SHA256: 71c76d5248f0a8cfb4c9c3b82e358eff0f6aba9619023e55f530825d71417336
File name: OFCOM_REN04_20150715_0976659.docm
Detection ratio: 37 / 56
Analysis date: 2016-05-04 16:06:27 UTC ( 1 year, 1 month ago )
Antivirus Result Update
Ad-Aware w97m.Downloader.WP 20160504
AhnLab-V3 W97M/Downloader 20160504
Antiy-AVL Trojan[Downloader]/MSWord.Agent.qh 20160504
Arcabit HEUR.VBA.Trojan.d 20160504
Avast VBA:Downloader-JN [Trj] 20160504
AVG W97M/Generic 20160504
Avira (no cloud) W97M/Adnel.101376 20160504
AVware LooksLike.Macro.Malware.g (v) 20160504
Baidu VBA.Trojan-Downloader.Agent.gn 20160504
BitDefender w97m.Downloader.WP 20160504
CAT-QuickHeal O97M.Dropper.GO 20160504
Comodo UnclassifiedMalware 20160504
Cyren PP97M/Donoff 20160504
DrWeb W97M.DownLoader.541 20160504
Emsisoft w97m.Downloader.WP (B) 20160503
ESET-NOD32 VBA/TrojanDownloader.Agent.ZN 20160504
F-Prot New or modified PP97M/Donoff 20160504
F-Secure Trojan:W97M/MaliciousMacro.GEN 20160504
Fortinet WM/Agent!tr 20160504
GData w97m.Downloader.WP 20160504
Ikarus Trojan-Downloader.VBA.Agent 20160504
Jiangmin WM/Downloader.Agent.qe 20160504
Kaspersky Trojan-Downloader.MSWord.Agent.qh 20160504
McAfee W97M/Downloader.all 20160504
McAfee-GW-Edition W97M/Downloader.all 20160504
Microsoft TrojanDownloader:O97M/Donoff 20160504
eScan w97m.Downloader.WP 20160504
NANO-Antivirus Trojan.Script.PDF.dzxkwm 20160504
nProtect w97m.Downloader.WP 20160504
Panda W97M/Downloader 20160504
Rising Heur.Macro.Downloader.e 20160504
Sophos Troj/DocDl-WH 20160504
Symantec W97M.Downloader 20160504
Tencent Word.Trojan-downloader.Agent.Aiid 20160504
TrendMicro W2KM_DRIDEX.SYN 20160504
TrendMicro-HouseCall W2KM_DRIDEX.SYN 20160504
VIPRE LooksLike.Macro.Malware.g (v) 20160504
AegisLab 20160504
Alibaba 20160504
ALYac 20160504
Baidu-International 20160504
Bkav 20160504
ClamAV 20160504
CMC 20160504
K7AntiVirus 20160504
K7GW 20160504
Kingsoft 20160504
Malwarebytes 20160504
Qihoo-360 20160504
SUPERAntiSpyware 20160504
TheHacker 20160503
TotalDefense 20160504
VBA32 20160504
ViRobot 20160504
Yandex 20160502
Zillya 20160504
Zoner 20160504
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May copy a file.
May create additional files.
May attempt to create directories.
May create OLE objects.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 83 bytes
[+] Module2.bas word/vbaProject.bin VBA/Module2 10066 bytes
copy-file create-file obfuscated open-file
[+] Module1.bas word/vbaProject.bin VBA/Module1 2686 bytes
copy-file
[+] Module3.bas word/vbaProject.bin VBA/Module3 23403 bytes
copy-file create-dir create-ole handle-file obfuscated open-file write-file
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
creator 1
lastModifiedBy 1
revision 5
created 2015-08-05T06:26:00Z
modified 2015-08-05T06:29:00Z
Application document properties
Template Normal
TotalTime 2
Pages 1
Words 0
Characters 0
Application Microsoft Office Word
DocSecurity 0
Lines 1
Paragraphs 1
ScaleCrop false
Company Home
LinksUpToDate false
CharactersWithSpaces 0
SharedDoc false
HyperlinksChanged false
AppVersion 12.0000
Document languages
Language Prevalence
ru-ru 2
ar-sa 1
ExifTool file metadata
SharedDoc No
HyperlinksChanged No
LinksUpToDate No
LastModifiedBy 1
Application Microsoft Office Word
ZipFileName [Content_Types].xml
Template Normal
CreateDate 2015:08:05 06:26:00Z
ZipRequiredVersion 20
ModifyDate 2015:08:05 06:29:00Z
ZipCRC 0xc1a32581
Company Home
Words 0
ScaleCrop No
RevisionNumber 5
MIMEType application/vnd.ms-word.document.macroEnabled
ZipBitFlag 0x0006
FileType DOCM
Lines 1
AppVersion 12.0
ZipUncompressedSize 1453
ZipCompressedSize 406
Characters 0
CharactersWithSpaces 0
DocSecurity None
ZipModifyDate 1980:01:01 00:00:00
HeadingPairs , 1
TotalEditTime 2 minutes
ZipCompression Deflated
Pages 1
Creator 1
FileTypeExtension docm
Paragraphs 1

The file being studied is a compressed stream. Details about the compressed contents follow.
Contained files
Compression metadata
Contained files 14
Uncompressed size 115574
Highest datetime 1980-01-01 00:00:00
Lowest datetime 1980-01-01 00:00:00
Contained files by extension
xml 10
bin 1
Contained files by type
XML 13
Microsoft Office 1
File identification
MD5 75a3d508f389e3679815cd67f625330a
SHA1 bd15179ec52f08b7528c891cec93719b50284366
SHA256 71c76d5248f0a8cfb4c9c3b82e358eff0f6aba9619023e55f530825d71417336
ssdeep 1536:Mp7iikI2g/DqS8mpLv14m8Rz5NfzfL0I2MaWWTt:Mp7MiOStv147Rz55zfHETt

File size 48.5 KB ( 49696 bytes )
File type Office Open XML Document
Magic literal Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (59.4%)
Word Microsoft Office Open XML Format document (36.0%)
ZIP compressed archive (4.5%)
Tags
obfuscated open-file create-dir handle-file copy-file create-file docx macros attachment write-file create-ole

VirusTotal metadata
First submission 2015-08-05 07:28:35 UTC ( 1 year, 10 months ago )
Last submission 2015-08-10 19:28:52 UTC ( 1 year, 10 months ago )
File names 7bc952b2d6898226cc9a5409be20fad3
1-OFCOM_REN04_20150715_0976659.docm
OFCOM_REN04_20150715_0976659.docm