× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 787d923c658f44ec1fb19eb07938a9f09668e2cfdfcdc215f7de9acfcaad9745
File name:
Detection ratio: 18 / 61
Analysis date: 2018-08-02 17:21:40 UTC ( 7 months, 3 weeks ago ) View latest
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20180802
AVware LooksLike.Macro.Malware.k (v) 20180727
CAT-QuickHeal W97M.Downloader.30507 20180802
Emsisoft Trojan-Downloader.Macro.Generic (A) 20180802
Endgame malicious (high confidence) 20180730
Ikarus Trojan-Downloader.VBA.Agent 20180802
K7AntiVirus Trojan ( 00536d111 ) 20180802
K7GW Trojan ( 00536d111 ) 20180802
McAfee W97M/Downloader.dr 20180802
Microsoft Trojan:Script/Cloxer.D!cl 20180802
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20180802
Qihoo-360 virus.office.qexvmc.1085 20180802
Symantec ISB.Downloader!gen131 20180802
TACHYON Suspicious/W97M.Obfus.Gen 20180802
Tencent Heur.Macro.Generic.Gen.f 20180802
TrendMicro HEUR_VBA.O2 20180802
VIPRE LooksLike.Macro.Malware.k (v) 20180802
Zoner Probably W97Obfuscated 20180802
Ad-Aware 20180802
AegisLab 20180802
AhnLab-V3 20180802
Alibaba 20180713
ALYac 20180802
Antiy-AVL 20180802
Avast 20180802
Avast-Mobile 20180802
AVG 20180802
Avira (no cloud) 20180802
Babable 20180725
Baidu 20180802
BitDefender 20180802
Bkav 20180802
ClamAV 20180802
CMC 20180802
Comodo 20180802
CrowdStrike Falcon (ML) 20180723
Cybereason 20180225
Cylance 20180802
Cyren 20180802
DrWeb 20180802
eGambit 20180802
ESET-NOD32 20180802
F-Prot 20180802
F-Secure 20180802
Fortinet 20180802
GData 20180802
Sophos ML 20180717
Jiangmin 20180802
Kaspersky 20180802
Kingsoft 20180802
Malwarebytes 20180802
MAX 20180802
McAfee-GW-Edition 20180802
eScan 20180802
Palo Alto Networks (Known Signatures) 20180802
Panda 20180802
Rising 20180802
SentinelOne (Static ML) 20180701
Sophos AV 20180802
SUPERAntiSpyware 20180802
Symantec Mobile Insight 20180801
TheHacker 20180802
TotalDefense 20180802
TrendMicro-HouseCall 20180802
Trustlook 20180802
VBA32 20180802
ViRobot 20180802
Webroot 20180802
Yandex 20180731
Zillya 20180802
ZoneAlarm by Check Point 20180802
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2018-08-02 15:26:00
revision_number
1
author
AExidyqijumux-PC
page_count
1
last_saved
2018-08-02 15:26:00
template
Normal.dotm
application_name
Microsoft Office Word
character_count
1
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
1
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
5440
type_literal
stream
sid
18
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
420
type_literal
stream
sid
2
name
1Table
size
7766
type_literal
stream
sid
1
name
Data
size
42348
type_literal
stream
sid
16
name
Macros/PROJECT
size
431
type_literal
stream
sid
17
name
Macros/PROJECTwm
size
56
type_literal
stream
sid
13
type
macro
name
Macros/VBA/Bzkmkmua
size
9104
type_literal
stream
sid
14
type
macro
name
Macros/VBA/ZKokHwTq
size
1871
type_literal
stream
sid
15
name
Macros/VBA/_VBA_PROJECT
size
4490
type_literal
stream
sid
9
name
Macros/VBA/__SRP_0
size
1252
type_literal
stream
sid
10
name
Macros/VBA/__SRP_1
size
106
type_literal
stream
sid
11
name
Macros/VBA/__SRP_2
size
292
type_literal
stream
sid
12
name
Macros/VBA/__SRP_3
size
103
type_literal
stream
sid
8
name
Macros/VBA/dir
size
554
type_literal
stream
sid
3
name
WordDocument
size
4096
Macros and VBA code streams
[+] ZKokHwTq.cls Macros/VBA/ZKokHwTq 368 bytes
run-file
[+] Bzkmkmua.bas Macros/VBA/Bzkmkmua 4612 bytes
obfuscated
ExifTool file metadata
SharedDoc
No

Author
AExidyqijumux-PC

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
1

CreateDate
2018:08:02 14:26:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2018:08:02 14:26:00

Characters
1

CodePage
Windows Latin 1 (Western European)

RevisionNumber
1

MIMEType
application/msword

Words
0

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 831803cc2f99b5567af817f5e2c5205d
SHA1 189d4323fc912763b15e164277601a803c8ec721
SHA256 787d923c658f44ec1fb19eb07938a9f09668e2cfdfcdc215f7de9acfcaad9745
ssdeep
1536:dTxjwKZ09cB7y9ghN8+mQ90MTr+a9YMB8iNi5Lvx91:txjnB29gb8onzmiN2

File size 87.5 KB ( 89600 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: AExidyqijumux-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Aug 01 14:26:00 2018, Last Saved Time/Date: Wed Aug 01 14:26:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc

VirusTotal metadata
First submission 2018-08-02 17:21:40 UTC ( 7 months, 3 weeks ago )
Last submission 2018-08-02 17:21:40 UTC ( 7 months, 3 weeks ago )
File names Latest payment.doc
New Address and payment details.doc

DHL_02024011283.doc
DHL_Tracking_8000516153154.doc
Wire transfer info.doc
Tracking_64865353463144.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!