SHA256: bc80572f2722be04d27b5bd1cf5fe79d8215890834a7809a1148e10bf7def016
File name: Unpaid Invoice (ID00-133462).doc
Detection ratio: 1 / 54
Analysis date: 2016-02-17 16:59:41 UTC ( 2 years, 11 months ago )
Antivirus Result Update
CAT-QuickHeal O97M.Dropper.TQ 20160217
Ad-Aware 20160217
AegisLab 20160217
Yandex 20160216
AhnLab-V3 20160217
Alibaba 20160217
ALYac 20160217
Antiy-AVL 20160217
Arcabit 20160217
Avast 20160217
AVG 20160217
Avira (no cloud) 20160217
Baidu-International 20160216
BitDefender 20160217
Bkav 20160217
ByteHero 20160217
ClamAV 20160217
CMC 20160216
Comodo 20160217
Cyren 20160217
DrWeb 20160217
Emsisoft 20160217
ESET-NOD32 20160217
F-Prot 20160217
F-Secure 20160217
Fortinet 20160217
GData 20160217
Ikarus 20160217
Jiangmin 20160217
K7AntiVirus 20160217
K7GW 20160217
Kaspersky 20160217
Malwarebytes 20160217
McAfee 20160217
McAfee-GW-Edition 20160217
Microsoft 20160217
eScan 20160217
NANO-Antivirus 20160217
nProtect 20160217
Panda 20160217
Qihoo-360 20160217
Rising 20160217
Sophos AV 20160217
SUPERAntiSpyware 20160217
Symantec 20160216
Tencent 20160217
TheHacker 20160217
TrendMicro 20160217
TrendMicro-HouseCall 20160217
VBA32 20160217
VIPRE 20160217
ViRobot 20160217
Zillya 20160217
Zoner 20160217
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May read system environment variables.
May execute code from Dynamically Linked Libraries.
May try to download additional files from the Internet.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] autoopen_Main.bas word/vbaProject.bin VBA/autoopen_Main 778 bytes
obfuscated
[+] Class4.cls word/vbaProject.bin VBA/Class4 72 bytes
environ
[+] Class2.cls word/vbaProject.bin VBA/Class2 535 bytes
exe-pattern obfuscated run-dll
[+] Class3.cls word/vbaProject.bin VBA/Class3 601 bytes
download run-dll
Content types
bin
rels
jpg
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator
qwerty Олег
cp:lastModifiedBy
Microsoft Office
cp:revision
514
dcterms:created
2016-01-15T17:12:00Z
dcterms:modified
2016-02-17T09:06:00Z
Application document properties
Template
Normal
TotalTime
1192
Pages
2
Words
0
Characters
2
Application
Microsoft Office Word
DocSecurity
0
Lines
1
Paragraphs
1
ScaleCrop
false
vt:lpstr
Название
vt:i4
1
LinksUpToDate
false
CharactersWithSpaces
2
SharedDoc
false
HyperlinksChanged
false
AppVersion
16.0000
Document languages
Language
Prevalence
ru-ru
3
en-us
1
uk-ua
1
ar-sa
1
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
Microsoft Office

HeadingPairs
, 1

ZipFileName
customXml/_rels/item1.xml.rels

Template
Normal

ZipRequiredVersion
20

ModifyDate
2016:02:17 09:06:00Z

ZipCRC
0x7a393f74

Words
0

ScaleCrop
No

RevisionNumber
514

MIMEType
application/vnd.ms-word.document.macroEnabled

ZipBitFlag
0

CreateDate
2016:01:15 17:12:00Z

Lines
1

AppVersion
16.0

ZipUncompressedSize
296

ZipCompressedSize
188

Characters
2

CharactersWithSpaces
2

DocSecurity
None

ZipModifyDate
2016:02:17 13:09:48

FileType
DOCM

Application
Microsoft Office Word

TotalEditTime
19.9 hours

ZipCompression
Deflated

Pages
2

Creator
qwerty

FileTypeExtension
docm

Paragraphs
1

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files
19
Uncompressed size
370157
Highest datetime
2016-02-17 13:11:34
Lowest datetime
2016-02-17 13:09:48
Contained files by extension
xml
13
bin
1
jpg
1
Contained files by type
XML
17
Microsoft Office
1
JPG
1
File identification
MD5 f4240544a8400eca28919d0dd49b77de
SHA1 d4f8f26dd33a802e18753a313dd59100b6a15da1
SHA256 bc80572f2722be04d27b5bd1cf5fe79d8215890834a7809a1148e10bf7def016
ssdeep
6144:trhhv8BG/5cVOzvDyU2pLO00VYYEAl1qWuzEgrU:tVF8BGiMh100vFqWuzEL

File size 209.7 KB ( 214711 bytes )
File type Office Open XML Document
Magic literal
Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.0%)
Word Microsoft Office Open XML Format document (23.9%)
Open Packaging Conventions container (17.8%)
ZIP compressed archive (4.0%)
PrintFox/Pagefox bitmap (var. P) (1.0%)
Tags
obfuscated docx exe-pattern macros run-dll environ download

VirusTotal metadata
First submission 2016-02-17 16:53:42 UTC ( 2 years, 11 months ago )
Last submission 2018-04-09 10:04:59 UTC ( 9 months, 1 week ago )
File names Unpaid Invoice (ID00-133462).doc