SHA256: ed7ae1e339015da0d3ae74125d2ad3a20713f3053824a30684b402a1594ebfdd
File name: malicious docm
Detection ratio: 36 / 60
Analysis date: 2017-12-01 01:25:09 UTC ( 2 months, 3 weeks ago )
Antivirus Result Update
Ad-Aware Trojan.Doc.Agent.K 20171130
AegisLab Troj.Downloader.Pdf!c 20171201
AhnLab-V3 W97M/Downloader 20171130
Antiy-AVL Trojan[Downloader]/PDF.Agent.aw 20171201
Arcabit Trojan.Doc.Agent.K 20171130
Avast VBA:Downloader-KN [Trj] 20171130
AVG VBA:Downloader-KN [Trj] 20171130
Avira (no cloud) W2000M/Agent.894612 20171130
AVware LooksLike.Macro.Malware.g (v) 20171130
Baidu VBA.Trojan-Dropper.Agent.fw 20171130
BitDefender Trojan.Doc.Agent.K 20171130
CAT-QuickHeal O97M.Dropper.GO 20171130
Cyren PP97M/Donoff 20171130
Emsisoft Trojan.Doc.Agent.K (B) 20171130
ESET-NOD32 VBA/TrojanDownloader.Agent.ZS 20171130
F-Prot New or modified PP97M/Donoff 20171130
F-Secure Trojan:W97M/MaliciousMacro.GEN 20171130
Fortinet WM/Agent.BJC!tr.dldr 20171130
GData Macro.Trojan-Downloader.Donoff.Q@gen 20171130
Ikarus Trojan-Dropper.PDF.Agent 20171130
Kaspersky Trojan-Downloader.PDF.Agent.aw 20171130
MAX malware (ai score=83) 20171130
McAfee Artemis!5EC105E717D8 20171201
McAfee-GW-Edition W97M/Downloader.ama 20171201
Microsoft TrojanDownloader:O97M/Donoff 20171130
eScan Trojan.Doc.Agent.K 20171130
NANO-Antivirus Trojan.Script.PDF.dzxkwm 20171130
Panda W97M/Downloader 20171130
Qihoo-360 heur.macro.encodefeature.c 20171201
Rising Macro.Agent.ev (CLASSIC) 20171130
Sophos AV Troj/DocDl-XI 20171130
Symantec W97M.Downloader 20171130
Tencent OLE.Win32.Macro.700322 20171201
TrendMicro W2KM_DRIDEX.XCV 20171130
TrendMicro-HouseCall Suspicious_GEN.F47V0924 20171201
ZoneAlarm by Check Point Trojan-Downloader.PDF.Agent.aw 20171130
Alibaba 20171130
ALYac 20171130
Avast-Mobile 20171130
Bkav 20171129
CMC 20171126
Comodo 20171201
CrowdStrike Falcon (ML) 20171016
Cybereason 20171103
Cylance 20171201
DrWeb 20171130
eGambit 20171201
Endgame 20171130
Sophos ML 20170914
Jiangmin 20171201
K7AntiVirus 20171130
K7GW 20171130
Kingsoft 20171201
Malwarebytes 20171201
nProtect 20171130
Palo Alto Networks (Known Signatures) 20171201
SentinelOne (Static ML) 20171113
SUPERAntiSpyware 20171130
Symantec Mobile Insight 20171130
TheHacker 20171130
TotalDefense 20171130
Trustlook 20171201
VBA32 20171130
VIPRE 20171130
ViRobot 20171130
Webroot 20171201
WhiteArmor 20171104
Yandex 20171120
Zillya 20171129
Zoner 20171130
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May create additional files.
May create OLE objects.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 91 bytes
[+] Module2.bas word/vbaProject.bin VBA/Module2 2563 bytes
create-file
[+] Module1.bas word/vbaProject.bin VBA/Module1 6218 bytes
obfuscated open-file write-file
[+] Module3.bas word/vbaProject.bin VBA/Module3 5436 bytes
create-ole obfuscated open-file
Content types
bin
rels
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator
1
cp:lastModifiedBy
1
cp:revision
2
dcterms:created
2015-08-11T06:26:00Z
dcterms:modified
2015-08-11T06:26:00Z
Application document properties
Template
Normal
TotalTime
0
Pages
1
Words
0
Characters
0
Application
Microsoft Office Word
DocSecurity
0
Lines
1
Paragraphs
1
ScaleCrop
false
vt:lpstr
Название
vt:i4
1
Company
Home
LinksUpToDate
false
CharactersWithSpaces
0
SharedDoc
false
HyperlinksChanged
false
AppVersion
12.0000
Document languages
Language
Prevalence
ru-ru
2
ar-sa
1
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
1

Application
Microsoft Office Word

ZipFileName
[Content_Types].xml

Template
Normal

CreateDate
2015:08:11 06:26:00Z

ZipRequiredVersion
20

ModifyDate
2015:08:11 06:26:00Z

ZipCRC
0xc1a32581

Company
Home

Words
0

ScaleCrop
No

RevisionNumber
2

MIMEType
application/vnd.ms-word.document.macroEnabled

ZipBitFlag
0x0006

FileType
DOCM

Lines
1

AppVersion
12.0

ZipUncompressedSize
1453

ZipCompressedSize
406

Characters
0

CharactersWithSpaces
0

DocSecurity
None

ZipModifyDate
1980:01:01 00:00:00

HeadingPairs
, 1

TotalEditTime
0

ZipCompression
Deflated

Pages
1

Creator
1

FileTypeExtension
docm

Paragraphs
1

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files
14
Uncompressed size
107032
Highest datetime
1980-01-01 00:00:00
Lowest datetime
1980-01-01 00:00:00
Contained files by extension
xml
10
bin
1
Contained files by type
XML
13
Microsoft Office
1
File identification
MD5 87285981ae1feae4bf154e574627985d
SHA1 3dad92f96181911fae0092a54e054d068f15d0bf
SHA256 ed7ae1e339015da0d3ae74125d2ad3a20713f3053824a30684b402a1594ebfdd
ssdeep
768:MAZsxf4u/PVpEggttcJUIo1C/rDkmI8PTU07IzEKC5ZQTdm:Mh3UMowkV8PTUHXgWTc

File size 42.8 KB ( 43821 bytes )
File type Office Open XML Document
Magic literal
Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.6%)
Word Microsoft Office Open XML Format document (24.2%)
Open Packaging Conventions container (18.0%)
ZIP compressed archive (4.1%)
Tags
obfuscated open-file create-file docx macros write-file create-ole

VirusTotal metadata
First submission 2015-08-11 12:38:23 UTC ( 2 years, 6 months ago )
Last submission 2017-06-07 08:20:48 UTC ( 8 months, 2 weeks ago )
File names 87285981AE1FEAE4BF154E574627985D
ed7ae1e339015da0d3ae74125d2ad3a20713f3053824a30684b402a1594ebfdd#env#1
5.docm
malicious docm