SHA256: ffee1a33c084360b24c5b987b80887a2d77248224dbd6a0b6574ff9cef74bdd6
File name: eml%20-%20PO20180921.doc
Detection ratio: 28 / 59
Analysis date: 2019-01-05 11:22:21 UTC ( 1 month, 2 weeks ago )
Antivirus Result Update
Ad-Aware VB:Trojan.Valyria.2630 20190105
ALYac VB:Trojan.Valyria.2630 20190105
Arcabit HEUR.VBA.Trojan.d 20190105
Avira (no cloud) HEUR/Macro.Downloader.PAAL.Gen 20190104
Baidu VBA.Trojan-Downloader.Agent.doe 20190104
BitDefender VB:Trojan.Valyria.2630 20190105
Cyren W97M/Downldr 20190105
Emsisoft VB:Trojan.Valyria.2630 (B) 20190105
Endgame malicious (high confidence) 20181108
F-Prot New or modified W97M/Downldr 20190105
F-Secure Trojan:W97M/MaliciousMacro.GEN 20190105
Fortinet VBA/Agent.1B7E!tr.dldr 20190105
GData Macro.Trojan-Downloader.Agent.MV 20190105
Ikarus Trojan-Downloader.VBA.Agent 20190104
Kaspersky HEUR:Trojan-Downloader.Script.Generic 20190105
MAX malware (ai score=88) 20190105
McAfee-GW-Edition BehavesLike.Downloader.ng 20190105
eScan VB:Trojan.Valyria.2630 20190105
NANO-Antivirus Trojan.Script.ExpKit.euurlw 20190105
Panda O97M/Downloader 20190105
Qihoo-360 virus.office.qexvmc.1095 20190105
Rising Downloader.VBA/Agent!1.AD5B (CLASSIC) 20190105
SentinelOne (Static ML) static engine - malicious 20181223
Symantec ISB.Downloader!gen60 20190104
Tencent Heur.MSWord.Downloader.d 20190105
TrendMicro HEUR_VBA.D 20190105
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20190105
Zoner Probably W97Obfuscated 20190105
Acronis 20181227
AegisLab 20190105
AhnLab-V3 20190104
Alibaba 20180921
Antiy-AVL 20190105
Avast 20190105
Avast-Mobile 20190104
AVG 20190105
Babable 20180918
Bkav 20190104
CAT-QuickHeal 20190104
ClamAV 20190105
CMC 20190104
Comodo 20190105
CrowdStrike Falcon (ML) 20181022
Cybereason 20180225
Cylance 20190105
DrWeb 20190105
eGambit 20190105
ESET-NOD32 20190105
Sophos ML 20181128
Jiangmin 20190105
K7AntiVirus 20190105
K7GW 20190105
Kingsoft 20190105
Malwarebytes 20190105
McAfee 20190105
Microsoft 20190105
Palo Alto Networks (Known Signatures) 20190105
Sophos AV 20190105
SUPERAntiSpyware 20190102
TACHYON 20190105
TheHacker 20190104
TotalDefense 20190105
Trapmine 20190103
TrendMicro-HouseCall 20190105
Trustlook 20190105
VBA32 20190104
ViRobot 20190105
Webroot 20190105
Yandex 20181229
Zillya 20190105
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May read system environment variables.
May open a file.
May write to a file.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
May try to download additional files from the Internet.
Seems to contain deobfuscation code.
Summary
last_author: Socrate
creation_datetime: 2017-10-17 03:08:00
revision_number: 15
author: admin
page_count: 1
last_saved: 2018-12-19 19:34:00
edit_time: 240
word_count: 156
template: Normal
application_name: Microsoft Office Word
character_count: 895
code_page: Latin I
Document summary
line_count: 7
characters_with_spaces: 1049
version: 917504
paragraph_count: 2
code_page: Latin I
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 4352
type_literal: stream, sid: 18, name: \x01CompObj, size: 114
type_literal: stream, sid: 5, name: \x05DocumentSummaryInformation, size: 4096
type_literal: stream, sid: 4, name: \x05SummaryInformation, size: 4096
type_literal: stream, sid: 2, name: 1Table, size: 7733
type_literal: stream, sid: 1, name: Data, size: 4096
type_literal: stream, sid: 16, name: Macros/PROJECT, size: 422
type_literal: stream, sid: 17, name: Macros/PROJECTwm, size: 71
type_literal: stream, sid: 13, type: macro, name: Macros/VBA/NewMacros, size: 1014
type_literal: stream, sid: 14, type: macro, name: Macros/VBA/ThisDocument, size: 4632
type_literal: stream, sid: 15, name: Macros/VBA/_VBA_PROJECT, size: 5684
type_literal: stream, sid: 9, name: Macros/VBA/__SRP_0, size: 1295
type_literal: stream, sid: 10, name: Macros/VBA/__SRP_1, size: 115
type_literal: stream, sid: 11, name: Macros/VBA/__SRP_2, size: 376
type_literal: stream, sid: 12, name: Macros/VBA/__SRP_3, size: 158
type_literal: stream, sid: 8, name: Macros/VBA/dir, size: 571
type_literal: stream, sid: 3, name: WordDocument, size: 54196
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 3932 bytes
exe-pattern create-file create-ole download environ obfuscated open-file run-file write-file
[+] NewMacros.bas Macros/VBA/NewMacros 36 bytes
ExifTool file metadata
SharedDoc: No
Author: admin
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: Socrate
HeadingPairs: Title, 1
Hyperlinks: https://mail.google.com/mail/u/1/h/11qaal8dyddfc/?&th=1672bcb775f351b3&d=u&n=0&v=c&s=m#m_1672bba5d24fd0e1
Identification: Word 8.0
Template: Normal
CharCountWithSpaces: 1049
Word97: No
LanguageCode: English (US)
CompObjUserType: Microsoft Word 97-2003 Document
ModifyDate: 2018:12:19 18:34:00
Characters: 895
CodePage: Windows Latin 1 (Western European)
RevisionNumber: 15
MIMEType: application/msword
Words: 156
CreateDate: 2017:10:17 01:08:00
Lines: 7
AppVersion: 14.0
Security: None
Software: Microsoft Office Word
FileType: DOC
TotalEditTime: 4 minutes
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 2
LastPrinted: 0000:00:00 00:00:00
DocFlags: 1Table, ExtChar
File identification
MD5 05c6623297acb077603915d37bc8c750
SHA1 2de2af27af8923da2168bcc81953f373ecc52d70
SHA256 ffee1a33c084360b24c5b987b80887a2d77248224dbd6a0b6574ff9cef74bdd6
ssdeep 1536:j6b+0KJB2E+0LUkTAags/1FyMHMWYO6CyV7WDbjUnbu3TJClbbN:j6b+0KJB2E+0LUkTAags/+MHhYO6CyVf
File size 93.0 KB ( 95232 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Template: Normal, Last Saved By: Socrate, Revision Number: 15, Name of Creating Application: Microsoft Office Word, Total Editing Time: 04:00, Create Time/Date: Mon Oct 16 02:08:00 2017, Last Saved Time/Date: Tue Dec 18 18:34:00 2018, Number of Pages: 1, Number of Words: 156, Number of Characters: 895, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated open-file exe-pattern doc create-file run-file macros environ download write-file create-ole

VirusTotal metadata
First submission 2019-01-05 11:22:21 UTC ( 1 month, 2 weeks ago )
Last submission 2019-01-13 02:04:21 UTC ( 1 month, 1 week ago )
File names eml%20-%20PO20180921.doc
05c6623297acb077603915d37bc8c750.virobj