SHA256: 65c861a58ff17e389c04f000ddabd5421765dd4bf5aac666e6aa1b4934b15d27
File name: URQTN6370102.doc
Detection ratio: 7 / 57
Analysis date: 2017-07-27 05:17:30 UTC ( 1 year, 6 months ago )
Antivirus Result Update
AegisLab Troj.Downloader.Script!c 20170727
Arcabit HEUR.VBA.Trojan.e 20170727
Kaspersky HEUR:Trojan-Downloader.Script.Generic 20170727
Qihoo-360 virus.office.qexvmc.1090 20170727
TrendMicro W2KM_DLOADR.YYSZC 20170727
TrendMicro-HouseCall W2KM_DLOADR.YYSZC 20170727
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20170727
Ad-Aware 20170727
AhnLab-V3 20170726
Alibaba 20170727
ALYac 20170727
Antiy-AVL 20170727
Avast 20170727
AVG 20170727
Avira (no cloud) 20170726
AVware 20170721
Baidu 20170727
BitDefender 20170727
Bkav 20170726
CAT-QuickHeal 20170726
ClamAV 20170727
CMC 20170727
Comodo 20170727
CrowdStrike Falcon (ML) 20170710
Cylance 20170727
Cyren 20170727
DrWeb 20170727
Emsisoft 20170727
Endgame 20170721
ESET-NOD32 20170727
F-Prot 20170727
F-Secure 20170727
Fortinet 20170727
GData 20170727
Ikarus 20170726
Sophos ML 20170607
Jiangmin 20170727
K7AntiVirus 20170727
K7GW 20170726
Kingsoft 20170727
Malwarebytes 20170727
MAX 20170727
McAfee 20170727
McAfee-GW-Edition 20170726
Microsoft 20170727
eScan 20170727
NANO-Antivirus 20170727
nProtect 20170726
Palo Alto Networks (Known Signatures) 20170727
Panda 20170725
Rising 20170727
SentinelOne (Static ML) 20170718
Sophos AV 20170727
SUPERAntiSpyware 20170726
Symantec 20170726
Symantec Mobile Insight 20170727
Tencent 20170727
TheHacker 20170724
Trustlook 20170727
VBA32 20170725
VIPRE 20170727
ViRobot 20170727
Webroot 20170727
Yandex 20170726
Zillya 20170726
Zoner 20170727
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author: admin
creation_datetime: 2017-07-26 20:51:00
author: admin
title: sdf
page_count: 1
last_saved: 2017-07-26 20:51:00
word_count: 18
revision_number: 2
application_name: Microsoft Office Word
character_count: 18
subject: df
code_page: Cyrillic
template: Normal.dotm
Document summary
byte_count: 79872
company: home
characters_with_spaces: 19
line_count: 18
manager: admin
version: 1048576
paragraph_count: 17
code_page: Cyrillic
OLE Streams
name: Root Entry, type_literal: root, sid: 0, size: 4544, clsid: 00020906-0000-0000-c000-000000000046, clsid_literal: MS Word
name: \x01CompObj, type_literal: stream, sid: 20, size: 114
name: \x05DocumentSummaryInformation, type_literal: stream, sid: 5, size: 4096
name: \x05SummaryInformation, type_literal: stream, sid: 4, size: 4096
name: 1Table, type_literal: stream, sid: 2, size: 7359
name: Data, type_literal: stream, sid: 1, size: 55949
name: Macros/PROJECT, type_literal: stream, sid: 19, size: 470
name: Macros/PROJECTwm, type_literal: stream, sid: 18, size: 98
name: Macros/VBA/EQHon, type_literal: stream, type: macro, sid: 11, size: 7752
name: Macros/VBA/Js3Dme, type_literal: stream, type: macro, sid: 12, size: 8775
name: Macros/VBA/OBAG1, type_literal: stream, type: macro, sid: 13, size: 5024
name: Macros/VBA/ThisDocument, type_literal: stream, type: macro, sid: 8, size: 96289
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, sid: 14, size: 16233
name: Macros/VBA/__SRP_0, type_literal: stream, sid: 16, size: 1976
name: Macros/VBA/__SRP_1, type_literal: stream, sid: 17, size: 198
name: Macros/VBA/__SRP_2, type_literal: stream, sid: 9, size: 532
name: Macros/VBA/__SRP_3, type_literal: stream, sid: 10, size: 156
name: Macros/VBA/dir, type_literal: stream, sid: 15, size: 747
name: WordDocument, type_literal: stream, sid: 3, size: 4148
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 41148 bytes
obfuscated
EQHon.bas Macros/VBA/EQHon 3055 bytes
obfuscated
Js3Dme.bas Macros/VBA/Js3Dme 3593 bytes
OBAG1.bas Macros/VBA/OBAG1 1865 bytes
run-file
ExifTool file metadata
SharedDoc: No
Author: admin
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: admin
HeadingPairs: , 1
Identification: Word 8.0
Template: Normal.dotm
CharCountWithSpaces: 19
Word97: No
LanguageCode: Russian
CompObjUserType: ???????? Microsoft Word 97-2003
ModifyDate: 2017:07:26 19:51:00
Company: home
Title: sdf
Characters: 18
CodePage: Windows Cyrillic
RevisionNumber: 2
MIMEType: application/msword
Words: 18
Lines: 18
CreateDate: 2017:07:26 19:51:00
Bytes: 79872
AppVersion: 16.0
Security: None
Software: Microsoft Office Word
FileType: DOC
TotalEditTime: 0
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 32
Manager: admin
FileTypeExtension: doc
Paragraphs: 17
DocFlags: Has picture, 1Table, ExtChar
Subject: df

Compressed bundles
File identification
MD5 c979aa0c0d62a01acedbf9e455004be2
SHA1 b3fba98c6b5228011aee793d74a558038fd492f7
SHA256 65c861a58ff17e389c04f000ddabd5421765dd4bf5aac666e6aa1b4934b15d27
ssdeep
3072:DlC6zAYG6N53k/VffMLL8Sv3VQnuQXWbrxyP747obRAmrSKi:DlblNFk/tUXp3VkWb1yIY

File size 218.0 KB ( 223232 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: sdf, Subject: df, Author: admin, Template: Normal.dotm, Last Saved By: admin, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jul 25 19:51:00 2017, Last Saved Time/Date: Tue Jul 25 19:51:00 2017, Number of Pages: 1, Number of Words: 18, Number of Characters: 18, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc

VirusTotal metadata
First submission 2017-07-26 20:06:47 UTC ( 1 year, 6 months ago )
Last submission 2017-10-09 16:15:28 UTC ( 1 year, 4 months ago )