× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: aaeb826a475c4f79f54afb693c29bef95631f1848de7570e9e2c5a4c06d1e86f
File name: resume.doc
Detection ratio: 4 / 60
Analysis date: 2017-10-08 05:32:43 UTC ( 1 year, 4 months ago ) View latest
Antivirus Result Update
Fortinet WM/Agent.WIR!tr.dldr 20171008
Kaspersky HEUR:Trojan.Script.Agent.gen 20171008
TrendMicro-HouseCall Mal_Powload-0 20171008
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20171008
Ad-Aware 20171008
AegisLab 20171008
AhnLab-V3 20171007
Alibaba 20170911
ALYac 20171007
Antiy-AVL 20171008
Arcabit 20171008
Avast 20171008
Avast-Mobile 20171007
AVG 20171008
Avira (no cloud) 20171007
AVware 20171008
Baidu 20170930
BitDefender 20171008
Bkav 20171007
CAT-QuickHeal 20171007
ClamAV 20171008
CMC 20171008
Comodo 20171008
CrowdStrike Falcon (ML) 20170804
Cylance 20171008
Cyren 20171008
DrWeb 20171008
Emsisoft 20171008
Endgame 20170821
ESET-NOD32 20171007
F-Prot 20171008
F-Secure 20171008
GData 20171008
Ikarus 20171007
Sophos ML 20170914
Jiangmin 20171008
K7AntiVirus 20171008
K7GW 20171008
Kingsoft 20171008
Malwarebytes 20171008
MAX 20171008
McAfee 20171008
McAfee-GW-Edition 20171008
Microsoft 20171008
eScan 20171008
NANO-Antivirus 20171008
nProtect 20171008
Palo Alto Networks (Known Signatures) 20171008
Panda 20171007
Qihoo-360 20171008
Rising 20171008
SentinelOne (Static ML) 20171001
Sophos AV 20171008
SUPERAntiSpyware 20171008
Symantec 20171007
Symantec Mobile Insight 20171006
Tencent 20171008
TheHacker 20171007
TotalDefense 20171008
TrendMicro 20171008
Trustlook 20171008
VBA32 20171006
VIPRE 20171008
ViRobot 20171007
Webroot 20171008
WhiteArmor 20170927
Yandex 20171006
Zillya 20171006
Zoner 20171008
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author
WorldStream Customer
creation_datetime
2017-10-08 02:06:00
revision_number
3
author
mdtammtgsicxpiq
page_count
1
last_saved
2017-10-08 02:08:00
word_count
38
template
Normal
application_name
Microsoft Office Word
character_count
222
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
259
version
917504
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
4800
type_literal
stream
sid
18
name
\x01CompObj
size
114
type_literal
stream
sid
4
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
3
name
\x05SummaryInformation
size
432
type_literal
stream
sid
1
name
1Table
size
26493
type_literal
stream
sid
16
name
Macros/PROJECT
size
443
type_literal
stream
sid
17
name
Macros/PROJECTwm
size
77
type_literal
stream
sid
14
type
macro (only attributes)
name
Macros/VBA/ThisDocument
size
1097
type_literal
stream
sid
15
name
Macros/VBA/_VBA_PROJECT
size
7156
type_literal
stream
sid
10
name
Macros/VBA/__SRP_0
size
1295
type_literal
stream
sid
11
name
Macros/VBA/__SRP_1
size
110
type_literal
stream
sid
12
name
Macros/VBA/__SRP_2
size
220
type_literal
stream
sid
13
name
Macros/VBA/__SRP_3
size
66
type_literal
stream
sid
7
name
Macros/VBA/dir
size
603
type_literal
stream
sid
8
type
macro
name
Macros/VBA/nqhcs
size
18544
type_literal
stream
sid
9
type
macro
name
Macros/VBA/wmrlt
size
35938
type_literal
stream
sid
2
name
WordDocument
size
91887
Macros and VBA code streams
[+] nqhcs.bas Macros/VBA/nqhcs 9199 bytes
create-ole obfuscated
[+] wmrlt.bas Macros/VBA/wmrlt 11064 bytes
ExifTool file metadata
SharedDoc
No

Author
mdtammtgsicxpiq

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
WorldStream Customer

HeadingPairs
Title, 1, Titel, 1

Template
Normal

CharCountWithSpaces
259

CreateDate
2017:10:08 01:06:00

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2017:10:08 01:08:00

TitleOfParts
,

Characters
222

CodePage
Windows Latin 1 (Western European)

RevisionNumber
3

MIMEType
application/msword

Words
38

FileType
DOC

Lines
1

AppVersion
14.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

Compressed bundles
File identification
MD5 427e5c6e3a60070e784313c7d519bc81
SHA1 481cbe840df0e3255246e5d969e3fb11752125af
SHA256 aaeb826a475c4f79f54afb693c29bef95631f1848de7570e9e2c5a4c06d1e86f
ssdeep
6144:D+Eb4BesEcE6bRuGkUEI26MYjN5aQT4C8cn+j5EzixIRTBBOr:D+e4BesRuGkUEI26MYjN5aQT4C8cn+jC

File size 195.5 KB ( 200192 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: mdtammtgsicxpiq, Template: Normal, Last Saved By: WorldStream Customer, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Oct 07 01:06:00 2017, Last Saved Time/Date: Sat Oct 07 01:08:00 2017, Number of Pages: 1, Number of Words: 38, Number of Characters: 222, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros doc create-ole

VirusTotal metadata
First submission 2017-10-08 05:32:43 UTC ( 1 year, 4 months ago )
Last submission 2017-10-12 10:14:35 UTC ( 1 year, 4 months ago )
File names resume.doc
resume.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!