SHA256: 8a8696f6b93b30c56d03a47e8efe6c24eb20a530702392378cb20a0e26878242
File name: message_payment283.doc
Detection ratio: 9 / 56
Analysis date: 2017-07-05 14:57:18 UTC ( 1 year, 9 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20170705
Cyren W97M/Agent 20170705
F-Prot New or modified W97M/Agent 20170705
Ikarus Trojan-Downloader.VBA.Agent 20170705
Kaspersky HEUR:Trojan.Script.Agent.gen 20170705
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170705
Qihoo-360 virus.office.qexvmc.1090 20170705
Tencent Macro.Trojan.Dropperx.Auto 20170705
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20170705
Ad-Aware 20170705
AegisLab 20170705
AhnLab-V3 20170705
Alibaba 20170705
ALYac 20170705
Antiy-AVL 20170705
Avast 20170705
AVG 20170705
Avira (no cloud) 20170705
AVware 20170705
Baidu 20170705
BitDefender 20170705
CAT-QuickHeal 20170705
ClamAV 20170705
CMC 20170705
Comodo 20170705
CrowdStrike Falcon (ML) 20170420
DrWeb 20170705
Emsisoft 20170705
Endgame 20170629
ESET-NOD32 20170705
F-Secure 20170705
Fortinet 20170629
GData 20170705
Sophos ML 20170607
Jiangmin 20170705
K7AntiVirus 20170705
K7GW 20170705
Kingsoft 20170705
Malwarebytes 20170705
MAX 20170705
McAfee 20170705
McAfee-GW-Edition 20170704
Microsoft 20170705
eScan 20170705
nProtect 20170705
Palo Alto Networks (Known Signatures) 20170705
Panda 20170705
Rising 20170705
SentinelOne (Static ML) 20170516
Sophos AV 20170705
SUPERAntiSpyware 20170704
Symantec 20170705
Symantec Mobile Insight 20170705
TheHacker 20170704
TrendMicro 20170705
TrendMicro-HouseCall 20170705
Trustlook 20170705
VBA32 20170705
VIPRE 20170705
ViRobot 20170705
Webroot 20170705
WhiteArmor 20170627
Yandex 20170704
Zillya 20170705
Zoner 20170705
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author
user
creation_datetime
2017-07-04 11:12:00
revision_number
3
author
Accounting
page_count
1
last_saved
2017-07-04 11:13:00
edit_time
60
template
Normal
application_name
Microsoft Office Word
character_count
1
code_page
Cyrillic
Document summary
line_count
1
characters_with_spaces
1
version
786432
paragraph_count
1
code_page
Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
12672
type_literal
stream
sid
20
name
\x01CompObj
size
121
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
2
name
1Table
size
7297
type_literal
stream
sid
1
name
Data
size
51935
type_literal
stream
sid
19
name
Macros/PROJECT
size
603
type_literal
stream
sid
18
name
Macros/PROJECTwm
size
95
type_literal
stream
sid
16
name
Macros/UserForm1/\x01CompObj
size
97
type_literal
stream
sid
17
name
Macros/UserForm1/\x03VBFrame
size
291
type_literal
stream
sid
14
name
Macros/UserForm1/f
size
314
type_literal
stream
sid
15
name
Macros/UserForm1/o
size
992
type_literal
stream
sid
9
type
macro
name
Macros/VBA/Module1
size
3260
type_literal
stream
sid
8
type
macro
name
Macros/VBA/ThisDocument
size
1097
type_literal
stream
sid
10
type
macro (only attributes)
name
Macros/VBA/UserForm1
size
1159
type_literal
stream
sid
11
name
Macros/VBA/_VBA_PROJECT
size
3437
type_literal
stream
sid
12
name
Macros/VBA/dir
size
841
type_literal
stream
sid
3
name
WordDocument
size
4096
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 31 bytes
[+] Module1.bas Macros/VBA/Module1 939 bytes
obfuscated run-file
ExifTool file metadata
SharedDoc
No

Author
Accounting

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

LastModifiedBy
user

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal

CharCountWithSpaces
1

CreateDate
2017:07:04 10:12:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Office Word 97-2003 Document

ModifyDate
2017:07:04 10:13:00

Characters
1

CodePage
Windows Cyrillic

RevisionNumber
3

MIMEType
application/msword

Words
0

FileType
DOC

Lines
1

AppVersion
12.0

Security
None

Software
Microsoft Office Word

TotalEditTime
1.0 minutes

Pages
1

ScaleCrop
No

CompObjUserTypeLen
39

FileTypeExtension
doc

Paragraphs
1

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 7e76f23ad672a0340f276ddbb24965e0
SHA1 2261fd7ae7cbcaaf79a88fe9bdcf3843b5cf1bb1
SHA256 8a8696f6b93b30c56d03a47e8efe6c24eb20a530702392378cb20a0e26878242
ssdeep
1536:iFF+FFFFsnXF0FFFF0FFuFFFuFFFFFlFFcvArLcRXWZyUVBzDrm2fF7gi9PcqNAg:vSaf+C2RgUkBg

File size 88.5 KB ( 90624 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: Accounting, Template: Normal, Last Saved By: user, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Jul 03 10:12:00 2017, Last Saved Time/Date: Mon Jul 03 10:13:00 2017, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated macros run-file attachment doc

VirusTotal metadata
First submission 2017-07-05 10:07:11 UTC ( 1 year, 9 months ago )
Last submission 2018-05-04 21:30:09 UTC ( 11 months, 3 weeks ago )
File names 201707051035v65AZ6Gv011745_UTF-8BbWVzc2FnZV9wYXltZW50MjgzLmRvYw
message_payment283.doc.VIR
rYQeu.chm
E_S6tTk5u5.caj
rYio.vsd
virus.doc
_VIRUS_message_payment283.doc
__substg1.0_37010102
D6Z2Kw.xltx
7e76f23ad672a0340f276ddbb24965e0.virobj
message_payment283.doc
c7eddd5bd8618cc8c7c963e5971a4e88.safe