SHA256: cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940
File name: cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940....
Detection ratio: 29 / 55
Analysis date: 2017-04-17 23:30:41 UTC ( 1 week, 3 days ago )
Antivirus Result Update
AegisLab Troj.Script.Agent!c 20170417
ALYac W97m.Downloader.FAH 20170417
Antiy-AVL Trojan/Script.Agent.gen 20170417
Arcabit W97m.Downloader.FAH 20170417
Avast VBA:Downloader-EBS [Trj] 20170417
Avira (no cloud) HEUR/Macro.Downloader 20170417
Baidu VBA.Trojan-Dropper.Agent.qm 20170417
BitDefender W97m.Downloader.FAH 20170417
ClamAV Doc.Dropper.Agent-5503971-0 20170417
Cyren PP97M/Cerber.gen 20170417
DrWeb W97M.MulDrop.154 20170418
Emsisoft W97m.Downloader.FAH (B) 20170417
ESET-NOD32 VBA/TrojanDropper.Agent.TH 20170417
F-Prot PP97M/Cerber.gen 20170418
F-Secure W97m.Downloader.FAH 20170418
Fortinet WM/Agent.ORK!tr 20170417
GData W97m.Downloader.FAH 20170418
Ikarus Trojan-Downloader.VBA.Agent 20170417
Kaspersky HEUR:Trojan.Script.Agent.gen 20170417
McAfee W97M/Downloader.btc 20170417
McAfee-GW-Edition W97M/Downloader.btc 20170417
eScan W97m.Downloader.FAH 20170417
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170416
Sophos Troj/DocDl-GMV 20170417
Symantec W97M.Downloader 20170417
TrendMicro W2KM_CERBER.DLDR 20170417
TrendMicro-HouseCall W2KM_CERBER.DLDR 20170417
ViRobot DOC.Z.Agent.25088[h] 20170417
ZoneAlarm by Check Point HEUR:Trojan.Script.Agent.gen 20170417
Ad-Aware 20170417
AhnLab-V3 20170417
Alibaba 20170417
AVG 20170417
AVware 20170417
CAT-QuickHeal 20170417
Comodo 20170417
CrowdStrike Falcon (ML) 20170130
Endgame 20170413
Invincea 20170413
Jiangmin 20170417
K7AntiVirus 20170417
K7GW 20170417
Kingsoft 20170418
Malwarebytes 20170417
Microsoft 20170417
nProtect 20170417
Palo Alto Networks (Known Signatures) 20170418
Panda 20170417
Qihoo-360 20170418
Rising 20170417
SentinelOne (Static ML) 20170330
SUPERAntiSpyware 20170418
Symantec Mobile Insight 20170414
Tencent 20170418
TheHacker 20170416
TotalDefense 20170417
Trustlook 20170418
VBA32 20170417
VIPRE 20170417
WhiteArmor 20170409
Yandex 20170417
Zoner 20170417
The file being studied follows the Open XML file format. More specifically, it is an Office Open XML Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Macros and VBA code streams
[+] ThisDocument.cls word/vbaProject.bin VBA/ThisDocument 5082 bytes
obfuscated open-file run-file write-file
Content types
bin
rels
png
xml
Package relationships
word/document.xml
docProps/app.xml
docProps/core.xml
Core document properties
dc:creator
Hravat
cp:lastModifiedBy
qaz12pl
cp:revision
93
dcterms:created
2016-12-05T07:29:00Z
dcterms:modified
2016-12-29T19:52:00Z
Application document properties
Template
Normal
TotalTime
146
Pages
1
Words
7
Characters
42
Application
Microsoft Office Word
DocSecurity
0
Lines
1
Paragraphs
1
ScaleCrop
false
vt:lpstr
Title
vt:i4
1
LinksUpToDate
false
CharactersWithSpaces
48
SharedDoc
false
HyperlinksChanged
false
AppVersion
14.0000
Document languages
Language
Prevalence
pl-pl
2
en-us
2
ar-sa
1
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
qaz12pl

HeadingPairs
Title, 1

ZipFileName
[Content_Types].xml

Template
Normal

ZipRequiredVersion
20

ModifyDate
2016:12:29 19:52:00Z

ZipCRC
0x18ecf843

Words
7

ScaleCrop
No

RevisionNumber
93

MIMEType
application/vnd.ms-word.document.macroEnabled

ZipBitFlag
0x0006

CreateDate
2016:12:05 07:29:00Z

Lines
1

AppVersion
14.0

ZipUncompressedSize
2137

ZipCompressedSize
497

Characters
42

CharactersWithSpaces
48

DocSecurity
None

ZipModifyDate
1980:01:01 00:00:00

FileType
DOCM

Application
Microsoft Office Word

TotalEditTime
2.4 hours

ZipCompression
Deflated

Pages
1

Creator
Hravat

FileTypeExtension
docm

Paragraphs
1

The file being studied is a compressed stream! Details about the compressed contents follow.
Contained files
Compression metadata
Contained files
23
Uncompressed size
273972
Highest datetime
1980-01-01 00:00:00
Lowest datetime
1980-01-01 00:00:00
Contained files by extension
xml
16
png
2
bin
1
Contained files by type
XML
19
PNG
2
unknown
1
Microsoft Office
1
File identification
MD5 3b8e1a5c3e6fdb5b2ecb6aa780bce018
SHA1 5321956d0f59743721a454d88262f3225a65afbd
SHA256 cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940
ssdeep
6144:Hqjq9Y1qOylgeRV9jAcWMFvucjGoE31bq:HQtcOyG6TWJ1bq

File size 203.5 KB ( 208388 bytes )
File type Office Open XML Document
Magic literal
Zip archive data, at least v2.0 to extract

TrID Word Microsoft Office Open XML Format document (with Macro) (53.6%)
Word Microsoft Office Open XML Format document (24.2%)
Open Packaging Conventions container (18.0%)
ZIP compressed archive (4.1%)
Tags
obfuscated run-file docx open-file macros write-file

VirusTotal metadata
First submission 2016-12-29 13:02:21 UTC ( 3 months, 4 weeks ago )
Last submission 2017-04-17 23:30:41 UTC ( 1 week, 3 days ago )
File names Payment_receipt.doc
3b8e1a5c3e6fdb5b2ecb6aa780bce018.doc
cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940.docx
domain-abuse-report.doc
Domain_Abuse_Report.doc
cb38b25c1097985a17bb1cac5b5781bdea9f8a3f11a852f681903568057d6940.zip