SHA256: f30318102e872ee76515aa795cec5423ff9a3b2425f326c5e0ff2e01f39b34b0
File name: INV_d69c8af8dd90d126a3cf5ca1aa778d7a.doc
Detection ratio: 22 / 58
Analysis date: 2018-12-07 02:52:44 UTC ( 2 months, 1 week ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.d 20181206
ClamAV Doc.Macro.Obfuscated-6397052-2 20181206
Endgame malicious (high confidence) 20181108
ESET-NOD32 VBA/TrojanDownloader.Agent.LNH 20181207
F-Secure Trojan:W97M/Nastjencro.A 20181206
Fortinet VBA/Agent.E9DF!tr.dldr 20181206
K7AntiVirus Trojan ( 00536d111 ) 20181207
K7GW Trojan ( 00536d111 ) 20181207
Kaspersky HEUR:Trojan.MSOffice.Pederr.gen 20181207
McAfee RDN/Generic.grp 20181207
McAfee-GW-Edition BehavesLike.Downloader.cg 20181207
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20181207
Qihoo-360 virus.office.qexvmc.1085 20181207
Rising Heur.Macro.Downloader.e (CLASSIC) 20181207
SentinelOne (Static ML) static engine - malicious 20181011
Symantec W97M.Downloader 20181207
TACHYON Suspicious/W97M.Obfus.Gen.1 20181207
Tencent Heur.MSWord.Downloader.d 20181207
TrendMicro TROJ_FRS.0NZ900L618 20181207
TrendMicro-HouseCall TROJ_FRS.0NZ900L618 20181207
ZoneAlarm by Check Point HEUR:Trojan.MSOffice.Pederr.gen 20181207
Zoner Probably W97Obfuscated 20181207
Ad-Aware 20181206
AegisLab 20181206
AhnLab-V3 20181206
Alibaba 20180921
ALYac 20181206
Antiy-AVL 20181205
Avast 20181206
Avast-Mobile 20181206
AVG 20181206
Avira (no cloud) 20181206
Babable 20180918
Baidu 20181206
BitDefender 20181206
Bkav 20181206
CAT-QuickHeal 20181206
CMC 20181206
Comodo 20181206
CrowdStrike Falcon (ML) 20180202
Cybereason 20180308
Cylance 20181207
Cyren 20181206
DrWeb 20181206
eGambit 20181207
Emsisoft 20181206
F-Prot 20181206
GData 20181206
Ikarus 20181206
Sophos ML 20181128
Jiangmin 20181206
Kingsoft 20181207
Malwarebytes 20181207
MAX 20181207
Microsoft 20181207
eScan 20181207
Palo Alto Networks (Known Signatures) 20181207
Panda 20181206
Sophos AV 20181207
SUPERAntiSpyware 20181205
Symantec Mobile Insight 20181204
TheHacker 20181202
Trapmine 20181205
Trustlook 20181207
VBA32 20181206
ViRobot 20181207
Webroot 20181207
Yandex 20181204
Zillya 20181206
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: Windows User
creation_datetime: 2018-12-06 14:05:00
template: Normal.dotm
author: Windows User
page_count: 1
last_saved: 2018-12-06 14:06:00
revision_number: 3
application_name: Microsoft Office Word
character_count: 1
code_page: Cyrillic
Document summary
line_count: 1
characters_with_spaces: 1
version: 786432
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry; clsid: 00020906-0000-0000-c000-000000000046; type_literal: root; clsid_literal: MS Word; sid: 0; size: 6208
name: \x01CompObj; type_literal: stream; size: 121; sid: 26
name: \x05DocumentSummaryInformation; type_literal: stream; size: 4096; sid: 5
name: \x05SummaryInformation; type_literal: stream; size: 4096; sid: 4
name: 1Table; type_literal: stream; size: 6561; sid: 2
name: Data; type_literal: stream; size: 86045; sid: 1
name: Macros/IYQpeCCoWHhyOJc/\x01CompObj; type_literal: stream; size: 97; sid: 24
