SHA256: cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940
File name: Payment_receipt.doc
Detection ratio: 26 / 56
Analysis date: 2017-01-26 23:35:56 UTC ( 1 month, 3 weeks ago )
Antivirus Result Update
Ad-Aware W97m.Downloader.FAH 20170126
AegisLab Troj.Script.Agent!c 20170126
ALYac W97m.Downloader.FAH 20170126
Arcabit W97m.Downloader.FAH 20170126
Avast VBA:Downloader-EBS [Trj] 20170127
Avira (no cloud) HEUR/Macro.Downloader 20170127
BitDefender W97m.Downloader.FAH 20170127
ClamAV Doc.Dropper.Agent-5503971-0 20170126
Cyren PP97M/Cerber.gen 20170127
DrWeb W97M.MulDrop.154 20170127
Emsisoft W97m.Downloader.FAH (B) 20170127
ESET-NOD32 VBA/TrojanDropper.Agent.TH 20170126
F-Prot PP97M/Cerber.gen 20170127
F-Secure W97m.Downloader.FAH 20170127
Fortinet WM/Agent.ORK!tr 20170127
GData W97m.Downloader.FAH 20170127
Ikarus Trojan-Downloader.VBA.Agent 20170126
Kaspersky HEUR:Trojan.Script.Agent.gen 20170126
McAfee W97M/Downloader.btc 20170126
McAfee-GW-Edition W97M/Downloader.btc 20170126
eScan W97m.Downloader.FAH 20170126
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170126
Sophos Troj/DocDl-GMV 20170126
Symantec W97M.Downloader 20170126
TrendMicro W2KM_CERBER.DLDR 20170126
TrendMicro-HouseCall W2KM_CERBER.DLDR 20170126
AhnLab-V3 20170126
Alibaba 20170122
Antiy-AVL 20170126
AVG 20170126
AVware 20170127
Baidu 20170125
Bkav 20170123
CAT-QuickHeal 20170125
CMC 20170126
Comodo 20170126
CrowdStrike Falcon (ML) 20161024
Invincea 20170111
Jiangmin 20170126
K7AntiVirus 20170126
K7GW 20170126
Kingsoft 20170127
Malwarebytes 20170126
Microsoft 20170126
nProtect 20170126
Panda 20170126
Qihoo-360 20170127
Rising 20170126
SUPERAntiSpyware 20170126
Tencent 20170127
TheHacker 20170125
TotalDefense 20170126
Trustlook 20170127
VBA32 20170126
VIPRE 20170126
ViRobot 20170126
WhiteArmor 20170123
Yandex 20170126
Zillya 20170126
Zoner 20170126
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 5082 bytes
obfuscated open-file run-file write-file
Content types
bin
rels
png
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
creator: Hravat
lastModifiedBy: qaz12pl
revision: 93
created: 2016-12-05T07:29:00Z
modified: 2016-12-29T19:52:00Z
Application document properties
Template: Normal
TotalTime: 146
Pages: 1
Words: 7
Characters: 42
Application: Microsoft Office Word
DocSecurity: 0
Lines: 1
Paragraphs: 1
ScaleCrop: false
LinksUpToDate: false
CharactersWithSpaces: 48
SharedDoc: false
HyperlinksChanged: false
AppVersion: 14.0000
Document languages
Language Prevalence
pl-pl 2
en-us 2
ar-sa 1
ExifTool file metadata
SharedDoc: No
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: qaz12pl
HeadingPairs: Title, 1
ZipFileName: [Content_Types].xml
Template: Normal
ZipRequiredVersion: 20
ModifyDate: 2016:12:29 19:52:00Z
ZipCRC: 0x18ecf843
Words: 7
ScaleCrop: No
RevisionNumber: 93
MIMEType: application/vnd.ms-word.document.macroEnabled
ZipBitFlag: 0x0006
CreateDate: 2016:12:05 07:29:00Z
Lines: 1
AppVersion: 14.0
ZipUncompressedSize: 2137
ZipCompressedSize: 497
Characters: 42
CharactersWithSpaces: 48
DocSecurity: None
ZipModifyDate: 1980:01:01 00:00:00
FileType: DOCM
Application: Microsoft Office Word
TotalEditTime: 2.4 hours
ZipCompression: Deflated
Pages: 1
Creator: Hravat
FileTypeExtension: docm
Paragraphs: 1

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files: 23
Uncompressed size: 273972
Highest datetime: 1980-01-01 00:00:00
Lowest datetime: 1980-01-01 00:00:00
Contained files by extension
xml: 16
png: 2
bin: 1
Contained files by type
XML: 19
PNG: 2
unknown: 1
Microsoft Office: 1
File identification
MD5 3b8e1a5c3e6fdb5b2ecb6aa780bce018
SHA1 5321956d0f59743721a454d88262f3225a65afbd
SHA256 cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940
ssdeep 6144:Hqjq9Y1qOylgeRV9jAcWMFvucjGoE31bq:HQtcOyG6TWJ1bq
File size 203.5 KB ( 208388 bytes )
File type Office Open XML Document
Magic literal Zip archive data, at least v2.0 to extract
TrID Word Microsoft Office Open XML Format document (with Macro) (65.4%)
Word Microsoft Office Open XML Format document (29.5%)
ZIP compressed archive (5.0%)
Tags obfuscated run-file docx open-file macros write-file

VirusTotal metadata
First submission 2016-12-29 13:02:21 UTC ( 2 months, 3 weeks ago )
Last submission 2017-01-26 23:35:56 UTC ( 1 month, 3 weeks ago )
File names Payment_receipt.doc
3b8e1a5c3e6fdb5b2ecb6aa780bce018.doc
Domain_Abuse_Report.doc
domain-abuse-report.doc
cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940.zip