× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: d3fe95416bee247c718801b3e236c083cb7a84f7a49ca060279e841a20bc7a7e
File name: zbetcheckin_tracker_Paid-Invoices
Detection ratio: 19 / 61
Analysis date: 2018-10-03 06:47:47 UTC ( 5 months, 3 weeks ago ) View latest
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20181003
Cyren W97M/Downldr 20181003
Emsisoft Trojan-Downloader.Macro.Generic.H (A) 20181003
Endgame malicious (high confidence) 20180730
ESET-NOD32 VBA/TrojanDownloader.Agent.KVV 20181003
F-Prot New or modified W97M/Downldr 20181003
Fortinet VBA/Agent.KVT!tr.dldr 20181003
Ikarus Trojan.VBA.Agent 20181002
K7AntiVirus Trojan ( 00536d111 ) 20181003
K7GW Trojan ( 00536d111 ) 20181001
Microsoft Trojan:Script/Foretype.A!ml 20181003
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20181003
Qihoo-360 virus.office.qexvmc.1095 20181003
SentinelOne (Static ML) static engine - malicious 20180926
Symantec ISB.Downloader!gen69 20181003
TACHYON Suspicious/W97M.Obfus.Gen.1 20181003
Tencent Heur.Macro.Generic.Gen.a 20181003
TrendMicro HEUR_VBA.O2 20181003
Zoner Probably W97Shell 20181002
Ad-Aware 20181003
AegisLab 20181003
AhnLab-V3 20181002
Alibaba 20180921
ALYac 20181003
Antiy-AVL 20181003
Avast 20181003
Avast-Mobile 20181003
AVG 20181003
Avira (no cloud) 20181003
AVware 20180925
Babable 20180918
Baidu 20180930
BitDefender 20181003
Bkav 20181002
CAT-QuickHeal 20181001
ClamAV 20181003
CMC 20181003
Comodo 20181003
CrowdStrike Falcon (ML) 20180723
Cybereason 20180225
Cylance 20181003
DrWeb 20181003
eGambit 20181003
F-Secure 20181003
GData 20181003
Sophos ML 20180717
Jiangmin 20181003
Kaspersky 20181003
Kingsoft 20181003
Malwarebytes 20181003
MAX 20181003
McAfee 20181003
McAfee-GW-Edition 20181003
eScan 20181003
Palo Alto Networks (Known Signatures) 20181003
Panda 20181002
Rising 20181003
Sophos AV 20181003
SUPERAntiSpyware 20180907
Symantec Mobile Insight 20181001
TheHacker 20181001
TotalDefense 20181003
TrendMicro-HouseCall 20181003
Trustlook 20181003
VBA32 20181002
VIPRE 20181003
ViRobot 20181002
Webroot 20181003
Yandex 20180927
Zillya 20181002
ZoneAlarm by Check Point 20180925
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2018-10-02 23:41:00
template
Normal.dotm
author
Caleb Caleb
page_count
1
last_saved
2018-10-02 23:41:00
word_count
7
revision_number
1
application_name
Microsoft Office Word
character_count
46
code_page
Latin I
Document summary
line_count
1
company
Caleb Caleb
characters_with_spaces
52
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
4160
type_literal
stream
size
114
name
\x01CompObj
sid
19
type_literal
stream
size
292
name
\x05DocumentSummaryInformation
sid
5
type_literal
stream
size
412
name
\x05SummaryInformation
sid
4
type_literal
stream
size
7564
name
1Table
sid
2
type_literal
stream
size
20259
name
Data
sid
1
type_literal
stream
size
491
name
Macros/PROJECT
sid
18
type_literal
stream
size
110
name
Macros/PROJECTwm
sid
17
type_literal
stream
size
5068
type
macro
name
Macros/VBA/PvnlWZljCRanFH
sid
8
type_literal
stream
size
31060
type
macro
name
Macros/VBA/YktwHUaEs
sid
11
type_literal
stream
size
21534
name
Macros/VBA/_VBA_PROJECT
sid
13
type_literal
stream
size
1313
name
Macros/VBA/__SRP_0
sid
15
type_literal
stream
size
110
name
Macros/VBA/__SRP_1
sid
16
type_literal
stream
size
292
name
Macros/VBA/__SRP_2
sid
9
type_literal
stream
size
103
name
Macros/VBA/__SRP_3
sid
10
type_literal
stream
size
641
name
Macros/VBA/dir
sid
14
type_literal
stream
size
9472
type
macro
name
Macros/VBA/hqqkmBEjUL
sid
12
type_literal
stream
size
4096
name
WordDocument
sid
3
Macros and VBA code streams
[+] PvnlWZljCRanFH.cls Macros/VBA/PvnlWZljCRanFH 1391 bytes
obfuscated
[+] YktwHUaEs.bas Macros/VBA/YktwHUaEs 12109 bytes
obfuscated
[+] hqqkmBEjUL.bas Macros/VBA/hqqkmBEjUL 3190 bytes
obfuscated run-file
ExifTool file metadata
SharedDoc
No

Author
Caleb Caleb

CodePage
Windows Latin 1 (Western European)

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
52

CreateDate
2018:10:02 22:41:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2018:10:02 22:41:00

ScaleCrop
No

Company
Caleb Caleb

Characters
46

HyperlinksChanged
No

RevisionNumber
1

MIMEType
application/msword

Words
7

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

CompObjUserTypeLen
32

Warning
Truncated property list

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 df1711b7f381acbde559349c062fc9b5
SHA1 0dc20da08bde2ae867d193c9894f271b3ff4630a
SHA256 d3fe95416bee247c718801b3e236c083cb7a84f7a49ca060279e841a20bc7a7e
ssdeep
1536:KptJlmrJpmxlRw99NBs+a8QUUUi0fvywGyoqSGCBAzuPSTC9:Wte2dw99f7fvywTSAzk

File size 115.3 KB ( 118016 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Caleb Caleb, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 01 22:41:00 2018, Last Saved Time/Date: Mon Oct 01 22:41:00 2018, Number of Pages: 1, Number of Words: 7, Number of Characters: 46, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc

VirusTotal metadata
First submission 2018-10-03 06:47:47 UTC ( 5 months, 3 weeks ago )
Last submission 2018-10-03 06:47:47 UTC ( 5 months, 3 weeks ago )
File names PAYMENT #4779855TVYJTI.doc
New invoice 11CAT48422.doc
SEP #425YVGDMGIQ.doc
zbetcheckin_tracker_Paid-Invoices
BIZ #521XILSVQMZ.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!