× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: e007aec492e7d715ef55ecddc00c4a5b1b08bbb6e97e558db02841489e09f0fe
File name: RECH2415836300412.doc
Detection ratio: 10 / 56
Analysis date: 2019-03-13 09:36:13 UTC ( 1 month, 2 weeks ago ) View latest
Antivirus Result Update
Endgame malicious (high confidence) 20190215
Fortinet VBA/Agent.NBP!tr.dldr 20190313
Ikarus Trojan-Downloader.VBA.Agent 20190313
K7AntiVirus Trojan ( 00536d111 ) 20190313
K7GW Trojan ( 00536d111 ) 20190313
SentinelOne (Static ML) DFI - Malicious OLE 20190311
TACHYON Suspicious/W97M.Obfus.Gen.3 20190313
Tencent Heur.Macro.Generic.Gen.h 20190313
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20190313
Zoner Probably W97Obfuscated 20190312
Acronis 20190222
Ad-Aware 20190313
AegisLab 20190313
AhnLab-V3 20190313
Alibaba 20190306
ALYac 20190313
Antiy-AVL 20190313
Arcabit 20190313
Avast 20190313
Avast-Mobile 20190313
AVG 20190313
Avira (no cloud) 20190313
Babable 20180918
Baidu 20190306
BitDefender 20190313
Bkav 20190312
CAT-QuickHeal 20190312
ClamAV 20190312
CMC 20190313
Comodo 20190313
CrowdStrike Falcon (ML) 20190212
Cybereason 20190109
Cyren 20190313
DrWeb 20190313
eGambit 20190313
Emsisoft 20190313
ESET-NOD32 20190313
F-Secure 20190313
GData 20190313
Sophos ML 20181128
Jiangmin 20190313
Kaspersky 20190313
Kingsoft 20190313
Malwarebytes 20190313
MAX 20190313
McAfee 20190313
McAfee-GW-Edition 20190313
Microsoft 20190312
eScan 20190313
NANO-Antivirus 20190313
Palo Alto Networks (Known Signatures) 20190313
Panda 20190312
Qihoo-360 20190313
Rising 20190313
Sophos AV 20190313
SUPERAntiSpyware 20190307
Symantec Mobile Insight 20190220
TheHacker 20190308
TotalDefense 20190313
Trapmine 20190301
TrendMicro-HouseCall 20190313
Trustlook 20190313
VBA32 20190313
ViRobot 20190313
Yandex 20190312
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to hide the viewer or other applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2019-03-13 07:48:00
revision_number
1
page_count
1
word_count
1
last_saved
2019-03-13 07:48:00
template
Normal.dotm
application_name
Microsoft Office Word
character_count
6
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
6
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
3584
type_literal
stream
sid
19
name
\x01CompObj
size
114
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
2
name
1Table
size
7482
type_literal
stream
sid
1
name
Data
size
65344
type_literal
stream
sid
18
name
Macros/PROJECT
size
466
type_literal
stream
sid
17
name
Macros/PROJECTwm
size
74
type_literal
stream
sid
11
type
macro
name
Macros/VBA/FUBUQAUA
size
44958
type_literal
stream
sid
8
type
macro
name
Macros/VBA/TDZZAZ
size
9549
type_literal
stream
sid
13
name
Macros/VBA/_VBA_PROJECT
size
34208
type_literal
stream
sid
15
name
Macros/VBA/__SRP_0
size
1345
type_literal
stream
sid
16
name
Macros/VBA/__SRP_1
size
110
type_literal
stream
sid
9
name
Macros/VBA/__SRP_2
size
436
type_literal
stream
sid
10
name
Macros/VBA/__SRP_3
size
187
type_literal
stream
sid
14
name
Macros/VBA/dir
size
596
type_literal
stream
sid
12
type
macro
name
Macros/VBA/wQCAUwA
size
12277
type_literal
stream
sid
3
name
WordDocument
size
4096
Macros and VBA code streams
[+] TDZZAZ.cls Macros/VBA/TDZZAZ 4950 bytes
obfuscated
[+] FUBUQAUA.bas Macros/VBA/FUBUQAUA 26347 bytes
obfuscated
[+] wQCAUwA.bas Macros/VBA/wQCAUwA 6914 bytes
hide-app obfuscated
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
6

CreateDate
2019:03:13 06:48:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2019:03:13 06:48:00

Characters
6

CodePage
Windows Latin 1 (Western European)

RevisionNumber
1

MIMEType
application/msword

Words
1

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 d9ecbe79917baa7c8a9f47b3273cd161
SHA1 7e63d535dfb1337a78d3ada32940a9e18c0c490f
SHA256 e007aec492e7d715ef55ecddc00c4a5b1b08bbb6e97e558db02841489e09f0fe
ssdeep
6144:877HUUUUUUUUUUUUUUUUUUUT52V2yyYZ2OtXD7Nw:877HUUUUUUUUUUUUUUUUUUUTCSctX1w

File size 194.6 KB ( 199296 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Mar 12 06:48:00 2019, Last Saved Time/Date: Tue Mar 12 06:48:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 6, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros hide-app doc

VirusTotal metadata
First submission 2019-03-13 09:36:08 UTC ( 1 month, 2 weeks ago )
Last submission 2019-03-14 06:59:58 UTC ( 1 month, 1 week ago )
File names DET27097044228926.doc
2019_03_DET318578716907383.doc
emotet_e2_e007aec492e7d715ef55ecddc00c4a5b1b08bbb6e97e558db02841489e09f0fe_2019-03-13__093017.doc
2019_03_RECH2430492801.doc
FGPCD2494775458847913227.doc
RECH2415836300412.doc
2019_03_RECH3040417657504.doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!