SHA256: d72bfcbf638e22979b2427f776738ef8dc95477bc8a29a3eae3534544dd5c49a
File name: 1aacc472-73e5-43cd-bbd8-5fe843db7b4d.doc
Detection ratio: 24 / 58
Analysis date: 2018-11-13 19:43:46 UTC ( 4 months, 1 week ago )
Antivirus | Result | Update
Ad-Aware | VB.Downloader.2.Gen | 20181112
AhnLab-V3 | W97M/Downloader | 20181113
Arcabit | HEUR.VBA.Trojan.d | 20181113
Avast | MO97:Downloader-WT [Trj] | 20181113
AVG | MO97:Downloader-WT [Trj] | 20181113
Baidu | VBA.Trojan-Downloader.Agent.dlq | 20181112
BitDefender | VB.Downloader.2.Gen | 20181113
ClamAV | Doc.Downloader.Generic-6698422-0 | 20181113
Emsisoft | VB.Downloader.2.Gen (B) | 20181113
Endgame | malicious (high confidence) | 20181108
F-Secure | VB.Downloader.2.Gen | 20181113
GData | VB.Downloader.2.Gen | 20181113
Kaspersky | HEUR:Trojan-Downloader.Script.Generic | 20181113
MAX | malware (ai score=82) | 20181113
McAfee-GW-Edition | BehavesLike.Downloader.nx | 20181113
eScan | VB.Downloader.2.Gen | 20181113
NANO-Antivirus | Trojan.Ole2.Vbs-heuristic.druvzi | 20181113
Qihoo-360 | heur.macro.powershell.a | 20181113
Rising | Trojan.DL-Agent/Macro!1.A495 (CLASSIC) | 20181113
SentinelOne (Static ML) | static engine - malicious | 20181011
TACHYON | Suspicious/W97M.Download.Gen | 20181113
Tencent | Heur.Macro.Generic.Gen.a | 20181113
ZoneAlarm by Check Point | HEUR:Trojan-Downloader.Script.Generic | 20181113
Zoner | Probably W97Shell | 20181113
AegisLab | | 20181113
Alibaba | | 20180921
Antiy-AVL | | 20181113
Avast-Mobile | | 20181113
Avira (no cloud) | | 20181113
Babable | | 20180918
Bkav | | 20181113
CAT-QuickHeal | | 20181113
CMC | | 20181113
CrowdStrike Falcon (ML) | | 20181022
Cybereason | | 20180308
Cylance | | 20181113
Cyren | | 20181113
DrWeb | | 20181113
eGambit | | 20181113
ESET-NOD32 | | 20181113
F-Prot | | 20181113
Fortinet | | 20181113
Ikarus | | 20181113
Sophos ML | | 20181108
Jiangmin | | 20181113
K7AntiVirus | | 20181113
K7GW | | 20181113
Kingsoft | | 20181113
Malwarebytes | | 20181113
McAfee | | 20181113
Microsoft | | 20181113
Palo Alto Networks (Known Signatures) | | 20181113
Panda | | 20181113
Sophos AV | | 20181113
SUPERAntiSpyware | | 20181107
Symantec | | 20181113
Symantec Mobile Insight | | 20181108
TheHacker | | 20181108
TotalDefense | | 20181113
TrendMicro | | 20181113
TrendMicro-HouseCall | | 20181113
Trustlook | | 20181113
VBA32 | | 20181113
VIPRE | | 20181113
ViRobot | | 20181113
Webroot | | 20181113
Yandex | | 20181113
Zillya | | 20181113
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
Automatically runs commands or instructions when the file is opened.
May open a file.
May write to a file.
May try to run other files, shell commands or applications.
May execute powershell commands.
May enumerate open windows.
May try to download additional files from the Internet.
Summary
last_author: me
creation_datetime: 2018-11-13 16:43:00
revision_number: 1
author: me
page_count: 1
last_saved: 2018-11-13 16:44:00
edit_time: 60
template: Normal.dotm
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
version: 1048576
code_page: Cyrillic
OLE Streams
sid | type_literal | name | size
0 | root | Root Entry (clsid 00020906-0000-0000-c000-000000000046, clsid_literal: MS Word) | 7616
12 | stream | \x01CompObj | 114
4 | stream | \x05DocumentSummaryInformation | 4096
3 | stream | \x05SummaryInformation | 4096
1 | stream | 1Table | 7350
11 | stream | Macros/PROJECT | 373
10 | stream | Macros/PROJECTwm | 41
7 | stream (type: macro) | Macros/VBA/ThisDocument | 3853
8 | stream | Macros/VBA/_VBA_PROJECT | 2499
9 | stream | Macros/VBA/dir | 522
2 | stream | WordDocument | 4096
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 1590 bytes
exe-pattern url-pattern auto-open download enum-windows open-file powershell run-file write-file
ExifTool file metadata
SharedDoc: No
Author: me
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: me
HeadingPairs: , 1
Identification: Word 8.0
Template: Normal.dotm
CharCountWithSpaces: 0
CreateDate: 2018:11:13 15:43:00
Word97: No
LanguageCode: Russian
CompObjUserType: ???????? Microsoft Word 97-2003
ModifyDate: 2018:11:13 15:44:00
Characters: 0
CodePage: Windows Cyrillic
RevisionNumber: 1
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 0
AppVersion: 16.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 1 minute
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 0
LastPrinted: 0000:00:00 00:00:00
DocFlags: 1Table, ExtChar

Compressed bundles
File identification
MD5: 05a7cc92e0075fdb3ab77800b9d06174
SHA1: e8b4d6606404e7d2968f213a9598a6bb62085f55
SHA256: d72bfcbf638e22979b2427f776738ef8dc95477bc8a29a3eae3534544dd5c49a
ssdeep: 384:4/MMMjAMuug3GbiSAoKXMVk4DUXk/ABRdN/GajEC0jIdt7:4/MMMjAMuugxMVkg/ATZnb
File size: 30.5 KB ( 31232 bytes )
File type: MS Word Document
Magic literal: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: me, Template: Normal.dotm, Last Saved By: me, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Nov 12 15:43:00 2018, Last Saved Time/Date: Mon Nov 12 15:44:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
TrID: Microsoft Word document (54.2%); Microsoft Word document (old ver.) (32.2%); Generic OLE2 / Multistream Compound File (13.5%)
Tags
open-file auto-open exe-pattern url-pattern run-file macros enum-windows doc download write-file powershell

VirusTotal metadata
First submission 2018-11-13 19:35:05 UTC ( 4 months, 1 week ago )
Last submission 2018-11-14 16:16:33 UTC ( 4 months, 1 week ago )
File names 1aacc472-73e5-43cd-bbd8-5fe843db7b4d.doc
invoices%E2%84%9654634587.doc