SHA256: ef1b29f3883e13d43f69b081735d4b23f53e8590de1a956e1ddca5df379dde8c
File name: fax_61277.doc
Detection ratio: 9 / 58
Analysis date: 2018-05-16 17:56:21 UTC (9 months, 1 week ago)
| Antivirus | Result | Update |
|---|---|---|
| AegisLab | W97M.Gen!c | 20180516 |
| F-Secure | Trojan:W97M/Nastjencro.A | 20180516 |
| Fortinet | VBA/Agent.YPEZ!tr.dldr | 20180516 |
| Ikarus | Trojan-Downloader.PowerShell.Agent | 20180516 |
| McAfee-GW-Edition | BehavesLike.Downloader.mr | 20180516 |
| Microsoft | TrojanDownloader:O97M/Powdow.KE | 20180516 |
| Qihoo-360 | virus.office.qexvmc.1070 | 20180516 |
| Symantec | W97M.Downloader!g28 | 20180516 |
| ZoneAlarm by Check Point | HEUR:Trojan-Downloader.Script.Generic | 20180516 |
| Ad-Aware | | 20180516 |
| AhnLab-V3 | | 20180516 |
| Alibaba | | 20180516 |
| ALYac | | 20180516 |
| Antiy-AVL | | 20180516 |
| Arcabit | | 20180516 |
| Avast | | 20180516 |
| Avast-Mobile | | 20180516 |
| AVG | | 20180516 |
| Avira (no cloud) | | 20180516 |
| AVware | | 20180428 |
| Babable | | 20180406 |
| Baidu | | 20180511 |
| BitDefender | | 20180516 |
| Bkav | | 20180516 |
| CAT-QuickHeal | | 20180516 |
| ClamAV | | 20180516 |
| CMC | | 20180516 |
| Comodo | | 20180516 |
| CrowdStrike Falcon (ML) | | 20180418 |
| Cybereason | | None |
| Cylance | | 20180516 |
| Cyren | | 20180516 |
| eGambit | | 20180516 |
| Emsisoft | | 20180516 |
| Endgame | | 20180507 |
| ESET-NOD32 | | 20180516 |
| F-Prot | | 20180516 |
| GData | | 20180516 |
| Sophos ML | | 20180503 |
| Jiangmin | | 20180516 |
| K7AntiVirus | | 20180516 |
| K7GW | | 20180516 |
| Kaspersky | | 20180516 |
| Kingsoft | | 20180516 |
| Malwarebytes | | 20180516 |
| MAX | | 20180516 |
| McAfee | | 20180516 |
| eScan | | 20180516 |
| NANO-Antivirus | | 20180516 |
| nProtect | | 20180516 |
| Palo Alto Networks (Known Signatures) | | 20180516 |
| Panda | | 20180516 |
| Rising | | 20180516 |
| SentinelOne (Static ML) | | 20180225 |
| Sophos AV | | 20180516 |
| SUPERAntiSpyware | | 20180516 |
| Symantec Mobile Insight | | 20180516 |
| Tencent | | 20180516 |
| TheHacker | | 20180516 |
| TrendMicro | | 20180516 |
| TrendMicro-HouseCall | | 20180516 |
| Trustlook | | 20180516 |
| VBA32 | | 20180516 |
| VIPRE | | 20180516 |
| ViRobot | | 20180516 |
| Webroot | | 20180516 |
| Yandex | | 20180516 |
| Zillya | | 20180516 |
| Zoner | | 20180516 |
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: Longer
creation_datetime: 2018-05-16 17:17:00
revision_number: 30
author: Longer
page_count: 1
last_saved: 2018-05-16 17:55:00
edit_time: 2280
word_count: 27
template: Normal.dotm
application_name: Microsoft Office Word
character_count: 154
code_page: Latin I
Document summary
line_count: 1
characters_with_spaces: 180
version: 786432
paragraph_count: 1
code_page: -535
OLE Streams
| sid | name | type_literal | type | size |
|---|---|---|---|---|
| 0 | Root Entry | root | | 35136 |
| 45 | \x01CompObj | stream | | 160 |
| 5 | \x05DocumentSummaryInformation | stream | | 4096 |
| 4 | \x05SummaryInformation | stream | | 4096 |
| 2 | 1Table | stream | | 7181 |
| 1 | Data | stream | | 13008 |
| 26 | Macros/AVOTITSSAV/\x01CompObj | stream | | 97 |
| 27 | Macros/AVOTITSSAV/\x03VBFrame | stream | | 292 |
| 24 | Macros/AVOTITSSAV/f | stream | | 283 |
| 25 | Macros/AVOTITSSAV/o | stream | | 292 |
| 36 | Macros/GREBZDNAYL2/\x01CompObj | stream | | 97 |
| 37 | Macros/GREBZDNAYL2/\x03VBFrame | stream | | 294 |
| 34 | Macros/GREBZDNAYL2/f | stream | | 278 |
| 35 | Macros/GREBZDNAYL2/o | stream | | 444 |
| 44 | Macros/PROJECT | stream | | 1106 |
| 43 | Macros/PROJECTwm | stream | | 401 |
| 17 | Macros/VBA/AVOTITSSAV | stream | macro (only attributes) | 1352 |
| 19 | Macros/VBA/GREBZDNAYL2 | stream | macro | 1895 |
| 8 | Macros/VBA/ThisDocument | stream | macro | 1567 |
| 21 | Macros/VBA/_VBA_PROJECT | stream | | 7247 |
| 9 | Macros/VBA/adydarin | stream | macro | 3003 |
| 18 | Macros/VBA/coolwinnt2 | stream | macro | 1849 |
| 10 | Macros/VBA/crappwqsb | stream | macro | 2316 |
| 22 | Macros/VBA/dir | stream | | 1372 |
| 11 | Macros/VBA/laesboms | stream | macro | 2523 |
| 20 | Macros/VBA/mike88632 | stream | macro (only attributes) | 1320 |
| 12 | Macros/VBA/sed17011 | stream | macro | 2029 |
| 14 | Macros/VBA/steveb28 | stream | macro | 2092 |
| 15 | Macros/VBA/tom21413 | stream | macro | 2931 |
| 13 | Macros/VBA/voryique | stream | macro | 2012 |
| 16 | Macros/VBA/xxpaganexxx | stream | macro | 1726 |
| 31 | Macros/coolwinnt2/\x01CompObj | stream | | 97 |
| 32 | Macros/coolwinnt2/\x03VBFrame | stream | | 293 |
| 29 | Macros/coolwinnt2/f | stream | | 322 |
| 30 | Macros/coolwinnt2/o | stream | | 492 |
| 41 | Macros/mike88632/\x01CompObj | stream | | 97 |
| 42 | Macros/mike88632/\x03VBFrame | stream | | 292 |
| 39 | Macros/mike88632/f | stream | | 322 |
| 40 | Macros/mike88632/o | stream | | 484 |
| 3 | WordDocument | stream | | 4142 |

