SHA256: af3e4798677e18672a503d6dfc9b3aa1b3994ee5b3f35df65fb4d43d0e347d8b
File name: PaymentReceipt.docm
Detection ratio: 7 / 55
Analysis date: 2016-08-19 09:58:57 UTC ( 2 years, 8 months ago )
Antivirus Result Update
AVware Trojan-Downloader.O97M.Donoff.by (v) 20160819
Baidu VBA.Trojan-Downloader.Agent.aqx 20160819
Fortinet WM/Agent!tr 20160819
Panda VBS/Jenxcus.A 20160818
Qihoo-360 virus.office.obfuscated.1 20160819
Rising Heur.Macro.Downloader.d 20160819
Tencent Macro.Trojan.Dropperd.Auto 20160819
Ad-Aware 20160819
AegisLab 20160819
AhnLab-V3 20160819
Alibaba 20160819
ALYac 20160819
Antiy-AVL 20160819
Arcabit 20160819
Avast 20160819
AVG 20160819
Avira (no cloud) 20160819
BitDefender 20160819
Bkav 20160818
CAT-QuickHeal 20160818
ClamAV 20160819
CMC 20160818
Comodo 20160818
Cyren 20160819
DrWeb 20160819
Emsisoft 20160819
ESET-NOD32 20160819
F-Prot 20160819
F-Secure 20160819
GData 20160819
Ikarus 20160819
Jiangmin 20160819
K7AntiVirus 20160819
K7GW 20160819
Kaspersky 20160819
Kingsoft 20160819
Malwarebytes 20160819
McAfee 20160819
McAfee-GW-Edition 20160819
Microsoft 20160819
eScan 20160819
NANO-Antivirus 20160819
nProtect 20160817
Sophos AV 20160819
SUPERAntiSpyware 20160819
Symantec 20160819
TheHacker 20160817
TrendMicro 20160819
TrendMicro-HouseCall 20160819
VBA32 20160818
VIPRE 20160819
ViRobot 20160819
Yandex 20160818
Zillya 20160818
Zoner 20160819
The file being studied follows the Open XML file format! More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May copy a file.
May create additional files.
May create OLE objects.
May enumerate open windows.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 42 bytes
[+] Module1.bas word/vbaProject.bin VBA/Module1 29707 bytes
copy-file create-file create-ole enum-windows handle-file obfuscated open-file write-file
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator
1
cp:lastModifiedBy
1
cp:revision
2
dcterms:created
2016-08-19T08:19:00Z
dcterms:modified
2016-08-19T08:19:00Z
Application document properties
Template
Normal.dotm
TotalTime
0
Pages
1
Words
0
Characters
0
Application
Microsoft Office Word
DocSecurity
0
Lines
0
Paragraphs
0
ScaleCrop
false
LinksUpToDate
false
CharactersWithSpaces
0
SharedDoc
false
HyperlinksChanged
false
AppVersion
16.0000
Document languages
Language
Prevalence
ru-ru
2
en-us
1
ar-sa
1
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
1

Application
Microsoft Office Word

ZipFileName
[Content_Types].xml

Template
Normal.dotm

ZipRequiredVersion
20

ModifyDate
2016:08:19 08:19:00Z

ZipCRC
0x7aec387e

Words
0

ScaleCrop
No

RevisionNumber
2

MIMEType
application/vnd.ms-word.document.macroEnabled

ZipBitFlag
0x0006

CreateDate
2016:08:19 08:19:00Z

Lines
0

AppVersion
16.0

ZipUncompressedSize
1453

ZipCompressedSize
391

Characters
0

CharactersWithSpaces
0

DocSecurity
None

ZipModifyDate
1980:01:01 00:00:00

FileType
DOCM

Creator
1

TotalEditTime
0

ZipCompression
Deflated

Pages
1

FileTypeExtension
docm

Paragraphs
0

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files
14
Uncompressed size
131504
Highest datetime
1980-01-01 00:00:00
Lowest datetime
1980-01-01 00:00:00
Contained files by extension
xml
10
bin
1
Contained files by type
XML
13
Microsoft Office
1
Compressed bundles
File identification
MD5 d6b0edb0312383fc564871038db424b0
SHA1 6cf56ec5aa9a32dd11268aebaa31f060ad558ff5
SHA256 af3e4798677e18672a503d6dfc9b3aa1b3994ee5b3f35df65fb4d43d0e347d8b
ssdeep
768:/L6E07RHXlZz1zV+nNuCyx8Ruh6Ino4k9V5yNOB/dBlarLfxl1Q7:OE07R3lZ34o98cvo5P3F/iLfxa

File size 48.2 KB ( 49342 bytes )
File type Office Open XML Document
Magic literal
Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.0%)
Word Microsoft Office Open XML Format document (23.9%)
Open Packaging Conventions container (17.8%)
ZIP compressed archive (4.0%)
PrintFox/Pagefox bitmap (var. P) (1.0%)
Tags
obfuscated open-file enum-windows handle-file copy-file create-file docx macros attachment write-file create-ole

VirusTotal metadata
First submission 2016-08-19 09:43:34 UTC ( 2 years, 8 months ago )
Last submission 2017-09-07 18:38:18 UTC ( 1 year, 7 months ago )
File names Malware_NEW_OFFICE_af3e4798677e18672a503d6dfc9b3aa1b3994ee5b3f35df65fb4d43d0e347d8b
PaymentReceipt.docm
PaymentReceipt
af3e4798677e18672a503d6dfc9b3aa1b3994ee5b3f35df65fb4d43d0e347d8b.bin
__substg1.0_37010102
7ca8596cb67b6a74d6555d0c137cea54
30118918063-107-0_attach.1.PaymentReceipt.docm