× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: b0d7a4a572cfab28ccd34a58171f189c4f2d8315e09a2605af3d0d6e17840004
File name: WIRE-FORM-ARMC-536152960.doc
Detection ratio: 4 / 58
Analysis date: 2018-03-22 13:49:39 UTC ( 11 months ago ) View latest
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20180322
Baidu VBA.Trojan-Downloader.Agent.cpw 20180322
Fortinet VBA/Agent.HHV!tr 20180322
Zoner Probably W97Obfuscated 20180322
Ad-Aware 20180322
AegisLab 20180322
AhnLab-V3 20180322
Alibaba 20180322
ALYac 20180322
Antiy-AVL 20180322
Avast 20180322
Avast-Mobile 20180322
AVG 20180322
Avira (no cloud) 20180322
AVware 20180322
BitDefender 20180322
Bkav 20180322
CAT-QuickHeal 20180322
ClamAV 20180322
CMC 20180322
Comodo 20180322
CrowdStrike Falcon (ML) 20170201
Cybereason None
Cylance 20180322
Cyren 20180322
DrWeb 20180322
eGambit 20180322
Emsisoft 20180322
Endgame 20180316
ESET-NOD32 20180322
F-Prot 20180322
F-Secure 20180322
GData 20180322
Ikarus 20180322
Sophos ML 20180121
Jiangmin 20180322
K7AntiVirus 20180322
K7GW 20180322
Kaspersky 20180322
Kingsoft 20180322
Malwarebytes 20180322
MAX 20180322
McAfee 20180322
McAfee-GW-Edition 20180322
Microsoft 20180322
eScan 20180322
NANO-Antivirus 20180322
nProtect 20180322
Palo Alto Networks (Known Signatures) 20180322
Panda 20180321
Qihoo-360 20180322
Rising 20180322
SentinelOne (Static ML) 20180225
Sophos AV 20180322
SUPERAntiSpyware 20180322
Symantec 20180322
Symantec Mobile Insight 20180311
Tencent 20180322
TheHacker 20180319
TrendMicro 20180322
TrendMicro-HouseCall 20180322
Trustlook 20180322
VBA32 20180322
VIPRE 20180322
ViRobot 20180322
Webroot 20180322
WhiteArmor 20180223
Yandex 20180322
ZoneAlarm by Check Point 20180322
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
creation_datetime
2018-03-22 13:18:00
author
ZHilaeho
title
ZHilaehoti
page_count
1
last_saved
2018-03-22 13:18:00
revision_number
1
application_name
Microsoft Office Word
character_count
1
template
Normal.dotm
code_page
Latin I
subject
ZHilaeho
Document summary
category
ZHilaeho
line_count
1
company
ZHilaehoti
characters_with_spaces
1
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
7104
type_literal
stream
sid
21
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
336
type_literal
stream
sid
4
name
\x05SummaryInformation
size
428
type_literal
stream
sid
2
name
1Table
size
7264
type_literal
stream
sid
1
name
Data
size
46636
type_literal
stream
sid
19
name
Macros/PROJECT
size
597
type_literal
stream
sid
20
name
Macros/PROJECTwm
size
185
type_literal
stream
sid
14
type
macro
name
Macros/VBA/BIuLWlzGZH
size
43675
type_literal
stream
sid
15
type
macro (only attributes)
name
Macros/VBA/DkWAjXPsdIWW
size
1111
type_literal
stream
sid
18
type
macro
name
Macros/VBA/EEnUwdaPthwYB
size
7009
type_literal
stream
sid
13
type
macro
name
Macros/VBA/YiIHsSzwh
size
1435
type_literal
stream
sid
17
name
Macros/VBA/_VBA_PROJECT
size
25804
type_literal
stream
sid
9
name
Macros/VBA/__SRP_0
size
1396
type_literal
stream
sid
10
name
Macros/VBA/__SRP_1
size
118
type_literal
stream
sid
11
name
Macros/VBA/__SRP_2
size
220
type_literal
stream
sid
12
name
Macros/VBA/__SRP_3
size
66
type_literal
stream
sid
8
name
Macros/VBA/dir
size
755
type_literal
stream
sid
16
type
macro
name
Macros/VBA/rbDEmzTGTApz
size
25386
type_literal
stream
sid
3
name
WordDocument
size
4096
Macros and VBA code streams
[+] BIuLWlzGZH.bas Macros/VBA/BIuLWlzGZH 26735 bytes
obfuscated
[+] rbDEmzTGTApz.bas Macros/VBA/rbDEmzTGTApz 15651 bytes
create-ole obfuscated run-file
[+] EEnUwdaPthwYB.bas Macros/VBA/EEnUwdaPthwYB 3946 bytes
obfuscated
[+] YiIHsSzwh.bas Macros/VBA/YiIHsSzwh 372 bytes
obfuscated
ExifTool file metadata
Category
ZHilaeho

SharedDoc
No

Author
ZHilaeho

CodePage
Windows Latin 1 (Western European)

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
1

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2018:03:22 12:18:00

Company
ZHilaehoti

Title
ZHilaehoti

Characters
1

HyperlinksChanged
No

RevisionNumber
1

MIMEType
application/msword

Words
0

CreateDate
2018:03:22 12:18:00

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

FileType
DOC

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

Subject
ZHilaeho

File identification
MD5 af17a4477a6d06d0abf910e17bf49ee3
SHA1 4c56dd522ba167d38d217e3479f45b7bc4a45dab
SHA256 b0d7a4a572cfab28ccd34a58171f189c4f2d8315e09a2605af3d0d6e17840004
ssdeep
3072:/fkoTvhR2eSC+ONXXfXEVYZro0/Jvf0Ynu:/fkoTvhULOxvoYZc0/Jvf1

File size 178.5 KB ( 182784 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: ZHilaehoti, Subject: ZHilaeho, Author: ZHilaeho, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Mar 21 12:18:00 2018, Last Saved Time/Date: Wed Mar 21 12:18:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc create-ole

VirusTotal metadata
First submission 2018-03-22 13:49:39 UTC ( 11 months ago )
Last submission 2018-04-30 23:42:29 UTC ( 9 months, 3 weeks ago )
File names WIRE-FORM-UT-2906264.doc
INV-AGH-66841337.doc
INV-MT-992432152230936.doc
ACH-FORM-TQCH-80904165.doc
INVOICE-RQ-26070996.doc
WIRE-FORM-VAPG-6861073851.doc
INVOICE-XC-8408223865805.doc
INVOICE-PQ-82320456568735.doc
INV-FZY-5753975.doc
ACH-FORM-UJAV-981961657.doc
9b18def03fe3a586b66a1345889f9609c07ea729
WIRE-FORM-QHH-10556236562.doc
ACH-FORM-RKXG-835978002.doc
ACH-FORM-LK-91086221253819.doc
INV-CO-3006710.doc
INVOICE-QRC-8034855067.doc
ACH-FORM-WQZ-174475538675.doc
WIRE-FORM-LQ-1649559061725.doc
ACH-FORM-WMXJ-80381765.doc
WIRE-FORM-AREO-093970077477.doc
WIRE-FORM-RV-15109546.doc
INV-RPN-8744604955.doc
WIRE-FORM-LRB-861064072214847.doc
INV-FHJL-32112710301.doc
ACH-FORM-FO-095389514834766.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!