SHA256: e0f8f0ae3022336f8a3eaeda88ef97297af862b86fef2c91310d55b631915169
File name: 12236860 Rechnung.doc
Detection ratio: 13 / 57
Analysis date: 2018-12-19 08:03:18 UTC (2 months ago)
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20181219
Endgame malicious (high confidence) 20181108
Fortinet VBA/Agent.LWI!tr.dldr 20181219
Kaspersky HEUR:Trojan-Downloader.MSOffice.SLoad.gen 20181219
McAfee W97M/Downloader!BF7B8607E371 20181219
McAfee-GW-Edition BehavesLike.Downloader.ml 20181219
Microsoft Trojan:Script/Foretype.A!ml 20181218
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20181219
Rising Macro.Agent.dx (CLASSIC) 20181219
SentinelOne (Static ML) static engine - malicious 20181011
Symantec ISB.Downloader!gen186 20181219
TACHYON Suspicious/W97M.Obfus.Gen.6 20181219
ZoneAlarm by Check Point HEUR:Trojan-Downloader.MSOffice.SLoad.gen 20181219
Acronis 20180726
Ad-Aware 20181219
AegisLab 20181219
AhnLab-V3 20181219
Alibaba 20180921
ALYac 20181219
Antiy-AVL 20181218
Avast 20181219
Avast-Mobile 20181218
AVG 20181219
Avira (no cloud) 20181219
Babable 20180918
Baidu 20181207
BitDefender 20181219
Bkav 20181217
CAT-QuickHeal 20181218
ClamAV 20181219
CMC 20181218
Comodo 20181219
CrowdStrike Falcon (ML) 20181022
Cybereason 20180225
Cylance 20181219
Cyren 20181219
DrWeb 20181219
eGambit 20181219
Emsisoft 20181219
ESET-NOD32 20181219
F-Prot 20181219
F-Secure 20181219
GData 20181219
Sophos ML 20181128
Jiangmin 20181219
K7AntiVirus 20181219
K7GW 20181219
Kingsoft 20181219
Malwarebytes 20181219
MAX 20181219
eScan 20181219
Palo Alto Networks (Known Signatures) 20181219
Panda 20181218
Qihoo-360 20181219
Sophos AV 20181219
SUPERAntiSpyware 20181212
Symantec Mobile Insight 20181215
Tencent 20181219
TheHacker 20181216
Trapmine 20181205
TrendMicro 20181219
TrendMicro-HouseCall 20181219
Trustlook 20181219
VBA32 20181218
ViRobot 20181218
Webroot 20181219
Yandex 20181218
Zillya 20181217
Zoner 20181219
The file being studied follows the Compound Document File format. More specifically, it is an MS Word document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
creation_datetime: 2018-12-19 06:58:00
template: Normal.dotm
page_count: 1
last_saved: 2018-12-19 06:58:00
word_count: 2
revision_number: 1
application_name: Microsoft Office Word
character_count: 15
code_page: Latin I
Document summary
line_count: 1
characters_with_spaces: 16
version: 1048576
paragraph_count: 1
code_page: Latin I
OLE Streams
Root Entry: type_literal root, sid 0, size 25600, clsid 00020906-0000-0000-c000-000000000046, clsid_literal MS Word

