SHA256: 89cdf68a65bc1bc227ac696ef9e8e74a654319518f84428ca71d1bce270a661e
File name: RE-2017-12-12-00775.doc
Detection ratio: 12 / 59
Analysis date: 2017-12-12 12:05:54 UTC ( 1 year, 3 months ago )
Antivirus Result Update
AegisLab Vba.Gen!c 20171212
Avira (no cloud) W97M/Agent.1914915 20171212
Baidu VBA.Trojan-Downloader.Agent.bpu 20171212
F-Secure Trojan-Downloader:W97M/Dridex.R 20171212
Ikarus Win32.Outbreak 20171212
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20171212
Panda W97M/Downloader.OFA 20171211
Qihoo-360 virus.office.obfuscated.1 20171212
Rising Downloader.VBA/Donoff!1.AF1A (CLASSIC) 20171212
TrendMicro HEUR_VBA.O2 20171212
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20171212
Zoner Probably W97Downloader 20171212
Ad-Aware 20171212
AhnLab-V3 20171212
Alibaba 20171212
ALYac 20171212
Antiy-AVL 20171212
Arcabit 20171212
Avast 20171212
Avast-Mobile 20171211
AVG 20171212
AVware 20171212
BitDefender 20171212
Bkav 20171211
CAT-QuickHeal 20171212
ClamAV 20171212
CMC 20171212
Comodo 20171212
CrowdStrike Falcon (ML) 20171016
Cybereason None
Cylance 20171212
Cyren 20171212
DrWeb 20171212
eGambit 20171212
Emsisoft 20171212
Endgame 20171130
ESET-NOD32 20171212
F-Prot 20171212
Fortinet 20171212
GData 20171212
Sophos ML 20170914
Jiangmin 20171211
K7AntiVirus 20171212
K7GW 20171212
Kaspersky 20171212
Kingsoft 20171212
Malwarebytes 20171212
MAX 20171212
McAfee 20171212
McAfee-GW-Edition 20171212
Microsoft 20171212
eScan 20171212
nProtect 20171212
Palo Alto Networks (Known Signatures) 20171212
SentinelOne (Static ML) 20171207
Sophos AV 20171212
SUPERAntiSpyware 20171212
Symantec 20171212
Symantec Mobile Insight 20171207
Tencent 20171212
TheHacker 20171210
TrendMicro-HouseCall 20171212
Trustlook 20171212
VBA32 20171212
VIPRE 20171212
ViRobot 20171212
Webroot 20171212
WhiteArmor 20171204
Yandex 20171211
Zillya 20171211
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May try to run other files, shell commands or applications.
May create OLE objects.
May enumerate open windows.
Seems to contain deobfuscation code.
Summary
last_author
1
creation_datetime
2017-12-12 11:54:00
revision_number
2
author
1
page_count
1
last_saved
2017-12-12 11:54:00
word_count
42
template
Normal.dotm
application_name
Microsoft Office Word
character_count
241
code_page
Cyrillic
Document summary
byte_count
148480
characters_with_spaces
282
content_status
Microsoft.XMLHTTPMATCHAdodb.streaMMATCHshell.ApplicationMATCHWscript.shellMATCHProcessMATCHGeTMATCHTeMPMATCHTypeMATCHopenMATCHwriteMATCHresponseBodyMATCHsavetofileMATCH\\dilaryi.exe
line_count
2
version
1048576
paragraph_count
1
code_page
Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
13376
type_literal
stream
sid
26
name
\x01CompObj
size
114
type_literal
stream
sid
4
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
3
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
1
name
1Table
size
9728
type_literal
stream
sid
24
name
Macros/PROJECT
size
659
type_literal
stream
sid
25
name
Macros/PROJECTwm
size
143
type_literal
stream
sid
9
name
Macros/RDM/\x01CompObj
size
97
type_literal
stream
sid
10
name
Macros/RDM/\x03VBFrame
size
288
type_literal
stream
sid
7
name
Macros/RDM/f
size
675
type_literal
stream
sid
8
name
Macros/RDM/o
size
672
type_literal
stream
sid
14
type
macro
name
Macros/VBA/Class0
size
3717
type_literal
stream
sid
15
type
macro
name
Macros/VBA/Class2
size
4602
type_literal
stream
sid
16
type
macro
name
Macros/VBA/Module1
size
23540
type_literal
stream
sid
17
type
macro
name
Macros/VBA/Module2
size
13039
type_literal
stream
sid
13
type
macro (only attributes)
name
Macros/VBA/RDM
size
1168
type_literal
stream
sid
22
type
macro
name
Macros/VBA/ThisDocument
size
1974
type_literal
stream
sid
23
name
Macros/VBA/_VBA_PROJECT
size
8442
type_literal
stream
sid
18
name
Macros/VBA/__SRP_0
size
1758
type_literal
stream
sid
19
name
Macros/VBA/__SRP_1
size
122
type_literal
stream
sid
20
name
Macros/VBA/__SRP_2
size
448
type_literal
stream
sid
21
name
Macros/VBA/__SRP_3
size
187
type_literal
stream
sid
12
name
Macros/VBA/dir
size
942
type_literal
stream
sid
2
name
WordDocument
size
71808
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 234 bytes
[+] Class2.cls Macros/VBA/Class2 1596 bytes
obfuscated
[+] Module2.bas Macros/VBA/Module2 5947 bytes
create-ole enum-windows obfuscated
[+] Class0.cls Macros/VBA/Class0 1463 bytes
[+] Module1.bas Macros/VBA/Module1 12869 bytes
create-ole obfuscated open-file run-file write-file
ExifTool file metadata
SharedDoc
No

Author
1

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
1

HeadingPairs
, 1

Template
Normal.dotm

CharCountWithSpaces
282

CreateDate
2017:12:12 10:54:00

CompObjUserType
???????? Microsoft Word 97-2003

ModifyDate
2017:12:12 10:54:00

Characters
241

CodePage
Windows Cyrillic

RevisionNumber
2

MIMEType
application/msword

Words
42

Bytes
148480

FileType
DOC

Lines
2

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

Compressed bundles
File identification
MD5 95ca5b59253b290b8b9a2c95b0a69141
SHA1 05c26aae931b494187fc309cd3118ab3d2e743a6
SHA256 89cdf68a65bc1bc227ac696ef9e8e74a654319518f84428ca71d1bce270a661e
ssdeep
3072:Sy6+FlvvgFsvoJF54+5Ooiq+dyNWbVbgvOzRPXlG/9gVrFBPBUgn+ARXFr:Sy6+fvYGCF7niuNWzZB+ANp

File size 157.0 KB ( 160768 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dotm, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 11 10:54:00 2017, Last Saved Time/Date: Mon Dec 11 10:54:00 2017, Number of Pages: 1, Number of Words: 42, Number of Characters: 241, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated open-file enum-windows doc run-file macros attachment write-file create-ole

VirusTotal metadata
First submission 2017-12-12 11:29:31 UTC ( 1 year, 3 months ago )
Last submission 2017-12-22 10:43:54 UTC ( 1 year, 3 months ago )
File names RE-2017-12-12-00582.doc
413073a6263659495d367fb960e8df563c6d4af8
RE-2017-12-12-00775.doc
95ca5b59253b290b8b9a2c95b0a69141.05c26aae931b494187fc309cd3118ab3d2e743a6
1007-05c26aae931b494187fc309cd3118ab3d2e743a6
RE-2017-12-12-00152.doc
RE-2017-12-12-00733.doc
RE-2017-12-12-00148.doc