SHA256: ed57709d1335dfcbf79eea28aba4bfb518303eb2f19edc8dfc687c9fe68362e3
File name: OTRTRZH.docm
Detection ratio: 13 / 57
Analysis date: 2017-05-23 15:12:34 UTC ( 2 months, 4 weeks ago )
Antivirus | Result | Update
AhnLab-V3 | WM/Downloader | 20170523
Antiy-AVL | Trojan[Downloader]/MSOffice.Agent.ab | 20170523
CAT-QuickHeal | O97M.Downloader.AJK | 20170523
F-Secure | Trojan-Downloader:W97M/Dridex.Z | 20170523
GData | Macro.Trojan-Downloader.Agent.ZV | 20170523
Ikarus | Trojan-Downloader.VBA.Jaff | 20170523
McAfee | W97M/Downloader.bze | 20170523
McAfee-GW-Edition | W97M/Downloader.bze | 20170523
NANO-Antivirus | Trojan.Ole2.Vbs-heuristic.druvzi | 20170523
Panda | O97M/Downloader | 20170522
Qihoo-360 | virus.office.obfuscated.1 | 20170523
TrendMicro | HEUR_VBA.O2 | 20170523
ZoneAlarm by Check Point | HEUR:Trojan-Downloader.Script.Generic | 20170523
Ad-Aware | (not detected) | 20170523
AegisLab | (not detected) | 20170523
Alibaba | (not detected) | 20170523
ALYac | (not detected) | 20170523
Arcabit | (not detected) | 20170523
Avast | (not detected) | 20170523
AVG | (not detected) | 20170523
Avira (no cloud) | (not detected) | 20170523
AVware | (not detected) | 20170523
BitDefender | (not detected) | 20170523
Bkav | (not detected) | 20170523
ClamAV | (not detected) | 20170523
CMC | (not detected) | 20170523
Comodo | (not detected) | 20170523
CrowdStrike Falcon (ML) | (not detected) | 20170130
Cyren | (not detected) | 20170523
DrWeb | (not detected) | 20170523
Emsisoft | (not detected) | 20170523
Endgame | (not detected) | 20170515
ESET-NOD32 | (not detected) | 20170523
F-Prot | (not detected) | 20170523
Fortinet | (not detected) | 20170523
Sophos ML | (not detected) | 20170519
Jiangmin | (not detected) | 20170523
K7AntiVirus | (not detected) | 20170523
K7GW | (not detected) | 20170523
Kaspersky | (not detected) | 20170523
Kingsoft | (not detected) | 20170523
Malwarebytes | (not detected) | 20170523
Microsoft | (not detected) | 20170523
eScan | (not detected) | 20170523
nProtect | (not detected) | 20170523
Palo Alto Networks (Known Signatures) | (not detected) | 20170523
Rising | (not detected) | 20170523
SentinelOne (Static ML) | (not detected) | 20170516
Sophos AV | (not detected) | 20170523
SUPERAntiSpyware | (not detected) | 20170523
Symantec | (not detected) | 20170523
Symantec Mobile Insight | (not detected) | 20170523
Tencent | (not detected) | 20170523
TheHacker | (not detected) | 20170522
TrendMicro-HouseCall | (not detected) | 20170523
Trustlook | (not detected) | 20170523
VBA32 | (not detected) | 20170523
VIPRE | (not detected) | 20170523
ViRobot | (not detected) | 20170523
Webroot | (not detected) | 20170523
WhiteArmor | (not detected) | 20170517
Yandex | (not detected) | 20170518
Zillya | (not detected) | 20170523
Zoner | (not detected) | 20170523
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May open a file.
May write to a file.
May perform operations with other files.
May create OLE objects.
