× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 8f65dc3068be3457c1e2825298e7bdc6a85339d8a7ea5887f080bb21b661fc1a
File name: Question
Detection ratio: 21 / 60
Analysis date: 2018-12-05 04:27:11 UTC ( 5 months, 2 weeks ago ) View latest
Antivirus Result Update
Ad-Aware VB:Trojan.VBA.Agent.ABR 20181205
Arcabit HEUR.VBA.Trojan.e 20181205
BitDefender VB:Trojan.VBA.Agent.ABR 20181205
Emsisoft VB:Trojan.VBA.Agent.ABR (B) 20181204
Endgame malicious (high confidence) 20181108
ESET-NOD32 VBA/TrojanDownloader.Agent.LQE 20181205
Fortinet VBA/Agent.LPT!tr.dldr 20181204
GData Macro.Trojan-Downloader.Shallow.S 20181204
Ikarus Trojan.VBA.Agent 20181204
MAX malware (ai score=83) 20181205
McAfee W97M/Downloader.ga 20181204
McAfee-GW-Edition BehavesLike.Downloader.cg 20181204
Microsoft Trojan:O97M/Sonbokli.A!cl 20181204
eScan VB:Trojan.VBA.Agent.ABR 20181205
Qihoo-360 virus.office.qexvmc.1075 20181205
SentinelOne (Static ML) static engine - malicious 20181011
Symantec ISB.Downloader!gen172 20181205
TACHYON Suspicious/W97M.Obfus.Gen.6 20181204
Tencent Heur.Macro.Generic.Gen.h 20181205
ZoneAlarm by Check Point UDS:DangerousObject.Multi.Generic 20181205
Zoner Probably W97Obfuscated 20181205
AegisLab 20181205
AhnLab-V3 20181204
Alibaba 20180921
ALYac 20181205
Antiy-AVL 20181205
Avast 20181205
Avast-Mobile 20181204
AVG 20181205
Avira (no cloud) 20181205
Babable 20180918
Baidu 20181204
Bkav 20181203
CAT-QuickHeal 20181204
ClamAV 20181203
CMC 20181204
Comodo 20181204
CrowdStrike Falcon (ML) 20181022
Cybereason 20180225
Cylance 20181205
Cyren 20181204
DrWeb 20181204
eGambit 20181205
F-Prot 20181204
F-Secure 20181204
Sophos ML 20181128
Jiangmin 20181204
K7AntiVirus 20181204
K7GW 20181204
Kaspersky 20181204
Kingsoft 20181205
Malwarebytes 20181204
NANO-Antivirus 20181205
Palo Alto Networks (Known Signatures) 20181205
Panda 20181204
Rising 20181205
Sophos AV 20181205
SUPERAntiSpyware 20181128
Symantec Mobile Insight 20181204
TheHacker 20181202
TotalDefense 20181205
Trapmine 20181128
TrendMicro 20181205
TrendMicro-HouseCall 20181205
Trustlook 20181205
VBA32 20181204
VIPRE 20181204
ViRobot 20181205
Webroot 20181205
Yandex 20181204
Zillya 20181204
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2018-12-04 23:37:00
template
Normal.dotm
page_count
1
last_saved
2018-12-04 23:37:00
word_count
5
revision_number
1
application_name
Microsoft Office Word
character_count
34
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
38
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
2944
type_literal
stream
size
114
name
\x01CompObj
sid
17
type_literal
stream
size
4096
name
\x05DocumentSummaryInformation
sid
5
type_literal
stream
size
4096
name
\x05SummaryInformation
sid
4
type_literal
stream
size
9318
name
1Table
sid
2
type_literal
stream
size
81766
name
Data
sid
1
type_literal
stream
size
390
name
Macros/PROJECT
sid
16
type_literal
stream
size
35
name
Macros/PROJECTwm
sid
15
type_literal
stream
size
9627
name
Macros/VBA/_VBA_PROJECT
sid
11
type_literal
stream
size
1192
name
Macros/VBA/__SRP_0
sid
13
type_literal
stream
size
102
name
Macros/VBA/__SRP_1
sid
14
type_literal
stream
size
304
name
Macros/VBA/__SRP_2
sid
9
type_literal
stream
size
103
name
Macros/VBA/__SRP_3
sid
10
type_literal
stream
size
510
name
Macros/VBA/dir
sid
12
type_literal
stream
size
14604
type
macro
name
Macros/VBA/jiQRQjsicS
sid
8
type_literal
stream
size
5166
name
WordDocument
sid
3
Macros and VBA code streams
[+] jiQRQjsicS.cls Macros/VBA/jiQRQjsicS 9037 bytes
obfuscated run-file
ExifTool file metadata
SharedDoc
No

CodePage
Windows Latin 1 (Western European)

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
38

CreateDate
2018:12:04 22:37:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2018:12:04 22:37:00

ScaleCrop
No

Characters
34

HyperlinksChanged
No

RevisionNumber
1

MIMEType
application/msword

Words
5

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 93053dcf4bc647fbb356615f4c135774
SHA1 c1c3470ecc1019f9715be614f7f031cbf72c4d64
SHA256 8f65dc3068be3457c1e2825298e7bdc6a85339d8a7ea5887f080bb21b661fc1a
ssdeep
1536:181ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9wEWeafGL8w5CV+9:18GhDS0o9zTGOZD6EbzCdXW2YjW

File size 135.9 KB ( 139136 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 03 22:37:00 2018, Last Saved Time/Date: Mon Dec 03 22:37:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 34, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc

VirusTotal metadata
First submission 2018-12-05 04:27:11 UTC ( 5 months, 2 weeks ago )
Last submission 2018-12-05 10:31:08 UTC ( 5 months, 2 weeks ago )
File names emotet_e2_8f65dc3068be3457c1e2825298e7bdc6a85339d8a7ea5887f080bb21b661fc1a_2018-12-05__04:25:34.doc
IRS Tax Return Transcript.doc
Question
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!