SHA256: eb9a56652f5c6c434722538660807dc2d3edb816e3e99ab15a17119ff018a02f
File name: INV000336-132090.docm
Detection ratio: 7 / 56
Analysis date: 2016-05-27 10:46:22 UTC ( 1 year, 4 months ago )
Antivirus Result Update
AhnLab-V3 W97M/Downloader 20160527
Arcabit HEUR.VBA.Trojan.d 20160527
Baidu VBA.Trojan-Downloader.Agent.ahz 20160527
F-Secure Trojan:W97M/MaliciousMacro.GEN 20160527
Ikarus Trojan-Downloader.VBA.Agent 20160527
Qihoo-360 virus.office.obfuscated.1 20160527
Rising Downloader.Agent/VBA!1.A517 20160527
Ad-Aware 20160527
AegisLab 20160527
Alibaba 20160527
ALYac 20160527
Antiy-AVL 20160527
Avast 20160527
AVG 20160527
Avira (no cloud) 20160527
AVware 20160527
Baidu-International 20160527
BitDefender 20160527
Bkav 20160527
CAT-QuickHeal 20160527
ClamAV 20160527
CMC 20160523
Comodo 20160527
Cyren 20160527
DrWeb 20160527
Emsisoft 20160527
ESET-NOD32 20160527
F-Prot 20160527
Fortinet 20160527
GData 20160527
Jiangmin 20160527
K7AntiVirus 20160527
K7GW 20160527
Kaspersky 20160527
Kingsoft 20160527
Malwarebytes 20160527
McAfee 20160527
McAfee-GW-Edition 20160527
Microsoft 20160527
eScan 20160527
NANO-Antivirus 20160527
nProtect 20160527
Panda 20160526
Sophos AV 20160527
SUPERAntiSpyware 20160527
Symantec 20160527
Tencent 20160527
TheHacker 20160526
TrendMicro 20160527
TrendMicro-HouseCall 20160527
VBA32 20160527
VIPRE 20160527
ViRobot 20160527
Yandex 20160526
Zillya 20160526
Zoner 20160527
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May create additional files.
May create OLE objects.
Seems to contain deobfuscation code.
Macros and VBA code streams
ThisDocument.cls (word/vbaProject.bin, VBA/ThisDocument, 171 bytes): email-pattern exe-pattern
Module1.bas (word/vbaProject.bin, VBA/Module1, 15416 bytes): email-pattern exe-pattern url-pattern create-ole open-file
Module2.bas (word/vbaProject.bin, VBA/Module2, 4240 bytes): create-file obfuscated write-file
Module3.bas (word/vbaProject.bin, VBA/Module3, 10310 bytes): exe-pattern url-pattern
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
creator: 1
lastModifiedBy: 1
revision: 2
created: 2016-05-27T08:20:00Z
modified: 2016-05-27T08:20:00Z
Application document properties
Template: Normal
TotalTime: 0
Pages: 1
Words: 0
Characters: 0
Application: Microsoft Office Word
DocSecurity: 0
Lines: 0
Paragraphs: 0
ScaleCrop: false
Company: Home
LinksUpToDate: false
CharactersWithSpaces: 0
SharedDoc: false
HyperlinksChanged: false
AppVersion: 14.0000
Document languages
Language: Prevalence
en-us: 2
ar-sa: 1
ExifTool file metadata
SharedDoc: No
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: 1
Application: Microsoft Office Word
ZipFileName: [Content_Types].xml
Template: Normal
CreateDate: 2016:05:27 08:20:00Z
ZipRequiredVersion: 20
ModifyDate: 2016:05:27 08:20:00Z
ZipCRC: 0x4dc12e6a
Company: Home
Words: 0
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/vnd.ms-word.document.macroEnabled
ZipBitFlag: 0x0006
FileType: DOCM
Lines: 0
AppVersion: 14.0
ZipUncompressedSize: 1563
ZipCompressedSize: 419
Characters: 0
CharactersWithSpaces: 0
DocSecurity: None
ZipModifyDate: 1980:01:01 00:00:00
Creator: 1
TotalEditTime: 0
ZipCompression: Deflated
Pages: 1
FileTypeExtension: docm
Paragraphs: 0

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files: 15
Uncompressed size: 129216
Highest datetime: 1980-01-01 00:00:00
Lowest datetime: 1980-01-01 00:00:00
Contained files by extension
xml: 11
bin: 1
Contained files by type
XML: 14
Microsoft Office: 1
File identification
MD5 9729af2c92f505dacd42166c1f1ee0c8
SHA1 829b5b11fb4257f9462d813f313009bac2d046ea
SHA256 eb9a56652f5c6c434722538660807dc2d3edb816e3e99ab15a17119ff018a02f
ssdeep 768:3FJ6i66YS2VhKi0XeEReKda2HZCyaGGoDaSDSFkuHjkC9j+lfwCnC8bV1sH:3yi6BNVcikRrdaWCyaGNDaSDSFkuHICL
File size 47.9 KB ( 49060 bytes )
File type Office Open XML Document
Magic literal Zip archive data, at least v2.0 to extract
TrID Word Microsoft Office Open XML Format document (with Macro) (59.4%)
Word Microsoft Office Open XML Format document (36.0%)
ZIP compressed archive (4.5%)
Tags
obfuscated open-file exe-pattern email-pattern url-pattern create-file docx macros write-file create-ole

VirusTotal metadata
First submission 2016-05-27 08:56:38 UTC ( 1 year, 4 months ago )
Last submission 2016-05-27 10:46:22 UTC ( 1 year, 4 months ago )
File names INV000336-132090.docm
0003_.b64.zip