May enumerate open windows.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls | word/vbaProject.bin | VBA/ThisDocument | 78 bytes
[+] STRIX.cls | word/vbaProject.bin | VBA/STRIX | 339 bytes
[+] Module3.bas | word/vbaProject.bin | VBA/Module3 | 1569 bytes
    tags: create-ole enum-windows obfuscated
[+] Module1.bas | word/vbaProject.bin | VBA/Module1 | 572 bytes
[+] Module2.bas | word/vbaProject.bin | VBA/Module2 | 6625 bytes
    tags: exe-pattern create-ole handle-file obfuscated open-file write-file
Content types
bin
rels
jpg
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator: 1
cp:lastModifiedBy: 1
cp:revision: 2
dcterms:created: 2017-05-23T09:57:00Z
dcterms:modified: 2017-05-23T09:57:00Z
cp:contentStatus: Microsoft.XMLHTTPTESLAAdodb.streaMTESLAshell.ApplicationTESLAWscript.shellTESLAProcessTESLAGeTTESLATeMPTESLATypeTESLAopenTESLAwriteTESLAresponseBodyTESLAsavetofileTESLA\\levinsky.exe
Application document properties
Template: Normal.dotm
TotalTime: 0
Pages: 2
Words: 1
Characters: 6
Application: Microsoft Office Word
DocSecurity: 0
Lines: 1
Paragraphs: 1
ScaleCrop: false
vt:lpstr: Название
vt:i4: 1
LinksUpToDate: false
CharactersWithSpaces: 6
SharedDoc: false
HyperlinksChanged: false
AppVersion: 16.0000
Document languages
Language | Prevalence
ru-ru | 3
en-us | 1
ar-sa | 1
ExifTool file metadata
SharedDoc: No
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: 1
HeadingPairs: , 1
ZipFileName: [Content_Types].xml
Template: Normal.dotm
ZipRequiredVersion: 20
ModifyDate: 2017:05:23 09:57:00Z
ZipCRC: 0x199c740e
Words: 1
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/vnd.ms-word.document.macroEnabled
ZipBitFlag: 0x0006
CreateDate: 2017:05:23 09:57:00Z
Lines: 1
AppVersion: 16.0
ZipUncompressedSize: 1636
ZipCompressedSize: 427
Characters: 6
CharactersWithSpaces: 6
DocSecurity: None
ZipModifyDate: 1980:01:01 00:00:00
FileType: DOCM
Application: Microsoft Office Word
TotalEditTime: 0
ZipCompression: Deflated
Pages: 2
Creator: 1
FileTypeExtension: docm
Paragraphs: 1
ContentStatus: Microsoft.XMLHTTPTESLAAdodb.streaMTESLAshell.ApplicationTESLAWscript.shellTESLAProcessTESLAGeTTESLATeMPTESLATypeTESLAopenTESLAwriteTESLAresponseBodyTESLAsavetofileTESLA\levinsky.exe

The file being studied is a compressed stream (a ZIP container). Details about the compressed contents follow.
Contained files
Compression metadata
Contained files: 18
Uncompressed size: 131099
Highest datetime: 1980-01-01 00:00:00
Lowest datetime: 1980-01-01 00:00:00
Contained files by extension
xml: 12
bin: 1
jpg: 1
Contained files by type
XML: 16
Microsoft Office: 1
JPG: 1
File identification
MD5: f40273edadf7d675f7b61f57b1e3305f
SHA1: c22af9c7aa87e1550b36d9e49d37c2fb08666b99
SHA256: ed57709d1335dfcbf79eea28aba4bfb518303eb2f19edc8dfc687c9fe68362e3
ssdeep: 1536:KpC6P2eKdPzvFnJHrul2hBbhs/hT7opC6P2eKdPzvFnJHrul2hBbhs/hT75:KpZeJhvHLqCNUTcpZeJhvHLqCNUTd
File size: 122.1 KB ( 125044 bytes )
File type: Office Open XML Document
Magic literal: Zip archive data, at least v2.0 to extract
TrID:
  Word Microsoft Office Open XML Format document (with Macro) (53.6%)
  Word Microsoft Office Open XML Format document (24.2%)
  Open Packaging Conventions container (18.0%)
  ZIP compressed archive (4.1%)
Tags
obfuscated open-file enum-windows exe-pattern handle-file docx macros write-file create-ole

VirusTotal metadata
First submission: 2017-05-23 15:12:34 UTC ( 2 months, 4 weeks ago )
Last submission: 2017-05-24 02:48:05 UTC ( 2 months, 3 weeks ago )
File names:
  ed57709d1335dfcbf79eea28aba4bfb518303eb2f19edc8dfc687c9fe68362e3.bin
  OTRTRZH.docm