name | type_literal | size | sid | type
\x01CompObj | stream | 114 | 39 | -
\x05DocumentSummaryInformation | stream | 280 | 12 | -
\x05SummaryInformation | stream | 404 | 11 | -
1Table | stream | 7960 | 10 | -
Data | stream | 29684 | 1 | -
Macros/PROJECT | stream | 1254 | 38 | -
Macros/PROJECTwm | stream | 569 | 37 | -
Macros/VBA/A09120795 | stream | 678 | 24 | macro (only attributes)
Macros/VBA/C778537235433 | stream | 682 | 21 | macro (only attributes)
Macros/VBA/E278181547 | stream | 679 | 25 | macro (only attributes)
Macros/VBA/I719657549651 | stream | 991 | 29 | macro (only attributes)
Macros/VBA/K17715104 | stream | 988 | 31 | macro (only attributes)
Macros/VBA/K9829146080015 | stream | 683 | 22 | macro (only attributes)
Macros/VBA/O4860898568 | stream | 680 | 26 | macro (only attributes)
Macros/VBA/Q564627277327 | stream | 993 | 30 | macro (only attributes)
Macros/VBA/S6815127 | stream | 2940 | 18 | macro
Macros/VBA/T85003864 | stream | 1474 | 15 | macro
Macros/VBA/W8964317312 | stream | 990 | 32 | macro (only attributes)
Macros/VBA/_VBA_PROJECT | stream | 6678 | 33 | -
Macros/VBA/__SRP_0 | stream | 2329 | 35 | -
Macros/VBA/__SRP_1 | stream | 242 | 36 | -
Macros/VBA/__SRP_2 | stream | 428 | 16 | -
Macros/VBA/__SRP_3 | stream | 142 | 17 | -
Macros/VBA/dir | stream | 1584 | 34 | -
Macros/VBA/i09233453287623 | stream | 684 | 20 | macro (only attributes)
Macros/VBA/m24336478 | stream | 678 | 19 | macro (only attributes)
Macros/VBA/p3646675 | stream | 987 | 28 | macro (only attributes)
Macros/VBA/u604212895191 | stream | 993 | 27 | macro (only attributes)
Macros/VBA/z6862423 | stream | 677 | 23 | macro (only attributes)
ObjectPool/_1606715037/\x01CompObj | stream | 116 | 6 | -
ObjectPool/_1606715037/\x03OCXNAME | stream | 20 | 8 | -
ObjectPool/_1606715037/\x03ObjInfo | stream | 6 | 7 | -
ObjectPool/_1606715037/\x03PRINT | stream | 514 | 5 | -
ObjectPool/_1606715037/contents | stream | 896 | 9 | -
WordDocument | stream | 4096 | 2 | -
Macros and VBA code streams
[+] T85003864.cls Macros/VBA/T85003864 29 bytes
[+] S6815127.bas Macros/VBA/S6815127 1249 bytes
obfuscated run-file
ExifTool file metadata
SharedDoc: No
CodePage: Windows Latin 1 (Western European)
System: Windows
LinksUpToDate: No
HeadingPairs: Title, 1
Identification: Word 8.0
Template: Normal.dotm
CharCountWithSpaces: 16
CreateDate: 2018:12:19 05:58:00
Word97: No
LanguageCode: English (US)
CompObjUserType: Microsoft Word 97-2003 Document
ModifyDate: 2018:12:19 05:58:00
ScaleCrop: No
Characters: 15
HyperlinksChanged: No
RevisionNumber: 1
MIMEType: application/msword
Words: 2
FileType: DOC
Lines: 1
AppVersion: 16.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 1
LastPrinted: 0000:00:00 00:00:00
DocFlags: Has picture, 1Table, ExtChar

File identification
MD5 bf7b8607e37141215439bf4e839bec08
SHA1 98703ba1ade124bca9abf38bd315e74a19c09ad2
SHA256 e0f8f0ae3022336f8a3eaeda88ef97297af862b86fef2c91310d55b631915169
ssdeep 768:KVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFB0mqQGriMJOKbEgKMgtfQm3YPZoQ/J:Kocn1kp59gxBK85fB0z5kKGTQ/+a9

File size 89.8 KB ( 91904 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 18 05:58:00 2018, Last Saved Time/Date: Tue Dec 18 05:58:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 15, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file doc

VirusTotal metadata
First submission 2018-12-19 07:40:09 UTC ( 2 months ago )
Last submission 2018-12-21 20:11:11 UTC ( 2 months ago )
File names Rechnung 6784-640.doc
Rechnung 1645221.doc
Rg 3182-589.doc
emotet_e1_e0f8f0ae3022336f8a3eaeda88ef97297af862b86fef2c91310d55b631915169_2018-12-19__07:50:03.doc
12236860 Rechnung.doc