SHA256: cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940
File name: cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940.bin
Detection ratio: 32 / 61
Analysis date: 2017-11-04 02:08:54 UTC ( 1 month, 1 week ago )
Antivirus Result Update
Ad-Aware W97m.Downloader.FAH 20171104
AegisLab Troj.Script.Agent!c 20171104
Antiy-AVL Trojan/Script.Agent.gen 20171103
Arcabit W97m.Downloader.FAH 20171104
Avast VBA:Downloader-EBS [Trj] 20171104
AVG VBA:Downloader-EBS [Trj] 20171104
Avira (no cloud) HEUR/Macro.Downloader 20171104
Baidu VBA.Trojan-Dropper.Agent.qm 20171103
BitDefender W97m.Downloader.FAH 20171104
ClamAV Doc.Dropper.Agent-5503971-0 20171103
Cyren PP97M/Cerber.gen 20171104
DrWeb W97M.MulDrop.154 20171104
Emsisoft W97m.Downloader.FAH (B) 20171104
ESET-NOD32 VBA/TrojanDropper.Agent.TH 20171104
F-Prot PP97M/Cerber.gen 20171104
F-Secure W97m.Downloader.FAH 20171103
Fortinet WM/Agent.ORK!tr 20171104
GData W97m.Downloader.FAH 20171104
Ikarus Trojan-Downloader.VBA.Agent 20171103
Kaspersky HEUR:Trojan.Script.Agent.gen 20171104
MAX malware (ai score=100) 20171104
McAfee W97M/Downloader.btc 20171031
McAfee-GW-Edition W97M/Downloader.btc 20171104
eScan W97m.Downloader.FAH 20171103
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20171104
Qihoo-360 virus.office.qexvmc.1100 20171104
Sophos AV Troj/DocDl-GMV 20171103
Symantec W97M.Downloader 20171103
TrendMicro W2KM_CERBER.DLDR 20171104
TrendMicro-HouseCall W2KM_CERBER.DLDR 20171104
ViRobot DOC.Z.Agent.208388 20171103
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20171104
AhnLab-V3 20171103
Alibaba 20170911
ALYac 20171104
Avast-Mobile 20171103
AVware 20171104
Bkav 20171102
CAT-QuickHeal 20171103
CMC 20171103
Comodo 20171104
CrowdStrike Falcon (ML) 20171016
Cybereason 20171030
Cylance 20171104
eGambit 20171104
Endgame 20171024
Sophos ML 20170914
Jiangmin 20171104
K7AntiVirus 20171103
K7GW 20171104
Kingsoft 20171104
Malwarebytes 20171104
Microsoft 20171103
nProtect 20171104
Palo Alto Networks (Known Signatures) 20171104
Panda 20171103
Rising 20171104
SentinelOne (Static ML) 20171019
SUPERAntiSpyware 20171104
Symantec Mobile Insight 20171103
Tencent 20171104
TheHacker 20171102
TotalDefense 20171103
Trustlook 20171104
VBA32 20171103
VIPRE 20171104
Webroot 20171104
WhiteArmor 20171104
Yandex 20171102
Zillya 20171103
Zoner 20171104
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 5082 bytes
obfuscated open-file run-file write-file
Content types
bin
rels
png
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator: Hravat
cp:lastModifiedBy: qaz12pl
cp:revision: 93
dcterms:created: 2016-12-05T07:29:00Z
dcterms:modified: 2016-12-29T19:52:00Z
Application document properties
Template: Normal
TotalTime: 146
Pages: 1
Words: 7
Characters: 42
Application: Microsoft Office Word
DocSecurity: 0
Lines: 1
Paragraphs: 1
ScaleCrop: false
vt:lpstr: Title
vt:i4: 1
LinksUpToDate: false
CharactersWithSpaces: 48
SharedDoc: false
HyperlinksChanged: false
AppVersion: 14.0000
Document languages
Language: Prevalence
pl-pl: 2
en-us: 2
ar-sa: 1
ExifTool file metadata
SharedDoc: No
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: qaz12pl
HeadingPairs: Title, 1
ZipFileName: [Content_Types].xml
Template: Normal
ZipRequiredVersion: 20
ModifyDate: 2016:12:29 19:52:00Z
ZipCRC: 0x18ecf843
Words: 7
ScaleCrop: No
RevisionNumber: 93
MIMEType: application/vnd.ms-word.document.macroEnabled
ZipBitFlag: 0x0006
CreateDate: 2016:12:05 07:29:00Z
Lines: 1
AppVersion: 14.0
ZipUncompressedSize: 2137
ZipCompressedSize: 497
Characters: 42
CharactersWithSpaces: 48
DocSecurity: None
ZipModifyDate: 1980:01:01 00:00:00
FileType: DOCM
Application: Microsoft Office Word
TotalEditTime: 2.4 hours
ZipCompression: Deflated
Pages: 1
Creator: Hravat
FileTypeExtension: docm
Paragraphs: 1

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files: 23
Uncompressed size: 273972
Highest datetime: 1980-01-01 00:00:00
Lowest datetime: 1980-01-01 00:00:00
Contained files by extension
xml: 16
png: 2
bin: 1
Contained files by type
XML: 19
PNG: 2
unknown: 1
Microsoft Office: 1
Compressed bundles
File identification
MD5 3b8e1a5c3e6fdb5b2ecb6aa780bce018
SHA1 5321956d0f59743721a454d88262f3225a65afbd
SHA256 cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940
ssdeep 6144:Hqjq9Y1qOylgeRV9jAcWMFvucjGoE31bq:HQtcOyG6TWJ1bq
File size 203.5 KB ( 208388 bytes )
File type Office Open XML Document
Magic literal Zip archive data, at least v2.0 to extract
TrID Word Microsoft Office Open XML Format document (with Macro) (53.6%)
Word Microsoft Office Open XML Format document (24.2%)
Open Packaging Conventions container (18.0%)
ZIP compressed archive (4.1%)
Tags
obfuscated run-file docx open-file macros write-file

VirusTotal metadata
First submission 2016-12-29 13:02:21 UTC ( 11 months, 2 weeks ago )
Last submission 2017-09-07 17:38:36 UTC ( 3 months ago )
File names Payment_receipt.doc
3b8e1a5c3e6fdb5b2ecb6aa780bce018.doc
cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940.bin
cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940.zip
Domain_Abuse_Report.doc
cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940.docx
domain-abuse-report.doc