Root Entry clsid: 00020906-0000-0000-c000-000000000046 (clsid_literal: MS Word)
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 184 bytes
[+] adydarin.bas Macros/VBA/adydarin 1081 bytes
[+] crappwqsb.bas Macros/VBA/crappwqsb 814 bytes
[+] laesboms.bas Macros/VBA/laesboms 856 bytes
[+] sed17011.bas Macros/VBA/sed17011 414 bytes
[+] voryique.bas Macros/VBA/voryique 512 bytes
[+] steveb28.bas Macros/VBA/steveb28 404 bytes
[+] tom21413.bas Macros/VBA/tom21413 982 bytes
obfuscated
[+] xxpaganexxx.bas Macros/VBA/xxpaganexxx 429 bytes
[+] coolwinnt2.frm Macros/VBA/coolwinnt2 259 bytes
create-ole
[+] GREBZDNAYL2.frm Macros/VBA/GREBZDNAYL2 267 bytes
ExifTool file metadata
SharedDoc: No
Author: Longer
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: Longer
HeadingPairs: , 1
Identification: Word 8.0
Template: Normal.dotm
CharCountWithSpaces: 180
CreateDate: 2018:05:16 16:17:00
Word97: No
LanguageCode: English (US)
ModifyDate: 2018:05:16 16:55:00
Characters: 154
CodePage: Unicode (UTF-8)
RevisionNumber: 30
MIMEType: application/msword
Words: 27
FileType: DOC
Lines: 1
AppVersion: 12.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 38.0 minutes
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 0
FileTypeExtension: doc
Paragraphs: 1
DocFlags: Has picture, 1Table, ExtChar
File identification
MD5 81b7490c76dc990292c22e4fb38ffef9
SHA1 9dc7a909cbda8e63876caf197b825486d62abf0c
SHA256 ef1b29f3883e13d43f69b081735d4b23f53e8590de1a956e1ddca5df379dde8c
ssdeep 768:MTXUAvRB5LcJgwo4r65/KCBuxEYqdUqVt/azV8Vq4rYWAHpP7p6pXp:KlvRB5QIv3yqCWAHd7g5

File size 85.0 KB ( 87040 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Longer, Template: Normal.dotm, Last Saved By: Longer, Revision Number: 30, Name of Creating Application: Microsoft Office Word, Total Editing Time: 38:00, Create Time/Date: Tue May 15 16:17:00 2018, Last Saved Time/Date: Tue May 15 16:55:00 2018, Number of Pages: 1, Number of Words: 27, Number of Characters: 154, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated macros create-ole attachment doc

VirusTotal metadata
First submission 2018-05-16 16:55:26 UTC ( 9 months, 1 week ago )
Last submission 2018-05-17 17:41:30 UTC ( 9 months, 1 week ago )
File names fax_58662.doc
Doc1.doc
fax_61277.doc
fax_71076.doc