SHA256: d21eb79b506d7a5409d96d5696245071932fbc547eebd425be6b03e5d9fc54b7
File name: sus.doc
Detection ratio: 19 / 59
Analysis date: 2018-07-07 01:10:32 UTC ( 8 months, 2 weeks ago )
Antivirus Result Update
Ad-Aware VB:Trojan.Valyria.1945 20180706
Arcabit VB:Trojan.Valyria.D799 20180707
Baidu VBA.Trojan-Downloader.Agent.dcb 20180706
BitDefender VB:Trojan.Valyria.1945 20180707
CAT-QuickHeal W97M.Downloader.31772 20180706
Cyren W97M/Agent 20180706
DrWeb Exploit.Siggen.6344 20180706
Emsisoft VB:Trojan.Valyria.1945 (B) 20180706
F-Prot New or modified W97M/Agent 20180706
F-Secure VB:Trojan.Valyria.1945 20180706
Fortinet VBA/Agent.ASH!tr.dldr 20180706
GData VB:Trojan.Valyria.1945 20180706
Kaspersky HEUR:Trojan.Script.Agent.gen 20180707
MAX malware (ai score=89) 20180707
McAfee-GW-Edition BehavesLike.Downloader.mg 20180706
eScan VB:Trojan.Valyria.1945 20180707
TrendMicro-HouseCall Suspicious_GEN.F47V0706 20180707
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20180707
Zoner Probably W97Shell 20180706
AegisLab 20180706
AhnLab-V3 20180706
Alibaba 20180705
ALYac 20180706
Antiy-AVL 20180707
Avast 20180707
Avast-Mobile 20180706
AVG 20180707
Avira (no cloud) 20180706
AVware 20180707
Babable 20180406
Bkav 20180706
ClamAV 20180706
CMC 20180706
Comodo 20180706
CrowdStrike Falcon (ML) 20180202
Cybereason 20180308
Cylance 20180707
eGambit 20180707
Endgame 20180612
ESET-NOD32 20180707
Ikarus 20180706
Sophos ML 20180601
Jiangmin 20180707
K7AntiVirus 20180706
K7GW 20180706
Kingsoft 20180707
Malwarebytes 20180707
McAfee 20180707
Microsoft 20180707
NANO-Antivirus 20180706
Palo Alto Networks (Known Signatures) 20180707
Panda 20180705
Qihoo-360 20180707
Rising 20180707
SentinelOne (Static ML) 20180701
Sophos AV 20180706
SUPERAntiSpyware 20180706
Symantec 20180706
TACHYON 20180706
Tencent 20180707
TheHacker 20180628
TrendMicro 20180707
Trustlook 20180707
VBA32 20180705
VIPRE 20180707
ViRobot 20180706
Webroot 20180707
Yandex 20180706
Zillya 20180706
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author: 12345
creation_datetime: 2018-07-06 16:57:00
revision_number: 6
author: 12345
page_count: 1
last_saved: 2018-07-06 17:04:00
edit_time: 420
word_count: 6
template: Normal.dotm
application_name: Microsoft Office Word
character_count: 35
code_page: Latin I
Document summary
line_count: 1
characters_with_spaces: 40
version: 786432
paragraph_count: 1
code_page: Latin I
OLE Streams
name: Root Entry; clsid: 00020906-0000-0000-c000-000000000046; type_literal: root; clsid_literal: MS Word; sid: 0; size: 17856
type_literal: stream; sid: 31; name: \x01CompObj; size: 121
type_literal: stream; sid: 10; name: \x05DocumentSummaryInformation; size: 280
type_literal: stream; sid: 9; name: \x05SummaryInformation; size: 332
type_literal: stream; sid: 8; name: 1Table; size: 6619
type_literal: stream; sid: 1; name: Data; size: 45961
type_literal: stream; sid: 30; name: Macros/PROJECT; size: 641
type_literal: stream; sid: 29; name: Macros/PROJECTwm; size: 143
type_literal: stream; sid: 27; name: Macros/UserForm1/\x01CompObj; size: 97
type_literal: stream; sid: 28; name: Macros/UserForm1/\x03VBFrame; size: 291
type_literal: stream; sid: 25; name: Macros/UserForm1/f; size: 271
type_literal: stream; sid: 26; name: Macros/UserForm1/o; size: 268
type_literal: stream; sid: 14; type: macro; name: Macros/VBA/Module1; size: 2525
type_literal: stream; sid: 15; type: macro; name: Macros/VBA/Module2; size: 1577
type_literal: stream; sid: 18; type: macro; name: Macros/VBA/Module3; size: 3354
type_literal: stream; sid: 13; type: macro; name: Macros/VBA/ThisDocument; size: 1866
type_literal: stream; sid: 19; type: macro; name: Macros/VBA/UserForm1; size: 1728
type_literal: stream; sid: 20; name: Macros/VBA/_VBA_PROJECT; size: 4962
type_literal: stream; sid: 22; name: Macros/VBA/__SRP_0; size: 1878
type_literal: stream; sid: 23; name: Macros/VBA/__SRP_1; size: 113
type_literal: stream; sid: 16; name: Macros/VBA/__SRP_4; size: 104
type_literal: stream; sid: 17; name: Macros/VBA/__SRP_5; size: 213
type_literal: stream; sid: 21; name: Macros/VBA/dir; size: 1138
type_literal: stream; sid: 6; name: ObjectPool/_1592369429/\x03OCXNAME; size: 26
type_literal: stream; sid: 5; name: ObjectPool/_1592369429/\x03ObjInfo; size: 6
type_literal: stream; sid: 7; name: ObjectPool/_1592369429/Contents; size: 94
type_literal: stream; sid: 2; name: WordDocument; size: 4096
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 110 bytes
Module1.bas Macros/VBA/Module1 735 bytes (obfuscated)
Module2.bas Macros/VBA/Module2 225 bytes
Module3.bas Macros/VBA/Module3 1159 bytes
UserForm1.frm Macros/VBA/UserForm1 163 bytes (run-file)
ExifTool file metadata
SharedDoc
No

