SHA256: cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940
File name: cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940.bin
Detection ratio: 30 / 60
Analysis date: 2017-09-07 17:38:36 UTC ( 1 month, 1 week ago )
Antivirus Result Update
AegisLab Troj.Script.Agent!c 20170907
Antiy-AVL Trojan/Script.Agent.gen 20170907
Arcabit W97m.Downloader.FAH 20170907
Avast VBA:Downloader-EBS [Trj] 20170907
AVG VBA:Downloader-EBS [Trj] 20170907
Avira (no cloud) HEUR/Macro.Downloader 20170907
Baidu VBA.Trojan-Dropper.Agent.qm 20170907
BitDefender W97m.Downloader.FAH 20170907
ClamAV Doc.Dropper.Agent-5503971-0 20170907
Cyren PP97M/Cerber.gen 20170907
DrWeb W97M.MulDrop.154 20170907
Emsisoft W97m.Downloader.FAH (B) 20170907
ESET-NOD32 VBA/TrojanDropper.Agent.TH 20170907
F-Prot PP97M/Cerber.gen 20170907
F-Secure W97m.Downloader.FAH 20170907
Fortinet WM/Agent.ORK!tr 20170907
GData W97m.Downloader.FAH 20170907
Ikarus Trojan-Downloader.VBA.Agent 20170907
Kaspersky HEUR:Trojan.Script.Agent.gen 20170907
MAX malware (ai score=84) 20170907
McAfee W97M/Downloader.btc 20170907
McAfee-GW-Edition W97M/Downloader.btc 20170907
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170907
Qihoo-360 virus.office.qexvmc.1100 20170907
Sophos AV Troj/DocDl-GMV 20170907
Symantec W97M.Downloader 20170907
TrendMicro W2KM_CERBER.DLDR 20170907
TrendMicro-HouseCall W2KM_CERBER.DLDR 20170907
ViRobot DOC.Z.Agent.208388 20170907
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20170907
Ad-Aware 20170907
AhnLab-V3 20170907
Alibaba 20170907
ALYac 20170907
AVware 20170906
Bkav 20170907
CAT-QuickHeal 20170907
CMC 20170902
Comodo 20170907
CrowdStrike Falcon (ML) 20170804
Cylance 20170907
Endgame 20170821
Sophos ML 20170822
Jiangmin 20170907
K7AntiVirus 20170907
K7GW 20170907
Kingsoft 20170907
Malwarebytes 20170907
Microsoft 20170907
eScan 20170907
nProtect 20170907
Palo Alto Networks (Known Signatures) 20170907
Panda 20170906
Rising 20170901
SentinelOne (Static ML) 20170806
SUPERAntiSpyware 20170907
Symantec Mobile Insight 20170907
Tencent 20170907
TheHacker 20170904
TotalDefense 20170907
Trustlook 20170907
VBA32 20170907
VIPRE 20170907
Webroot 20170907
WhiteArmor 20170829
Yandex 20170907
Zillya 20170907
Zoner 20170907
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May open a file.
May write to a file.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 5082 bytes
obfuscated open-file run-file write-file
Content types
bin
rels
png
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator Hravat
cp:lastModifiedBy qaz12pl
cp:revision 93
dcterms:created 2016-12-05T07:29:00Z
dcterms:modified 2016-12-29T19:52:00Z
Application document properties
Template Normal
TotalTime 146
Pages 1
Words 7
Characters 42
Application Microsoft Office Word
DocSecurity 0
Lines 1
Paragraphs 1
ScaleCrop false
vt:lpstr Title
vt:i4 1
LinksUpToDate false
CharactersWithSpaces 48
SharedDoc false
HyperlinksChanged false
AppVersion 14.0000
Document languages
Language Prevalence
pl-pl 2
en-us 2
ar-sa 1
ExifTool file metadata
SharedDoc No
HyperlinksChanged No
LinksUpToDate No
LastModifiedBy qaz12pl
HeadingPairs Title, 1
ZipFileName [Content_Types].xml
Template Normal
ZipRequiredVersion 20
ModifyDate 2016:12:29 19:52:00Z
ZipCRC 0x18ecf843
Words 7
ScaleCrop No
RevisionNumber 93
MIMEType application/vnd.ms-word.document.macroEnabled
ZipBitFlag 0x0006
CreateDate 2016:12:05 07:29:00Z
Lines 1
AppVersion 14.0
ZipUncompressedSize 2137
ZipCompressedSize 497
Characters 42
CharactersWithSpaces 48
DocSecurity None
ZipModifyDate 1980:01:01 00:00:00
FileType DOCM
Application Microsoft Office Word
TotalEditTime 2.4 hours
ZipCompression Deflated
Pages 1
Creator Hravat
FileTypeExtension docm
Paragraphs 1
The file being studied is a compressed stream. Details about the compressed contents follow.
Contained files
Compression metadata
Contained files 23
Uncompressed size 273972
Highest datetime 1980-01-01 00:00:00
Lowest datetime 1980-01-01 00:00:00
Contained files by extension
xml 16
png 2
bin 1
Contained files by type
XML 19
PNG 2
unknown 1
Microsoft Office 1
Compressed bundles
File identification
MD5 3b8e1a5c3e6fdb5b2ecb6aa780bce018
SHA1 5321956d0f59743721a454d88262f3225a65afbd
SHA256 cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940
ssdeep 6144:Hqjq9Y1qOylgeRV9jAcWMFvucjGoE31bq:HQtcOyG6TWJ1bq
File size 203.5 KB ( 208388 bytes )
File type Office Open XML Document
Magic literal Zip archive data, at least v2.0 to extract
TrID Word Microsoft Office Open XML Format document (with Macro) (53.6%)
Word Microsoft Office Open XML Format document (24.2%)
Open Packaging Conventions container (18.0%)
ZIP compressed archive (4.1%)
Tags obfuscated run-file docx open-file macros write-file

VirusTotal metadata
First submission 2016-12-29 13:02:21 UTC ( 9 months, 3 weeks ago )
Last submission 2017-09-07 17:38:36 UTC ( 1 month, 1 week ago )
File names Payment_receipt.doc
3b8e1a5c3e6fdb5b2ecb6aa780bce018.doc
cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940.bin
cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940.zip
Domain_Abuse_Report.doc
cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940.docx
domain-abuse-report.doc