SHA256: 7bdf7722115be910e2b301b3f6b3037bc4b987c588838cd2459aeeeec9f50be7
File name: a829a9d423a078d034379c8c454c701d.doc
Detection ratio: 40 / 60
Analysis date: 2018-01-09 09:24:19 UTC ( 1 week, 4 days ago )
Antivirus Result Update
Ad-Aware VB:Trojan.Valyria.1055 20180109
AegisLab Troj.Script.Agent!c 20180109
AhnLab-V3 W97M/Downloader 20180109
ALYac Trojan.Downloader.W97M.Gen 20180109
Antiy-AVL Trojan[Downloader]/MSOffice.Agent.fop 20180109
Arcabit VB:Trojan.Valyria.D41F 20180109
Avast Other:Malware-gen [Trj] 20180109
AVG Other:Malware-gen [Trj] 20180109
Avira (no cloud) VBA/Dldr.Agent.yqnyw 20180109
Baidu VBA.Trojan-Downloader.Agent.che 20180109
BitDefender VB:Trojan.Valyria.1055 20180109
CAT-QuickHeal W97M.Downloader.4648 20180109
ClamAV Doc.Macro.Obfuscation-6387400-0 20180109
Cyren W97M/Powmet 20180109
DrWeb W97M.DownLoader.2273 20180109
Emsisoft VB:Trojan.Valyria.1055 (B) 20180109
ESET-NOD32 VBA/TrojanDownloader.Agent.FOP 20180109
F-Prot New or modified W97M/Powmet 20180109
F-Secure VB:Trojan.Valyria.1055 20180109
Fortinet VBA/Agent.FPV!tr 20180109
Ikarus Trojan.Word.Agent 20180109
K7AntiVirus Trojan ( 0001140e1 ) 20180109
K7GW Trojan ( 0001140e1 ) 20180109
Kaspersky HEUR:Trojan.Script.Agent.gen 20180109
MAX malware (ai score=100) 20180109
McAfee W97M/Downloader.cjp 20180109
McAfee-GW-Edition W97M/Downloader.cjp 20180109
Microsoft TrojanDownloader:O97M/Donoff 20180109
eScan VB:Trojan.Valyria.1055 20180109
NANO-Antivirus Trojan.Script.ExpKit.evomus 20180109
Qihoo-360 virus.office.qexvmc.1090 20180109
Rising Trojan.Obfus/VBA!1.A609 (CLASSIC:7z8LaZA7zfC) 20180106
Sophos AV Troj/DocDl-LQN 20180109
Symantec W97M.Downloader 20180109
Tencent Win32.Trojan-downloader.Agent.Llgz 20180109
TrendMicro W2KM_DLOADR.YYTGS 20180109
TrendMicro-HouseCall W2KM_Powload.SMALYTET 20180109
ViRobot DOC.Z.Agent.175104.V 20180109
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20180109
Zoner Probably W97Obfuscated 20180109
Alibaba 20180109
Avast-Mobile 20180108
AVware 20180103
Bkav 20180106
CMC 20180109
Comodo 20180109
CrowdStrike Falcon (ML) 20171016
Cybereason 20171103
Cylance 20180109
eGambit 20180109
Endgame 20171130
GData 20180109
Sophos ML 20170914
Jiangmin 20180109
Kingsoft 20180109
Malwarebytes 20180109
nProtect 20180109
Palo Alto Networks (Known Signatures) 20180109
Panda 20180108
SentinelOne (Static ML) 20171224
SUPERAntiSpyware 20180109
Symantec Mobile Insight 20180109
TheHacker 20180108
TotalDefense 20180109
Trustlook 20180109
VBA32 20180108
VIPRE 20180109
Webroot 20180109
WhiteArmor 20171226
Yandex 20171229
Zillya 20180108
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May write to a file.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
creation_datetime
2017-11-29 19:42:00
template
Normal.dotm
author
vvGwSRQc
page_count
1
last_saved
2017-11-29 19:42:00
word_count
1
revision_number
1
application_name
Microsoft Office Word
character_count
9
code_page
Latin I
Document summary
line_count
1
characters_with_spaces
9
version
1048576
paragraph_count
1
code_page
Latin I
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
3008
type_literal
stream
size
114
name
\x01CompObj
sid
16
type_literal
stream
size
4096
name
\x05DocumentSummaryInformation
sid
5
type_literal
stream
size
412
name
\x05SummaryInformation
sid
4
type_literal
stream
size
7029
name
1Table
sid
2
type_literal
stream
size
8862
name
Data
sid
1
type_literal
stream
size
532
name
Macros/PROJECT
sid
15
type_literal
stream
size
149
name
Macros/PROJECTwm
sid
14
type_literal
stream
size
48489
type
macro
name
Macros/VBA/HoBCBVPdD
sid
11
type_literal
stream
size
46532
type
macro
name
Macros/VBA/MWjDkwECDcSUw
sid
10
type_literal
stream
size
30482
type
macro
name
Macros/VBA/STGtjvOqUEB
sid
9
type_literal
stream
size
924
type
macro (only attributes)
name
Macros/VBA/ThisDocument
sid
8
type_literal
stream
size
11820
name
Macros/VBA/_VBA_PROJECT
sid
12
type_literal
stream
size
703
name
Macros/VBA/dir
sid
13
type_literal
stream
size
4096
name
WordDocument
sid
3
Macros and VBA code streams
[+] STGtjvOqUEB.bas Macros/VBA/STGtjvOqUEB 19805 bytes
obfuscated run-file write-file
[+] MWjDkwECDcSUw.bas Macros/VBA/MWjDkwECDcSUw 32116 bytes
obfuscated
[+] HoBCBVPdD.bas Macros/VBA/HoBCBVPdD 33495 bytes
obfuscated
ExifTool file metadata
SharedDoc
No