Author
12345

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

LastModifiedBy
12345

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
40

CreateDate
2018:07:06 14:57:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Office Word 97-2003 Document

ModifyDate
2018:07:06 15:04:00

Characters
35

CodePage
Windows Latin 1 (Western European)

RevisionNumber
6

MIMEType
application/msword

Words
6

FileType
DOC

Lines
1

AppVersion
12.0

Security
None

Software
Microsoft Office Word

TotalEditTime
7 minutes

Pages
1

ScaleCrop
No

CompObjUserTypeLen
39

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 36d65dbe39a16893a8fc408c0aa50c1c
SHA1 0db295e89806511bd1c188d29291e630792c98a2
SHA256 d21eb79b506d7a5409d96d5696245071932fbc547eebd425be6b03e5d9fc54b7
ssdeep 1536:Jgb6Evkehxknn10P5UkJ+OpHOuC9TVIq:J87vhyn10P3+OpuuC9TV

File size 85.0 KB ( 87040 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: 12345, Template: Normal.dotm, Last Saved By: 12345, Revision Number: 6, Name of Creating Application: Microsoft Office Word, Total Editing Time: 07:00, Create Time/Date: Thu Jul 05 15:57:00 2018, Last Saved Time/Date: Thu Jul 05 16:04:00 2018, Number of Pages: 1, Number of Words: 6, Number of Characters: 35, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated macros run-file doc

VirusTotal metadata
First submission 2018-07-06 17:06:27 UTC ( 8 months, 2 weeks ago )
Last submission 2018-07-07 18:08:16 UTC ( 8 months, 2 weeks ago )
File names sus.doc
statement_130986.doc
07c0f2e9a926bad4f6182ec95449d0bab0715788