SHA256: ec9d519ea6c683f8813af50db2135a51bab17afd610095464ad7fda1cf836ae7
File name: fixed_derek_scan.docm
Detection ratio: 23 / 61
Analysis date: 2017-12-01 06:43:02 UTC ( 1 year, 1 month ago )
Antivirus Result Update
Ad-Aware VB:Trojan.Agent.CQEZ 20171201
Arcabit VB:Trojan.Agent.CQEZ 20171201
Avast VBA:Downloader-EXJ [Trj] 20171201
AVG VBA:Downloader-EXJ [Trj] 20171201
Avira (no cloud) HEUR/Macro.Downloader 20171201
AVware LooksLike.Macro.Downloader.a (v) 20171201
Baidu VBA.Trojan-Downloader.Agent.cel 20171201
BitDefender VB:Trojan.Agent.CQEZ 20171201
CAT-QuickHeal O97M.Dropper.R 20171130
Cyren PP97M/Downldr.K.gen 20171201
Emsisoft VB:Trojan.Agent.CQEZ (B) 20171201
F-Prot PP97M/Downldr.K.gen 20171201
F-Secure Trojan:W97M/MaliciousMacro.GEN 20171201
Fortinet W97M/Agent.AAR!tr 20171201
GData VB:Trojan.Agent.CQEZ 20171201
Kaspersky HEUR:Trojan-Downloader.Script.Generic 20171201
MAX malware (ai score=85) 20171201
Microsoft TrojanDownloader:W97M/Broxoff.gen!A 20171201
eScan VB:Trojan.Agent.CQEZ 20171201
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20171201
Rising Macro.Run.c (CLASSIC) 20171201
Tencent Heur.MSWord.Downloader.d 20171201
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20171201
AegisLab 20171201
AhnLab-V3 20171130
Alibaba 20171201
ALYac 20171201
Antiy-AVL 20171201
Avast-Mobile 20171130
Bkav 20171129
ClamAV 20171201
CMC 20171201
Comodo 20171201
CrowdStrike Falcon (ML) 20171016
Cybereason None
Cylance 20171201
DrWeb 20171201
eGambit 20171201
Endgame 20171130
ESET-NOD32 20171201
Ikarus 20171130
Sophos ML 20170914
Jiangmin 20171201
K7AntiVirus 20171201
K7GW 20171201
Kingsoft 20171201
Malwarebytes 20171201
McAfee 20171201
McAfee-GW-Edition 20171201
nProtect 20171201
Palo Alto Networks (Known Signatures) 20171201
Panda 20171130
Qihoo-360 20171201
SentinelOne (Static ML) 20171113
Sophos AV 20171201
SUPERAntiSpyware 20171130
Symantec 20171201
Symantec Mobile Insight 20171130
TheHacker 20171130
TotalDefense 20171201
TrendMicro 20171201
TrendMicro-HouseCall 20171201
Trustlook 20171201
VBA32 20171130
VIPRE 20171201
ViRobot 20171201
Webroot 20171201
WhiteArmor 20171104
Yandex 20171120
Zillya 20171129
Zoner 20171201
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command so that a task can be carried out automatically. Macros are often abused to perform malicious actions when a document is opened.
May read system environment variables.
May open a file.
May write to a file.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
May try to download additional files from the Internet.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 1049 bytes
exe-pattern url-pattern create-file create-ole download environ obfuscated open-file run-file write-file
Content types
bin
rels
png
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:title 23581762
dc:creator 02511007
dc:description 3737330951
cp:lastModifiedBy Derek
cp:revision 2
dcterms:created 2017-12-01T06:41:00Z
dcterms:modified 2017-12-01T06:41:00Z
cp:category 88898184
Application document properties
Template Normal.dotm
TotalTime 1
Pages 1
Words 59
Characters 340
Application Microsoft Office Word
DocSecurity 0
Lines 2
Paragraphs 1
ScaleCrop false
vt:lpstr Title
vt:i4 1
vt:lpstr 23581762
Company 1185138648
LinksUpToDate false
CharactersWithSpaces 398
SharedDoc false
HyperlinksChanged false
AppVersion 15.0000
Document languages
Language Prevalence
en-us 2
ar-sa 1
ExifTool file metadata
Category 88898184
SharedDoc No
Title 23581762
HyperlinksChanged No
TitlesOfParts 23581762
LinksUpToDate No
LastModifiedBy Derek
Application Microsoft Office Word
ZipFileName [Content_Types].xml
Template Normal.dotm
ZipRequiredVersion 20
ModifyDate 2017:12:01 06:41:00Z
Description 3737330951
ZipCRC 0x29d901d6
Company 1185138648
Words 59
Pages 1
RevisionNumber 2
MIMEType application/vnd.ms-word.document.macroEnabled
ZipBitFlag 0x0006
CreateDate 2017:12:01 06:41:00Z
Lines 2
AppVersion 15.0
ZipUncompressedSize 2160
ZipCompressedSize 472
Characters 340
CharactersWithSpaces 398
DocSecurity None
ZipModifyDate 1980:01:01 00:00:00
FileType DOCM
HeadingPairs Title, 1
TotalEditTime 1 minute
ZipCompression Deflated
ScaleCrop No
Creator 02511007
FileTypeExtension docm
Paragraphs 1
The file being studied is a compressed stream. Details about the compressed contents follow.
Contained files
Compression metadata
Contained files 24
Uncompressed size 82309
Highest datetime 1980-01-01 00:00:00
Lowest datetime 1980-01-01 00:00:00
Contained files by extension
xml 16
png 2
bin 1
Contained files by type
XML 20
PNG 2
unknown 1
Microsoft Office 1
File identification
MD5 4da6fdea2658bd993a548391e21c9b10
SHA1 ded6191d838ae1eef1a828e588c90bb345c98307
SHA256 ec9d519ea6c683f8813af50db2135a51bab17afd610095464ad7fda1cf836ae7
ssdeep 384:CtckGnCxDMOAm6eM/lZ2RpoETxmh9fPxSz0YD3fdUvGWH1lf/r0NeLIaDG:6GkDMOCPl06h7kJUvGWHXYeLfDG
File size 27.3 KB ( 27975 bytes )
File type Office Open XML Document
Magic literal Zip archive data, at least v2.0 to extract
TrID Word Microsoft Office Open XML Format document (with Macro) (53.0%)
Word Microsoft Office Open XML Format document (23.9%)
Open Packaging Conventions container (17.8%)
ZIP compressed archive (4.0%)
PrintFox/Pagefox bitmap (var. P) (1.0%)
Tags
obfuscated run-file exe-pattern url-pattern docx create-file open-file macros environ download write-file create-ole
VirusTotal metadata
First submission 2017-12-01 06:43:02 UTC ( 1 year, 1 month ago )
Last submission 2018-01-02 18:06:10 UTC ( 1 year ago )
File names fixed_derek_scan.docm