Author
vvGwSRQc

CodePage
Windows Latin 1 (Western European)

LinksUpToDate
No

HeadingPairs
Title, 1

Template
Normal.dotm

CharCountWithSpaces
9

CreateDate
2017:11:29 18:42:00

CompObjUserType
Microsoft Word 97-2003 Document

ModifyDate
2017:11:29 18:42:00

HyperlinksChanged
No

Characters
9

ScaleCrop
No

RevisionNumber
1

MIMEType
application/msword

Words
1

FileType
DOC

Lines
1

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

Compressed bundles
File identification
MD5 a829a9d423a078d034379c8c454c701d
SHA1 40c65a45e6bb3fd4ce756ad8fbea1b5e9139e0a7
SHA256 7bdf7722115be910e2b301b3f6b3037bc4b987c588838cd2459aeeeec9f50be7
ssdeep
3072:46S9Aw6KlZhjTIIG2cO3i1CLUuOnNWhZa9ndZUVTEn:JHstIIG2cO36CvON3n0

File size 171.0 KB ( 175104 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: vvGwSRQc, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Nov 28 18:42:00 2017, Last Saved Time/Date: Tue Nov 28 18:42:00 2017, Number of Pages: 1, Number of Words: 1, Number of Characters: 9, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file write-file doc

VirusTotal metadata
First submission 2017-11-29 19:05:02 UTC ( 1 month, 3 weeks ago )
Last submission 2017-12-19 22:26:54 UTC ( 1 month ago )
File names Invoice #37994271620.doc
7bdf7722115be910e2b301b3f6b3037bc4b987c588838cd2459aeeeec9f50be7_7bdf7722115be910e2b301b3f6b3037bc4b987c588838cd2459aeeeec9f50be7.bin
Invoice #11504604167.doc
Invoice #093102490889.doc
Invoice #72539978.doc
Invoice #1927656.doc
Informationen # 1608076179.doc
Invoice #923647191884.doc
Invoice #63840094.doc
d92f62b6978d0e0f8461bb2439d44a281cad6f38
Invoice #02358185534.doc
output.112522027.txt
Invoice #291804458731.doc
Invoice #6889534827.doc
Invoice #488211392030.doc
Invoice #8979549.doc
Invoice #849288681.doc
2017-11-29-Emotet-malspam-1st-run-Invoice _565700179.doc
Invoice #10644699.doc
Invoice #4685857.doc
Invoice #9569927.doc
Invoice #2660444.doc
Invoice #57460910.doc
Invoice #11070244.doc
Invoice #71547529.doc