SHA256: 3565f05b3541e5839c9744388c24c34d42b592a74f2f9f2129dbb8fcbe82165f
File name: QCS3ZYS.docm
Detection ratio: 26 / 58
Analysis date: 2017-05-16 09:04:47 UTC ( 5 months, 1 week ago )
Antivirus Result Update
Antiy-AVL Trojan[Downloader]/MSWord.Agent.bim 20170516
Arcabit VB:Trojan.VBS.Downloader.ACS 20170516
Avira (no cloud) W2000M/Agent.5289217 20170516
BitDefender VB:Trojan.VBS.Downloader.ACS 20170516
CAT-QuickHeal O97M.Downloader.AJK 20170516
Cyren PP97M/Downldr 20170516
DrWeb W97M.DownLoader.1742 20170516
Emsisoft VB:Trojan.VBS.Downloader.ACS (B) 20170516
ESET-NOD32 VBA/TrojanDownloader.Agent.DFJ 20170516
F-Prot New or modified PP97M/Downldr 20170516
F-Secure VB:Trojan.VBS.Downloader.ACS 20170516
Fortinet PDF/Agent.U!tr 20170516
GData VB:Trojan.VBS.Downloader.ACS 20170516
Ikarus Trojan-Downloader.VBA.Agent 20170516
Kaspersky Trojan-Downloader.MSWord.Agent.bim 20170516
McAfee W97M/Downloader.byx 20170516
Microsoft TrojanDownloader:O97M/Donoff 20170516
eScan VB:Trojan.VBS.Downloader.ACS 20170516
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170516
Panda O97M/Downloader 20170515
Qihoo-360 virus.office.obfuscated.1 20170516
Sophos AV Troj/DocDl-IXE 20170516
Symantec W97M.Downloader 20170515
TrendMicro W2KM_DLOADR.DOCD 20170516
TrendMicro-HouseCall W2KM_DLOADR.DOCD 20170516
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20170516
Ad-Aware 20170516
AegisLab 20170516
AhnLab-V3 20170515
Alibaba 20170516
ALYac 20170516
Avast 20170516
AVG 20170515
AVware 20170516
Baidu 20170503
Bkav 20170516
ClamAV 20170515
CMC 20170516
Comodo 20170516
CrowdStrike Falcon (ML) 20170130
Endgame 20170515
Sophos ML 20170413
Jiangmin 20170516
K7AntiVirus 20170516
K7GW 20170516
Kingsoft 20170516
Malwarebytes 20170516
McAfee-GW-Edition 20170515
nProtect 20170516
Palo Alto Networks (Known Signatures) 20170516
Rising None
SentinelOne (Static ML) 20170330
SUPERAntiSpyware 20170516
Symantec Mobile Insight 20170516
Tencent 20170516
TheHacker 20170514
VBA32 20170516
VIPRE 20170516
ViRobot 20170516
Webroot 20170516
WhiteArmor 20170512
Yandex 20170515
Zillya 20170516
Zoner 20170516
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened.
May open a file.
May write to a file.
May perform operations with other files.
May create OLE objects.
May enumerate open windows.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 80 bytes
[+] STRIX.cls word/vbaProject.bin VBA/STRIX 332 bytes
[+] Module3.bas word/vbaProject.bin VBA/Module3 5438 bytes
exe-pattern enum-windows handle-file obfuscated open-file write-file
[+] Module1.bas word/vbaProject.bin VBA/Module1 1153 bytes
obfuscated
[+] Module2.bas word/vbaProject.bin VBA/Module2 3208 bytes
create-ole obfuscated open-file
Content types
bin
rels
jpg
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator: 1
cp:lastModifiedBy: 1
cp:revision: 2
dcterms:created: 2017-05-15T09:18:00Z
dcterms:modified: 2017-05-15T09:18:00Z
cp:contentStatus: Microsoft.XMLHTTPLOVEISAdodb.streaMLOVEISshell.ApplicationLOVEISWscript.shellLOVEISProcessLOVEISGeTLOVEISTeMPLOVEISTypeLOVEISopenLOVEISwriteLOVEISresponseBodyLOVEISsavetofileLOVEIS\\drefudre.exe
Application document properties
Template: Normal.dotm
TotalTime: 0
Pages: 2
Words: 1
Characters: 6
Application: Microsoft Office Word
DocSecurity: 0
Lines: 1
Paragraphs: 1
ScaleCrop: false
vt:lpstr: Название
vt:i4: 1
LinksUpToDate: false
CharactersWithSpaces: 6
SharedDoc: false
HyperlinksChanged: false
AppVersion: 16.0000
Document languages
Language: Prevalence
ru-ru: 3
en-us: 1
ar-sa: 1
ExifTool file metadata
SharedDoc: No
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: 1
HeadingPairs: , 1
ZipFileName: [Content_Types].xml
Template: Normal.dotm
ZipRequiredVersion: 20
ModifyDate: 2017:05:15 09:18:00Z
ZipCRC: 0x199c740e
Words: 1
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/vnd.ms-word.document.macroEnabled
ZipBitFlag: 0x0006
CreateDate: 2017:05:15 09:18:00Z
Lines: 1
AppVersion: 16.0
ZipUncompressedSize: 1636
ZipCompressedSize: 427
Characters: 6
CharactersWithSpaces: 6
DocSecurity: None
ZipModifyDate: 1980:01:01 00:00:00
FileType: DOCM
Application: Microsoft Office Word
TotalEditTime: 0
ZipCompression: Deflated
Pages: 2
Creator: 1
FileTypeExtension: docm
Paragraphs: 1
ContentStatus: Microsoft.XMLHTTPLOVEISAdodb.streaMLOVEISshell.ApplicationLOVEISWscript.shellLOVEISProcessLOVEISGeTLOVEISTeMPLOVEISTypeLOVEISopenLOVEISwriteLOVEISresponseBodyLOVEISsavetofileLOVEIS\drefudre.exe

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files: 18
Uncompressed size: 122255
Highest datetime: 1980-01-01 00:00:00
Lowest datetime: 1980-01-01 00:00:00
Contained files by extension
xml: 12
bin: 1
jpg: 1
Contained files by type
XML: 16
Microsoft Office: 1
JPG: 1
File identification
MD5: 6d6761d6f3e3e812d9e814942d3ddb78
SHA1: db8cb21367a3b332452469dd1e8508288ea80ba0
SHA256: 3565f05b3541e5839c9744388c24c34d42b592a74f2f9f2129dbb8fcbe82165f
ssdeep: 1536:9CRkknw8zloS6oQ0JsyI/onOADVVud6dy47f:sRkkw8Vc/onO+6d6Xz
File size: 54.2 KB ( 55497 bytes )
File type: Office Open XML Document
Magic literal: Zip archive data, at least v2.0 to extract
TrID:
  Word Microsoft Office Open XML Format document (with Macro) (53.6%)
  Word Microsoft Office Open XML Format document (24.2%)
  Open Packaging Conventions container (18.0%)
  ZIP compressed archive (4.1%)
Tags
obfuscated open-file enum-windows exe-pattern handle-file docx macros write-file create-ole

VirusTotal metadata
First submission 2017-05-16 09:04:47 UTC ( 5 months, 1 week ago )
Last submission 2017-05-16 09:04:47 UTC ( 5 months, 1 week ago )
File names QCS3ZYS.docm