SHA256: 6dc15f5bb4b61c9166734134b0b22928f5c02fc1f8128f2561ea36fbba89ce87
File name: Tracking 4981990700-FIB-KTWT.doc
Detection ratio: 4 / 58
Analysis date: 2018-03-19 13:18:30 UTC ( 1 year, 2 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20180319
Baidu VBA.Trojan-Downloader.Agent.cpw 20180319
Rising Macro.Run.d (CLASSIC) 20180319
Zoner Probably W97Obfuscated 20180319
Ad-Aware 20180319
AegisLab 20180319
AhnLab-V3 20180319
Alibaba 20180319
ALYac 20180319
Antiy-AVL 20180319
Avast 20180319
Avast-Mobile 20180319
AVG 20180319
Avira (no cloud) 20180319
AVware 20180319
BitDefender 20180319
Bkav 20180319
CAT-QuickHeal 20180319
ClamAV 20180319
CMC 20180319
Comodo 20180319
CrowdStrike Falcon (ML) 20170201
Cybereason None
Cylance 20180319
Cyren 20180319
DrWeb 20180319
eGambit 20180319
Emsisoft 20180319
Endgame 20180316
ESET-NOD32 20180319
F-Prot 20180319
F-Secure 20180319
Fortinet 20180319
GData 20180319
Ikarus 20180319
Sophos ML 20180121
Jiangmin 20180319
K7AntiVirus 20180319
K7GW 20180319
Kaspersky 20180319
Kingsoft 20180319
Malwarebytes 20180319
MAX 20180319
McAfee 20180319
McAfee-GW-Edition 20180319
Microsoft 20180319
eScan 20180319
NANO-Antivirus 20180319
nProtect 20180319
Palo Alto Networks (Known Signatures) 20180319
Panda 20180318
Qihoo-360 20180319
SentinelOne (Static ML) 20180225
Sophos AV 20180319
SUPERAntiSpyware 20180319
Symantec 20180319
Symantec Mobile Insight 20180311
Tencent 20180319
TheHacker 20180319
TrendMicro-HouseCall 20180319
Trustlook 20180319
VBA32 20180319
VIPRE 20180319
ViRobot 20180319
Webroot 20180319
WhiteArmor 20180223
Yandex 20180319
Zillya 20180316
ZoneAlarm by Check Point 20180319
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
creation_datetime: 2018-03-19 12:32:00
revision_number: 1
author: irfWRPPE
page_count: 1
last_saved: 2018-03-19 12:32:00
template: Normal.dotm
application_name: Microsoft Office Word
character_count: 1
code_page: Latin I
Document summary
line_count: 1
characters_with_spaces: 1
version: 1048576
paragraph_count: 1
code_page: Latin I
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 8128
type_literal: stream, sid: 21, name: \x01CompObj, size: 114
type_literal: stream, sid: 5, name: \x05DocumentSummaryInformation, size: 4096
type_literal: stream, sid: 4, name: \x05SummaryInformation, size: 412
type_literal: stream, sid: 2, name: 1Table, size: 7378
type_literal: stream, sid: 1, name: Data, size: 20436
type_literal: stream, sid: 19, name: Macros/PROJECT, size: 577
type_literal: stream, sid: 20, name: Macros/PROJECTwm, size: 155
type_literal: stream, sid: 18, type: macro (only attributes), name: Macros/VBA/HAvPlSpsGuOYjF, size: 1113
type_literal: stream, sid: 9, type: macro, name: Macros/VBA/SQsuaEq, size: 2880
type_literal: stream, sid: 10, type: macro, name: Macros/VBA/VZCDwIj, size: 9402
type_literal: stream, sid: 17, name: Macros/VBA/_VBA_PROJECT, size: 45463
type_literal: stream, sid: 11, name: Macros/VBA/__SRP_0, size: 1386
type_literal: stream, sid: 12, name: Macros/VBA/__SRP_1, size: 118
type_literal: stream, sid: 13, name: Macros/VBA/__SRP_2, size: 220
type_literal: stream, sid: 14, name: Macros/VBA/__SRP_3, size: 66
type_literal: stream, sid: 8, name: Macros/VBA/dir, size: 733
type_literal: stream, sid: 16, type: macro, name: Macros/VBA/pJLJGzVwGw, size: 34507
type_literal: stream, sid: 15, type: macro, name: Macros/VBA/vWbREvYU, size: 57267
type_literal: stream, sid: 3, name: WordDocument, size: 4096
Macros and VBA code streams
[+] vWbREvYU.bas Macros/VBA/vWbREvYU 37030 bytes
obfuscated
[+] pJLJGzVwGw.bas Macros/VBA/pJLJGzVwGw 22706 bytes
obfuscated
[+] VZCDwIj.bas Macros/VBA/VZCDwIj 5708 bytes
obfuscated
[+] SQsuaEq.bas Macros/VBA/SQsuaEq 1319 bytes
create-ole obfuscated run-file
ExifTool file metadata
SharedDoc
No

Author
irfWRPPE

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
1

CreateDate
2018:03:19 11:32:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2018:03:19 11:32:00

Characters
1

CodePage
Windows Latin 1 (Western European)

RevisionNumber
1

MIMEType
application/msword

Words
0

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 dd27429900aeb1ddaedfc1368870232b
SHA1 9188b7201bbce37cd2c5a1c7b557c2205cc2b732
SHA256 6dc15f5bb4b61c9166734134b0b22928f5c02fc1f8128f2561ea36fbba89ce87
ssdeep
3072:NHiqkTurCygAWbFkxQfy7V7aNrnSFkkiGhg:NLr7gTbFkxjErS6kiG

File size 197.5 KB ( 202240 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: irfWRPPE, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sun Mar 18 11:32:00 2018, Last Saved Time/Date: Sun Mar 18 11:32:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc create-ole

VirusTotal metadata
First submission 2018-03-19 13:18:30 UTC ( 1 year, 2 months ago )
Last submission 2018-04-18 02:10:31 UTC ( 1 year, 1 month ago )
File names Express 1280336178-XZLL-FXOC.doc
Tracking 44465138394-XZM-INOF.doc
Number 96782106141-IIJE-XOV.doc
Tracking-00138231-KO-TWQM.doc
01171-SRG-QNTO.doc
Number 334884172-YD-PQX.doc
46093870395-QQI-FSWSI.doc
Number 244154014-DW-YNQD.doc
433667340-QPBK-VGTH.doc
9330325-BGU-BOJD.doc
Number 44932558759-PYSK-PPKT.doc
Tracking 350171335-PG-ONZE.doc
Express 80646-BZNA-GET.doc
83877605669-CD-JUSMY.doc
Number 226853900-AAWY-TQHMP.doc
7995765-IU-ZPPPO.doc
Number 67971-USRW-VAFLO.doc
Tracking-89843-GFSB-MBRBU.doc
Tracking-6655803-ZE-TWF.doc
Tracking-317044365-XGB-SJF.doc
Tracking 07838541-YHXG-UBC.doc
353047-CQQU-VHG.doc
Tracking 490031-CGB-IYJW.doc
Express 00324310893-UMD-DNUH.doc
5609407885-RRU-JHWR.doc