SHA256: a4870bb398acdcc2f2c0c3396d3e29b7cc1bdd4459df1d19834fc38471427436
Detection ratio: 23 / 59
Analysis date: 2018-03-13 03:08:11 UTC ( 5 months ago )
Antivirus Result Update
Ad-Aware VB:Trojan.Valyria.1278 20180313
ALYac VB:Trojan.Valyria.1278 20180312
Arcabit VB:Trojan.Valyria.D4FE 20180313
AVware LooksLike.Macro.Malware.k (v) 20180313
Baidu VBA.Trojan-Downloader.Agent.cot 20180312
BitDefender VB:Trojan.Valyria.1278 20180313
Emsisoft VB:Trojan.Valyria.1278 (B) 20180313
ESET-NOD32 VBA/TrojanDownloader.Agent.GVC 20180313
F-Secure VB:Trojan.Valyria.1278 20180313
Fortinet VBA/Agent.GKM!tr 20180313
GData VB:Trojan.Valyria.1278 20180313
Ikarus Trojan-Downloader.VBA.Agent 20180312
Kaspersky HEUR:Trojan.Script.Agent.gen 20180313
MAX malware (ai score=85) 20180313
McAfee W97M/Downloader.ckw 20180313
McAfee-GW-Edition W97M/Downloader.ckw 20180313
Microsoft TrojanDownloader:O97M/Donoff 20180312
eScan VB:Trojan.Valyria.1278 20180313
Rising Downloader.VBA/Agent!1.AF61 (CLASSIC) 20180312
TrendMicro HEUR_VBA.E 20180313
VIPRE LooksLike.Macro.Malware.k (v) 20180312
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20180313
Zoner Probably W97DownloaderA 20180313
AegisLab 20180313
AhnLab-V3 20180312
Alibaba 20180312
Antiy-AVL 20180312
Avast 20180313
Avast-Mobile 20180312
AVG 20180313
Avira (no cloud) 20180313
Bkav 20180312
CAT-QuickHeal 20180312
ClamAV 20180313
CMC 20180312
Comodo 20180313
CrowdStrike Falcon (ML) 20170201
Cybereason None
Cylance 20180313
Cyren 20180313
DrWeb 20180313
eGambit 20180313
Endgame 20180308
F-Prot 20180313
Sophos ML 20180121
Jiangmin 20180313
K7AntiVirus 20180312
K7GW 20180313
Kingsoft 20180313
Malwarebytes 20180312
NANO-Antivirus 20180313
nProtect 20180313
Palo Alto Networks (Known Signatures) 20180313
Panda 20180312
Qihoo-360 20180313
SentinelOne (Static ML) 20180225
Sophos AV 20180312
SUPERAntiSpyware 20180313
Symantec 20180312
Symantec Mobile Insight 20180311
Tencent 20180313
TheHacker 20180311
TrendMicro-HouseCall 20180313
Trustlook 20180313
VBA32 20180312
ViRobot 20180313
Webroot 20180313
WhiteArmor 20180223
Yandex 20180308
Zillya 20180312
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
Automatically runs commands or instructions when the file is opened.
May execute code from Dynamically Linked Libraries.
Seems to contain deobfuscation code.
Summary
last_author: --
creation_datetime: 2018-03-13 02:06:00
template: Normal.dotm
author: Autohr
page_count: 1
last_saved: 2018-03-13 02:06:00
application_name: Microsoft Office Word
comments: Aenean toCurabitur fermentum nisl lr pulvinar tortor quis metus tempus a. Praesent quis aliquet odio. ibero, sed varius toret rhoncus in vel purus.
revision_number: 1
keywords: x, , elit, ornare,a molestieMauris, condimentum, mi e vitae
title: JYYBKP9JE
code_page: Turkish
subject: 3ULGM14X
Document summary
byte_count: 11000
company: --
version: 1048576
code_page: Turkish
OLE Streams
name: Root Entry; clsid: 00020906-0000-0000-c000-000000000046; type_literal: root; clsid_literal: MS Word; sid: 0; size: 1152
type_literal: stream; sid: 12; name: \x01CompObj; size: 114
type_literal: stream; sid: 4; name: \x05DocumentSummaryInformation; size: 4096
type_literal: stream; sid: 3; name: \x05SummaryInformation; size: 4096
type_literal: stream; sid: 1; name: 1Table; size: 9416
type_literal: stream; sid: 11; name: Macros/PROJECT; size: 363
type_literal: stream; sid: 10; name: Macros/PROJECTwm; size: 41
type_literal: stream; sid: 7; type: macro; name: Macros/VBA/ThisDocument; size: 37998
type_literal: stream; sid: 8; name: Macros/VBA/_VBA_PROJECT; size: 4232
type_literal: stream; sid: 9; name: Macros/VBA/dir; size: 513
type_literal: stream; sid: 2; name: WordDocument; size: 4096
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 20162 bytes
auto-open obfuscated run-dll
ExifTool file metadata
SharedDoc: No
Author: Autohr
CodePage: Windows Turkish
LinksUpToDate: No
LastModifiedBy: --
HeadingPairs: Title, 1
Template: Normal.dotm
CharCountWithSpaces: 0
CreateDate: 2018:03:13 01:06:00
CompObjUserType: Microsoft Word 97-2003 Document
ModifyDate: 2018:03:13 01:06:00
Company: --
Title: JYYBKP9JE
HyperlinksChanged: No
Characters: 0
ScaleCrop: No
RevisionNumber: 1
MIMEType: application/msword
Words: 0
Bytes: 11000
FileType: DOC
Lines: 0
AppVersion: 16.0
Comments: Aenean toCurabitur fermentum nisl lr pulvinar tortor quis metus tempus a. Praesent quis aliquet odio. ibero, sed varius toret rhoncus in vel purus.
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 0
Keywords: x, , elit, ornare,a molestieMauris, condimentum, mi e vitae
Subject: 3ULGM14X

File identification
MD5 cff56ec9776cc6449531f1a7fffc540f
SHA1 ac4ed1d4d0bdb8207c48f2e7d9819e67f5c8dd65
SHA256 a4870bb398acdcc2f2c0c3396d3e29b7cc1bdd4459df1d19834fc38471427436
ssdeep 768:JKKq1YTAuT2HBgjzbFSAaMIfAvO4W3Vzwq3iDZnTnr8AOfPWAO7:Xq19wAAaPff9Jwq3iDZ71

File size 69.5 KB ( 71168 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1254, Title: JYYBKP9JE, Subject: 3ULGM14X, Author: Autohr, Keywords: x, , elit, ornare,a molestieMauris, condimentum, mi e vitae, Comments: Aenean toCurabitur fermentum nisl lr pulvinar tortor quis metus tempus a. Praesent quis aliquet odio. ibero, sed varius toret rhoncus in vel purus., Template: Normal.dotm, Last Saved By: --, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Mar 12 01:06:00 2018, Last Saved Time/Date: Mon Mar 12 01:06:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros auto-open run-dll doc

VirusTotal metadata
First submission 2018-03-13 03:07:34 UTC ( 5 months ago )
Last submission 2018-03-13 03:08:11 UTC ( 5 months ago )
File names Kcc-Invoice.doc