× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: b97691ce2e4e9d21aaa521b5f6dd10cbd28226ec555a3789065801c6a64a9ff0
File name: 7035df8751b61c417a80d1f933440785.exe
Detection ratio: 33 / 56
Analysis date: 2017-05-01 03:17:50 UTC ( 5 months, 2 weeks ago )
Antivirus Result Update
Ad-Aware w97m.Agent.CU 20170501
AhnLab-V3 W97M/Downloader 20170430
ALYac w97m.Agent.CU 20170501
Arcabit HEUR.VBA.Trojan.e 20170501
Avast VBA:Downloader-EXM [Trj] 20170501
Avira (no cloud) W2000M/Agent.0594947 20170430
Baidu VBA.Trojan-Downloader.Agent.bio 20170428
BitDefender w97m.Agent.CU 20170501
CAT-QuickHeal W97M.Downloader.AIQ 20170430
ClamAV Doc.Macro.MaliciousHeuristic-6290326-0 20170430
Cyren W97M/Downldr.AX 20170501
DrWeb W97M.DownLoader.1708 20170501
Emsisoft w97m.Agent.CU (B) 20170501
ESET-NOD32 VBA/TrojanDownloader.Agent.DAZ 20170430
F-Prot W97M/Downldr.AX 20170501
F-Secure w97m.Agent.CU 20170501
Fortinet WM/Agent.67719!tr.dldr 20170501
GData w97m.Agent.CU 20170501
Ikarus Trojan-Downloader.VBA.Agent 20170430
Kaspersky Trojan-Downloader.MSWord.Agent.bgn 20170501
McAfee Downloader-FBNL!7035DF8751B6 20170501
McAfee-GW-Edition Downloader-FBNL!7035DF8751B6 20170430
Microsoft TrojanDownloader:O97M/Donoff 20170501
eScan w97m.Agent.CU 20170501
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170430
Rising Downloader.Donoff!8.36C (topis) 20170430
Sophos AV Troj/DocDl-IQQ 20170501
Symantec W97M.Downloader 20170430
Tencent Win32.Trojan.Downloader.Pgeo 20170501
TrendMicro W2KM_POWLOAD.AUSJPC 20170501
TrendMicro-HouseCall W2KM_POWLOAD.AUSJPC 20170501
ViRobot DOC.Z.Agent.30720.AX[h] 20170501
ZoneAlarm by Check Point Trojan-Downloader.MSWord.Agent.bgn 20170501
AegisLab 20170501
Alibaba 20170428
Antiy-AVL 20170429
AVG 20170501
AVware 20170501
Bkav 20170428
CMC 20170427
Comodo 20170501
CrowdStrike Falcon (ML) 20170130
Endgame 20170419
Sophos ML 20170413
Jiangmin 20170428
K7AntiVirus 20170501
K7GW 20170426
Kingsoft 20170501
Malwarebytes 20170430
nProtect 20170501
Palo Alto Networks (Known Signatures) 20170501
Panda 20170430
Qihoo-360 20170501
SentinelOne (Static ML) 20170330
SUPERAntiSpyware 20170430
Symantec Mobile Insight 20170428
TheHacker 20170429
Trustlook 20170501
VBA32 20170429
VIPRE 20170501
Webroot 20170501
WhiteArmor 20170409
Yandex 20170428
Zillya 20170428
Zoner 20170501
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
Automatically runs commands or instructions when the file is opened.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author
Matt
creation_datetime
2017-04-12 20:35:00
template
Normal
author
klrqjdwuvvjboxr
page_count
1
last_saved
2017-04-13 03:32:00
edit_time
6720
word_count
54
revision_number
6
application_name
Microsoft Office Word
character_count
311
code_page
Latin I
Document summary
line_count
2
company
Microsoft
characters_with_spaces
364
version
917504
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
7168
type_literal
stream
size
114
name
\x01CompObj
sid
13
type_literal
stream
size
4096
name
\x05DocumentSummaryInformation
sid
4
type_literal
stream
size
396
name
\x05SummaryInformation
sid
3
type_literal
stream
size
7003
name
1Table
sid
1
type_literal
stream
size
492
name
Macros/PROJECT
sid
11
type_literal
stream
size
71
name
Macros/PROJECTwm
sid
12
type_literal
stream
size
1766
type
macro
name
Macros/VBA/NewMacros
sid
8
type_literal
stream
size
938
type
macro (only attributes)
name
Macros/VBA/ThisDocument
sid
9
type_literal
stream
size
2566
name
Macros/VBA/_VBA_PROJECT
sid
10
type_literal
stream
size
570
name
Macros/VBA/dir
sid
7
type_literal
stream
size
4148
name
WordDocument
sid
2
Macros and VBA code streams
[+] NewMacros.bas Macros/VBA/NewMacros 292 bytes
auto-open obfuscated run-file
ExifTool file metadata
SharedDoc
No

Author
klrqjdwuvvjboxr

CodePage
Windows Latin 1 (Western European)

LinksUpToDate
No

LastModifiedBy
Matt

HeadingPairs
Title, 1

Template
Normal

CharCountWithSpaces
364

CreateDate
2017:04:12 19:35:00

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2017:04:13 02:32:00

Company
Microsoft

HyperlinksChanged
No

Characters
311

ScaleCrop
No

RevisionNumber
6

MIMEType
application/msword

Words
54

FileType
DOC

Lines
2

AppVersion
14.0

Security
None

Software
Microsoft Office Word

TotalEditTime
1.9 hours

Pages
1

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

File identification
MD5 7035df8751b61c417a80d1f933440785
SHA1 812b56cd25a0e96e679976f26d4af4167a4fb864
SHA256 b97691ce2e4e9d21aaa521b5f6dd10cbd28226ec555a3789065801c6a64a9ff0
ssdeep
192:F+IlLZEvA+6/6rT5bk8xgNAOR6MLrVUgtan8gBG3RtS0j14SEh7taq:N8iSY5UMNPtGDBG3XS0j1d2

File size 30.0 KB ( 30720 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: klrqjdwuvvjboxr, Template: Normal, Last Saved By: Matt, Revision Number: 6, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:52:00, Create Time/Date: Tue Apr 11 19:35:00 2017, Last Saved Time/Date: Wed Apr 12 02:32:00 2017, Number of Pages: 1, Number of Words: 54, Number of Characters: 311, Security: 0

TrID Microsoft Word document (35.9%)
Microsoft Excel sheet (33.7%)
Microsoft Word document (old ver.) (21.3%)
Generic OLE2 / Multistream Compound File (8.9%)
Tags
obfuscated macros run-file auto-open doc

VirusTotal metadata
First submission 2017-04-13 10:37:32 UTC ( 6 months, 1 week ago )
Last submission 2017-05-01 03:17:50 UTC ( 5 months, 2 weeks ago )
File names m5.exe
7035df8751b61c417a80d1f933440785.exe
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!