× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 0f368342ddf043210dcae012c06532c494873dcf283f26ae4f7f3e48290f2c4a
File name: Shipping Labels (620486055838).doc
Detection ratio: 8 / 56
Analysis date: 2016-03-17 09:01:59 UTC ( 3 years, 2 months ago ) View latest
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.d 20160317
AVG W97M/Downloader 20160317
Baidu VBA.Trojan-Downloader.Agent.wv 20160317
F-Secure Trojan-Downloader:W97M/Dridex.R 20160317
GData Macro.Trojan-Downloader.Agent.KY 20160317
Qihoo-360 heur.macro.download.1i 20160317
TrendMicro W2KM_HPSPLICAP.SM 20160317
TrendMicro-HouseCall W2KM_HPSPLICAP.SM 20160317
Ad-Aware 20160317
AegisLab 20160317
Yandex 20160316
AhnLab-V3 20160316
Alibaba 20160317
ALYac 20160317
Antiy-AVL 20160317
Avast 20160317
Avira (no cloud) 20160317
AVware 20160317
Baidu-International 20160316
BitDefender 20160317
Bkav 20160316
ByteHero 20160317
CAT-QuickHeal 20160317
ClamAV 20160311
CMC 20160316
Comodo 20160317
Cyren 20160317
DrWeb 20160317
Emsisoft 20160317
ESET-NOD32 20160317
F-Prot 20160317
Fortinet 20160317
Ikarus 20160317
Jiangmin 20160317
K7AntiVirus 20160317
K7GW 20160317
Kaspersky 20160317
Malwarebytes 20160317
McAfee 20160317
McAfee-GW-Edition 20160317
Microsoft 20160316
eScan 20160317
NANO-Antivirus 20160317
nProtect 20160316
Panda 20160316
Rising 20160317
Sophos AV 20160317
SUPERAntiSpyware 20160317
Symantec 20160317
Tencent 20160317
TheHacker 20160315
VBA32 20160316
VIPRE 20160316
ViRobot 20160317
Zillya 20160316
Zoner 20160317
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May create OLE objects.
May enumerate open windows.
May try to download additional files from the Internet.
Seems to contain deobfuscation code.
Summary
last_author
Microsoft Office
creation_datetime
2016-03-17 07:21:00
template
Normal.dotm
author
1
page_count
1
last_saved
2016-03-17 07:21:00
revision_number
2
application_name
Microsoft Office Word
code_page
Cyrillic
Document summary
company
Home
version
1048576
code_page
Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
6656
type_literal
stream
size
114
name
\x01CompObj
sid
25
type_literal
stream
size
4096
name
\x05DocumentSummaryInformation
sid
4
type_literal
stream
size
4096
name
\x05SummaryInformation
sid
3
type_literal
stream
size
8456
name
1Table
sid
1
type_literal
stream
size
614
name
Macros/PROJECT
sid
23
type_literal
stream
size
125
name
Macros/PROJECTwm
sid
24
type_literal
stream
size
19607
type
macro
name
Macros/VBA/Module1
sid
14
type_literal
stream
size
15730
name
Macros/VBA/Module2
sid
15
type_literal
stream
size
23244
type
macro
name
Macros/VBA/Module3
sid
16
type_literal
stream
size
1593
type
macro
name
Macros/VBA/ThisDocument
sid
21
type_literal
stream
size
14545
name
Macros/VBA/_VBA_PROJECT
sid
22
type_literal
stream
size
7692
name
Macros/VBA/__SRP_0
sid
17
type_literal
stream
size
762
name
Macros/VBA/__SRP_1
sid
18
type_literal
stream
size
292
name
Macros/VBA/__SRP_2
sid
19
type_literal
stream
size
103
name
Macros/VBA/__SRP_3
sid
20
type_literal
stream
size
891
name
Macros/VBA/dir
sid
12
type_literal
stream
size
1343
type
macro (only attributes)
name
Macros/VBA/tot
sid
13
type_literal
stream
size
97
name
Macros/tot/\x01CompObj
sid
9
type_literal
stream
size
250
name
Macros/tot/\x03VBFrame
sid
10
type_literal
stream
size
94
name
Macros/tot/f
sid
7
type_literal
stream
size
184
name
Macros/tot/o
sid
8
type_literal
stream
size
4096
name
WordDocument
sid
2
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 46 bytes
[+] Module1.bas Macros/VBA/Module1 8598 bytes
create-ole enum-windows obfuscated
[+] Module3.bas Macros/VBA/Module3 15057 bytes
exe-pattern create-ole open-file
[+] Module2.bas Macros/VBA/Module2 7589 bytes
exe-pattern url-pattern create-ole download obfuscated open-file
ExifTool file metadata
SharedDoc
No

Author
1

HyperlinksChanged
No

LinksUpToDate
No

LastModifiedBy
Microsoft Office

HeadingPairs
, 1

Template
Normal.dotm

CharCountWithSpaces
0

CreateDate
2016:03:17 06:21:00

CompObjUserType
???????? Microsoft Word 97-2003

ModifyDate
2016:03:17 06:21:00

Company
Home

Characters
0

CodePage
Windows Cyrillic

RevisionNumber
2

MIMEType
application/msword

Words
0

FileType
DOC

Lines
0

AppVersion
16.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
0

File identification
MD5 b42ac15c24cbc3337293c50f414a0366
SHA1 1dca7ae1993eca3c8822704c5f0e1fccbf8bd5da
SHA256 0f368342ddf043210dcae012c06532c494873dcf283f26ae4f7f3e48290f2c4a
ssdeep
3072:uvhhideSolJJ694IH+V11ZdxREld4tjc3FKMSdZg:M6QXcFKPd

File size 113.0 KB ( 115712 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dotm, Last Saved By: Microsoft Office, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Mar 16 06:21:00 2016, Last Saved Time/Date: Wed Mar 16 06:21:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated open-file enum-windows exe-pattern url-pattern macros doc download create-ole

VirusTotal metadata
First submission 2016-03-17 08:51:07 UTC ( 3 years, 2 months ago )
Last submission 2016-03-17 09:21:19 UTC ( 3 years, 2 months ago )
File names 6c903302705357d42a81b96b7957964d
Shipping Labels (620486055838).doc
Shipping Labels (987612232003).doc
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!