template: Normal, Last Saved By: user, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Aug 22 07:45:00 2017, Last Saved Time/Date: Tue Aug 22 07:45:00 2017, Number of Pages: 1, Number of Words: 30, Number of Characters: 176, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags obfuscated macros run-file attachment doc

VirusTotal metadata
First submission 2017-08-23 09:02:14 UTC ( 1 year, 5 months ago )
Last submission 2018-05-08 11:30:29 UTC ( 9 months, 2 weeks ago )
File names 3058ccc4ce12c9cdf952b7ce2cdc257d.doc
attachment20170823-17020-5y3sht.doc
Ref72381821.doc
Ref72381821.doc_201708230935v7N9Z9NW005067
557f761f59fb14c02d53c0336906eab0b2f5d1fed50178b169971e7302d847d7.doc.000
Ref72381821.doc
__substg1.0_37010102
cc07a4df38680c746f1941736a132982710e96a3