name: Macros/IYQpeCCoWHhyOJc/\x03VBFrame; type_literal: stream; size: 297; sid: 25
name: Macros/IYQpeCCoWHhyOJc/f; type_literal: stream; size: 138; sid: 22
name: Macros/IYQpeCCoWHhyOJc/o; type_literal: stream; size: 124; sid: 23
name: Macros/LFeLUzWQIYNmdZ/\x01CompObj; type_literal: stream; size: 97; sid: 19
name: Macros/LFeLUzWQIYNmdZ/\x03VBFrame; type_literal: stream; size: 270; sid: 20
name: Macros/LFeLUzWQIYNmdZ/f; type_literal: stream; size: 38; sid: 17
name: Macros/LFeLUzWQIYNmdZ/o; type_literal: stream; size: 0; sid: 18
name: Macros/PROJECT; type_literal: stream; size: 632; sid: 14
name: Macros/PROJECTwm; type_literal: stream; size: 182; sid: 15
name: Macros/VBA/AKdkHFUsQMuLaCJ; type_literal: stream; size: 23344; type: macro; sid: 12
name: Macros/VBA/IYQpeCCoWHhyOJc; type_literal: stream; size: 6939; type: macro; sid: 13
name: Macros/VBA/LFeLUzWQIYNmdZ; type_literal: stream; size: 1929; type: macro; sid: 11
name: Macros/VBA/ThisDocument; type_literal: stream; size: 924; type: macro (only attributes); sid: 9
name: Macros/VBA/_VBA_PROJECT; type_literal: stream; size: 8216; sid: 10
name: Macros/VBA/dir; type_literal: stream; size: 987; sid: 8
name: WordDocument; type_literal: stream; size: 4096; sid: 3
Macros and VBA code streams
[+] AKdkHFUsQMuLaCJ.bas Macros/VBA/AKdkHFUsQMuLaCJ 14256 bytes
create-ole obfuscated
[+] IYQpeCCoWHhyOJc.frm Macros/VBA/IYQpeCCoWHhyOJc 3287 bytes
create-file open-file write-file
[+] LFeLUzWQIYNmdZ.frm Macros/VBA/LFeLUzWQIYNmdZ 312 bytes
run-file
ExifTool file metadata
SharedDoc: No
Author: Windows User
CodePage: Windows Cyrillic
System: Windows
LinksUpToDate: No
LastModifiedBy: Windows User
HeadingPairs: , 1
Identification: Word 8.0
Template: Normal.dotm
CharCountWithSpaces: 1
CreateDate: 2018:12:06 13:05:00
Word97: No
LanguageCode: Russian
CompObjUserType: ???????? Microsoft Office Word 97-2003
ModifyDate: 2018:12:06 13:06:00
ScaleCrop: No
Characters: 1
HyperlinksChanged: No
RevisionNumber: 3
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 1
AppVersion: 12.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 39
FileTypeExtension: doc
Paragraphs: 1
LastPrinted: 0000:00:00 00:00:00
DocFlags: Has picture, 1Table, ExtChar

File identification
MD5 d69c8af8dd90d126a3cf5ca1aa778d7a
SHA1 e158bb092ee16e6b05729c196e49d2330182fc52
SHA256 f30318102e872ee76515aa795cec5423ff9a3b2425f326c5e0ff2e01f39b34b0
ssdeep 1536:SDXWbfxGn403TycwpSErU81SnfwhrsxNcPllfjtSBIIpEAg6SsOEgyjsbov2DW9n:xbfxB0eczfI2zcPl1gBIEHNjsB0n

File size 154.0 KB ( 157696 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: Windows User, Template: Normal.dotm, Last Saved By: Windows User, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Dec 05 13:05:00 2018, Last Saved Time/Date: Wed Dec 05 13:06:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file doc create-file run-file macros write-file create-ole

VirusTotal metadata
First submission 2018-12-07 02:52:44 UTC ( 2 months, 1 week ago )
Last submission 2018-12-07 02:52:44 UTC ( 2 months, 1 week ago )
File names INV_d69c8af8dd90d126a3cf5ca1aa778d7a.doc