SHA256: 08e3da6d2868bb292f81e3580b1686a34fc5c25051f2c9601671f35873688307
File name: SecureMessage.doc
Detection ratio: 5 / 58
Analysis date: 2017-08-01 16:37:42 UTC ( 1 year, 9 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20170801
Ikarus Win32.Outbreak 20170801
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170801
Qihoo-360 virus.office.qexvmc.1080 20170801
Tencent Macro.Trojan.Dropperx.Auto 20170801
Ad-Aware 20170801
AegisLab 20170801
AhnLab-V3 20170801
Alibaba 20170801
ALYac 20170801
Antiy-AVL 20170801
Avast 20170801
AVG 20170801
Avira (no cloud) 20170801
AVware 20170801
Baidu 20170728
BitDefender 20170801
Bkav 20170801
CAT-QuickHeal 20170801
ClamAV 20170801
CMC 20170801
Comodo 20170801
CrowdStrike Falcon (ML) 20170710
Cylance 20170801
Cyren 20170801
DrWeb 20170801
Emsisoft 20170801
Endgame 20170721
ESET-NOD32 20170801
F-Prot 20170801
F-Secure 20170801
Fortinet 20170801
GData 20170801
Sophos ML 20170607
Jiangmin 20170801
K7AntiVirus 20170801
K7GW 20170801
Kaspersky 20170801
Kingsoft 20170801
Malwarebytes 20170801
MAX 20170801
McAfee 20170801
McAfee-GW-Edition 20170801
Microsoft 20170801
eScan 20170801
nProtect 20170801
Palo Alto Networks (Known Signatures) 20170801
Panda 20170801
Rising 20170801
SentinelOne (Static ML) 20170718
Sophos AV 20170801
SUPERAntiSpyware 20170801
Symantec 20170801
Symantec Mobile Insight 20170801
TheHacker 20170730
TrendMicro 20170801
TrendMicro-HouseCall 20170801
Trustlook 20170801
VBA32 20170801
VIPRE 20170801
ViRobot 20170801
Webroot 20170801
WhiteArmor 20170731
Yandex 20170801
Zillya 20170801
ZoneAlarm by Check Point 20170801
Zoner 20170801
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author: user
creation_datetime: 2017-08-01 09:56:00
template: Normal
author: Admin
page_count: 1
last_saved: 2017-08-01 09:58:00
edit_time: 60
word_count: 27
revision_number: 3
application_name: Microsoft Office Word
character_count: 154
code_page: Cyrillic
Document summary
line_count: 1
characters_with_spaces: 180
version: 786432
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name                                sid  type    size   notes
Root Entry                          0    root    12416  clsid 00020906-0000-0000-c000-000000000046 (MS Word)
\x01CompObj                         20   stream  121
\x05DocumentSummaryInformation      5    stream  4096
\x05SummaryInformation              4    stream  4096
1Table                              2    stream  7745
Data                                1    stream  7394
Macros/PROJECT                      19   stream  552
Macros/PROJECTwm                    18   stream  83
Macros/User1/\x01CompObj            16   stream  97
Macros/User1/\x03VBFrame            17   stream  287
Macros/User1/f                      14   stream  711
Macros/User1/o                      15   stream  204
Macros/VBA/Module1                  9    stream  3209   macro
Macros/VBA/ThisDocument             8    stream  1097   macro
Macros/VBA/User1                    10   stream  1325   macro
Macros/VBA/_VBA_PROJECT             11   stream  3437
Macros/VBA/dir                      12   stream  840
WordDocument                        3    stream  4148
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 32 bytes
[+] Module1.bas Macros/VBA/Module1 828 bytes (obfuscated, run-file)
[+] User1.frm Macros/VBA/User1 36 bytes
ExifTool file metadata
SharedDoc: No
Author: Admin
CodePage: Windows Cyrillic
System: Windows
LinksUpToDate: No
LastModifiedBy: user
HeadingPairs: Title, 1
Identification: Word 8.0
Template: Normal
CharCountWithSpaces: 180
CreateDate: 2017:08:01 08:56:00
Word97: No
LanguageCode: English (US)
CompObjUserType: Microsoft Office Word 97-2003 Document
ModifyDate: 2017:08:01 08:58:00
ScaleCrop: No
Characters: 154
HyperlinksChanged: No
RevisionNumber: 3
MIMEType: application/msword
Words: 27
FileType: DOC
Lines: 1
AppVersion: 12.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 1 minute
Pages: 1
CompObjUserTypeLen: 39
FileTypeExtension: doc
Paragraphs: 1
LastPrinted: 0000:00:00 00:00:00
DocFlags: Has picture, 1Table, ExtChar
Compressed bundles
File identification
MD5 25187f1a0c61dd484e43ccfbbea0d8dd
SHA1 2f57d6fa7cdc407dd7e13f8d82ba385054bf09ea
SHA256 08e3da6d2868bb292f81e3580b1686a34fc5c25051f2c9601671f35873688307
ssdeep 384:PqkJ3chjvoxKJ2LUa8c4yDMLiyGcS2rA6VsEEMc+iOQazItyfeX0juR4Db3fntb1:PcFAYU4yEnrhsEjcc2R8rzm

File size 45.5 KB ( 46592 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: Admin, Template: Normal, Last Saved By: user, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Fri Jun 30 08:56:00 2017, Last Saved Time/Date: Fri Jun 30 08:58:00 2017, Number of Pages: 1, Number of Words: 27, Number of Characters: 154, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated macros run-file attachment doc

VirusTotal metadata
First submission 2017-08-01 12:04:15 UTC ( 1 year, 9 months ago )
Last submission 2018-12-27 01:21:50 UTC ( 5 months ago )
File names
SecureMessage.doc
Samp(276)0.vir.rename
SecureMessage-email-attachment.doc
__substg1.0_37010102
2f57d6fa7cdc407dd7e13f8d82ba385054bf09ea
trickbot downloader (2)