SHA256: b6705076f0310883fa69280190f75e24f1c30d986029a7b4114016d0bc22a93f
File name: 560991692-SPV-YKY.doc
Detection ratio: 5 / 59
Analysis date: 2018-03-19 15:21:35 UTC ( 1 year, 1 month ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20180319
Baidu VBA.Trojan-Downloader.Agent.cpw 20180319
Fortinet VBA/Agent.FZL!tr.dldr 20180319
Rising Macro.Run.d (CLASSIC) 20180319
Zoner Probably W97Obfuscated 20180319
Ad-Aware 20180319
AegisLab 20180319
AhnLab-V3 20180319
Alibaba 20180319
ALYac 20180319
Antiy-AVL 20180319
Avast 20180319
Avast-Mobile 20180319
AVG 20180319
Avira (no cloud) 20180319
AVware 20180319
BitDefender 20180319
Bkav 20180319
CAT-QuickHeal 20180319
ClamAV 20180319
CMC 20180319
Comodo 20180319
CrowdStrike Falcon (ML) 20170201
Cybereason None
Cylance 20180319
Cyren 20180319
DrWeb 20180319
eGambit 20180319
Emsisoft 20180319
Endgame 20180316
ESET-NOD32 20180319
F-Prot 20180319
F-Secure 20180319
GData 20180319
Ikarus 20180319
Sophos ML 20180121
Jiangmin 20180319
K7AntiVirus 20180319
K7GW 20180319
Kaspersky 20180319
Kingsoft 20180319
Malwarebytes 20180319
MAX 20180319
McAfee 20180319
McAfee-GW-Edition 20180319
Microsoft 20180319
eScan 20180319
NANO-Antivirus 20180319
nProtect 20180319
Palo Alto Networks (Known Signatures) 20180319
Panda 20180319
Qihoo-360 20180319
SentinelOne (Static ML) 20180225
Sophos AV 20180319
SUPERAntiSpyware 20180319
Symantec 20180319
Symantec Mobile Insight 20180311
Tencent 20180319
TheHacker 20180319
TrendMicro 20180319
TrendMicro-HouseCall 20180319
Trustlook 20180319
VBA32 20180319
VIPRE 20180319
ViRobot 20180319
Webroot 20180319
WhiteArmor 20180223
Yandex 20180319
Zillya 20180319
ZoneAlarm by Check Point 20180319
The file being studied follows the Compound Document File format. More specifically, it is an MS Word document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
creation_datetime
2018-03-19 16:12:00
revision_number
1
author
bPdQazcp
page_count
1
last_saved
2018-03-19 16:12:00
template
Normal.dotm
application_name
Microsoft Office Word
character_count
1
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
1
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
8128
type_literal
stream
sid
21
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
412
type_literal
stream
sid
2
name
1Table
size
7386
type_literal
stream
sid
1
name
Data
size
20436
type_literal
stream
sid
19
name
Macros/PROJECT
size
583
type_literal
stream
sid
20
name
Macros/PROJECTwm
size
149
type_literal
stream
sid
9
type
macro
name
Macros/VBA/ASdfAGw
size
2869
type_literal
stream
sid
16
type
macro
name
Macros/VBA/JaQdTFDVrUz
size
50010
type_literal
stream
sid
15
type
macro
name
Macros/VBA/XcNTDjaz
size
33840
type_literal
stream
sid
18
name
Macros/VBA/_VBA_PROJECT
size
42538
type_literal
stream
sid
11
name
Macros/VBA/__SRP_0
size
1384
type_literal
stream
sid
12
name
Macros/VBA/__SRP_1
size
118
type_literal
stream
sid
13
name
Macros/VBA/__SRP_2
size
220
type_literal
stream
sid
14
name
Macros/VBA/__SRP_3
size
66
type_literal
stream
sid
8
name
Macros/VBA/dir
size
711
type_literal
stream
sid
10
type
macro
name
Macros/VBA/itzzilO
size
10859
type_literal
stream
sid
17
type
macro (only attributes)
name
Macros/VBA/nFCELVRioFV
size
1109
type_literal
stream
sid
3
name
WordDocument
size
4096
Macros and VBA code streams
[+] JaQdTFDVrUz.bas Macros/VBA/JaQdTFDVrUz 32167 bytes
obfuscated
[+] XcNTDjaz.bas Macros/VBA/XcNTDjaz 22223 bytes
obfuscated
[+] itzzilO.bas Macros/VBA/itzzilO 6712 bytes
obfuscated
[+] ASdfAGw.bas Macros/VBA/ASdfAGw 1305 bytes
create-ole obfuscated run-file
ExifTool file metadata
SharedDoc
No

Author
bPdQazcp

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
1

CreateDate
2018:03:19 15:12:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2018:03:19 15:12:00

Characters
1

CodePage
Windows Latin 1 (Western European)

RevisionNumber
1

MIMEType
application/msword

Words
0

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 aa83826401ef5668474f920d0de7b79f
SHA1 e00222680de7dbbd7ac520a7c41c990e9f112108
SHA256 b6705076f0310883fa69280190f75e24f1c30d986029a7b4114016d0bc22a93f
ssdeep
3072:SgiqkMcvHix1vCfWs23ow2nyQTjyS5dgB2OrVYtePNXKieZIkH:SQFcvCjvCfWs2owqfTjyS5WLVcePlp1

File size 188.5 KB ( 193024 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: bPdQazcp, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sun Mar 18 15:12:00 2018, Last Saved Time/Date: Sun Mar 18 15:12:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc create-ole

VirusTotal metadata
First submission 2018-03-19 15:18:17 UTC ( 1 year, 1 month ago )
Last submission 2018-05-09 15:44:20 UTC ( 11 months, 2 weeks ago )
File names
Number 29064136909-KO-AZL.doc
18231102-QZO-OLROH.doc
Express 60384-BPQ-OAT.doc
Number 16031520821-LYYI-YLVKT.doc
Tracking-09719-DKYO-BENJ.doc
Tracking-923368-JX-GAVM.doc
560991692-SPV-YKY.doc
42004644-QRR-IUE.doc
Express 62522-DBTC-CXFO.doc
99104372-TWL-TYC.doc
Tracking-9607470-MMEZ-QJMK.doc
4892027483-CZXE-FZRWH.doc
764363-CRUD-FQC.doc
Number 6767755315-GONR-ABW.doc
Number 87052014-QB-CVRJ.doc
Tracking-9049879674-OFQB-HUH.doc
Tracking 7979900729-WDUL-JHUBL.doc
35001343-SUT-DGAQ.doc
Number 94839101720-LW-PFX.doc
4601059885-TXBZ-KQE.doc
Tracking 485267760-RGD-JKCG.doc
Express 530648-KNQS-XPTTF.doc
230525-FB-ZELYV.doc
953164190-XZ-GGKI.doc
Express 767066591-ARP-ZPZA.doc