SHA256: 1cfd5890006c047ef571119325b2642b2b3d349645b7f6a287adf05fd75981ea
File name: invoice_89044096_scan.doc
Detection ratio: 2 / 54
Analysis date: 2015-12-15 10:14:54 UTC ( 3 years, 5 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan 20151215
Fortinet WM/Agent!tr 20151215
Ad-Aware 20151215
AegisLab 20151215
Yandex 20151214
AhnLab-V3 20151214
Alibaba 20151208
ALYac 20151215
Antiy-AVL 20151215
Avast 20151215
AVG 20151215
Avira (no cloud) 20151215
AVware 20151215
Baidu-International 20151215
BitDefender 20151215
Bkav 20151214
ByteHero 20151215
CAT-QuickHeal 20151215
ClamAV 20151215
CMC 20151215
Comodo 20151215
Cyren 20151215
DrWeb 20151215
Emsisoft 20151215
ESET-NOD32 20151215
F-Prot 20151215
F-Secure 20151215
GData 20151215
Ikarus 20151215
Jiangmin 20151214
K7AntiVirus 20151215
K7GW 20151215
Kaspersky 20151215
Malwarebytes 20151215
McAfee 20151215
McAfee-GW-Edition 20151215
Microsoft 20151215
eScan 20151215
NANO-Antivirus 20151215
nProtect 20151215
Panda 20151213
Qihoo-360 20151215
Rising 20151215
Sophos AV 20151215
SUPERAntiSpyware 20151215
Symantec 20151214
TheHacker 20151215
TrendMicro 20151215
TrendMicro-HouseCall 20151215
VBA32 20151214
VIPRE 20151215
ViRobot 20151215
Zillya 20151214
Zoner 20151215
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: Hello
creation_datetime: 2014-07-16 10:28:00
revision_number: 73
author: Advantech
page_count: 1
last_saved: 2015-12-15 09:55:00
edit_time: 3240
word_count: 73
template: Normal.dotm
application_name: Microsoft Office Word
character_count: 417
code_page: Cyrillic
Document summary
byte_count: 53760
characters_with_spaces: 489
line_count: 3
version: 786432
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 7168
type_literal: stream, sid: 21, name: \x01CompObj, size: 121
type_literal: stream, sid: 5, name: \x05DocumentSummaryInformation, size: 4096
type_literal: stream, sid: 4, name: \x05SummaryInformation, size: 4096
type_literal: stream, sid: 2, name: 1Table, size: 10035
type_literal: stream, sid: 1, name: Data, size: 14530
type_literal: stream, sid: 20, name: Macros/PROJECT, size: 367
type_literal: stream, sid: 19, name: Macros/PROJECTwm, size: 41
type_literal: stream, sid: 12, type: macro, name: Macros/VBA/ThisDocument, size: 6619
type_literal: stream, sid: 15, name: Macros/VBA/_VBA_PROJECT, size: 3078
type_literal: stream, sid: 17, name: Macros/VBA/__SRP_0, size: 1286
type_literal: stream, sid: 18, name: Macros/VBA/__SRP_1, size: 131
type_literal: stream, sid: 13, name: Macros/VBA/__SRP_2, size: 340
type_literal: stream, sid: 14, name: Macros/VBA/__SRP_3, size: 316
type_literal: stream, sid: 16, name: Macros/VBA/dir, size: 523
type_literal: stream, sid: 8, name: MsoDataStore/TK\xc6B\xcfVH0\xc4\xc4\xde5H\xce\xc0V\xc5\xd1\xd8\xc9\xc0Q==/Item, size: 205
type_literal: stream, sid: 9, name: MsoDataStore/TK\xc6B\xcfVH0\xc4\xc4\xde5H\xce\xc0V\xc5\xd1\xd8\xc9\xc0Q==/Properties, size: 341
type_literal: stream, sid: 3, name: WordDocument, size: 6196
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 2715 bytes
exe-pattern url-pattern create-ole obfuscated open-file write-file
ExifTool file metadata
SharedDoc: No
Author: Advantech
CodePage: Windows Cyrillic
System: Windows
LinksUpToDate: No
LastModifiedBy: Hello
HeadingPairs: , 1
Hyperlinks: http://office365.com/
Identification: Word 8.0
Template: Normal.dotm
CharCountWithSpaces: 489
Word97: No
LanguageCode: Russian
CompObjUserType: ???????? Microsoft Office Word 97-2003
ModifyDate: 2015:12:15 08:55:00
Characters: 417
HyperlinksChanged: No
RevisionNumber: 73
MIMEType: application/msword
Words: 73
Lines: 3
CreateDate: 2014:07:16 09:28:00
Bytes: 53760
AppVersion: 12.0
Security: None
Software: Microsoft Office Word
FileType: DOC
TotalEditTime: 54 minutes
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 39
FileTypeExtension: doc
Paragraphs: 1
LastPrinted: 0000:00:00 00:00:00
DocFlags: Has picture, 1Table, ExtChar

File identification
MD5 7ddef77c68d6a0acc12531a58d3f3743
SHA1 8a5f47c2589a9404617b2f94983b96dc24c7dbc1
SHA256 1cfd5890006c047ef571119325b2642b2b3d349645b7f6a287adf05fd75981ea
ssdeep 768:B6Kl1QhB9fOZGBVAKCBAldD2xz99ql20GIprH6x:B/XQhbftBV7IAldD23vmrH

File size 57.0 KB ( 58368 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Advantech, Template: Normal.dotm, Last Saved By: Hello, Revision Number: 73, Name of Creating Application: Microsoft Office Word, Total Editing Time: 54:00, Create Time/Date: Tue Jul 15 09:28:00 2014, Last Saved Time/Date: Mon Dec 14 08:55:00 2015, Number of Pages: 1, Number of Words: 73, Number of Characters: 417, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file exe-pattern url-pattern macros attachment doc write-file create-ole

VirusTotal metadata
First submission 2015-12-15 09:52:52 UTC ( 3 years, 5 months ago )
Last submission 2018-04-25 00:22:42 UTC ( 1 year ago )
File names 44340ab67e2c2ffb23209e36f515fbe5
invoice_20074491_scan.doc
invoice_30851178_scan.doc
invoice_21276196_scan.doc
invoice_17719607_scan.doc
invoice_72187633_scan.doc
invoice_99116145_scan.doc
invoice_97397473_scan.doc
invoice_10772884_scan.doc.malware
invoice_82172813_scan.doc
invoice_85020856_scan.doc
invoice_99930554_scan.doc
invoice_59018082_scan.doc
invoice_68897670_scan.doc
invoice_03494105_scan.doc
c2bz7s7kb5k
invoice_42341992_scan.doc
invoice_01832423_scan.doc
invoice_89770023_scan.doc
invoice_14784535_scan.doc
invoice_55072557_scan.doc
invoice_55601195_scan.doc
invoice_87434864_scan.doc
invoice_60022187_scan.doc
VIRUS.doc