SHA256: 25dadde8c247fe048cc331b40671e5e9f4b1c728161bbd86d030f2904d42dd5c
File name: 25DADDE8C247FE048CC331B40671E5E9F4B1C728161BBD86D030F2904D42DD5C.dat
Detection ratio: 25 / 57
Analysis date: 2015-04-27 08:49:59 UTC ( 3 years, 11 months ago )
Antivirus Result Update
Ad-Aware W97M.Downloader.LX 20150427
ALYac W97M.Downloader.LX 20150427
Avast MW97:Dropper-AV [Trj] 20150427
AVG Script/PDF.Exploit.C 20150427
AVware LooksLike.Macro.Malware.gen!d5 (v) 20150427
BitDefender W97M.Downloader.LX 20150427
CAT-QuickHeal W97M.Dropper.EY 20150427
Cyren Downloader.MCOZ 20150427
DrWeb W97M.DownLoader.326 20150427
Emsisoft W97M.Downloader.LX (B) 20150427
ESET-NOD32 VBA/TrojanDownloader.Agent.PC 20150427
F-Prot W97M/Downloader.I 20150427
F-Secure W97M.Downloader.LX 20150426
GData W97M.Downloader.LX 20150427
Ikarus Trojan-Downloader.VBA.Agent 20150427
McAfee W97M/Downloader.agm 20150427
McAfee-GW-Edition W97M/Downloader.agm 20150427
Microsoft TrojanDownloader:W97M/Adnel.D 20150427
eScan W97M.Downloader.LX 20150427
Panda W97M/Downloader 20150427
Sophos AV Troj/DocDl-MJ 20150427
Tencent Win32.Trojan-downloader.Agent.Jco 20150427
TrendMicro W2KM_DLOADR.JCZ 20150427
TrendMicro-HouseCall W2KM_DLOADR.JCZ 20150427
VIPRE LooksLike.Macro.Malware.gen!d5 (v) 20150427
AegisLab 20150427
Yandex 20150426
AhnLab-V3 20150426
Alibaba 20150427
Antiy-AVL 20150427
Avira (no cloud) 20150427
Baidu-International 20150426
Bkav 20150425
ByteHero 20150427
ClamAV 20150427
CMC 20150423
Comodo 20150427
Fortinet 20150426
Jiangmin 20150426
K7AntiVirus 20150427
K7GW 20150427
Kaspersky 20150427
Kingsoft 20150427
Malwarebytes 20150426
NANO-Antivirus 20150427
Norman 20150427
nProtect 20150424
Qihoo-360 20150427
Rising 20150426
SUPERAntiSpyware 20150427
Symantec 20150427
TheHacker 20150426
TotalDefense 20150426
VBA32 20150426
ViRobot 20150427
Zillya 20150426
Zoner 20150427
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May create OLE objects.
May execute code from Dynamically Linked Libraries.
Seems to contain deobfuscation code.
Summary
last_author: GN
creation_datetime: 2015-04-24 07:02:00
template: Normal.dot
author: 1
page_count: 1
last_saved: 2015-04-24 07:02:00
revision_number: 2
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
line_count: 1
version: 730895
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, type_literal: root, clsid: 00020906-0000-0000-c000-000000000046, clsid_literal: MS Word, sid: 0, size: 11264
name: \x01CompObj, type_literal: stream, sid: 19, size: 113
name: \x05DocumentSummaryInformation, type_literal: stream, sid: 4, size: 4096
name: \x05SummaryInformation, type_literal: stream, sid: 3, size: 4096
name: 1Table, type_literal: stream, sid: 1, size: 4124
name: Macros/PROJECT, type_literal: stream, sid: 18, size: 736
name: Macros/PROJECTwm, type_literal: stream, sid: 17, size: 182
name: Macros/VBA/AMOS, type_literal: stream, type: macro, sid: 14, size: 4340
name: Macros/VBA/CLAY, type_literal: stream, type: macro, sid: 9, size: 6016
name: Macros/VBA/CORNELIUS, type_literal: stream, type: macro, sid: 11, size: 4978
name: Macros/VBA/DEXTER, type_literal: stream, type: macro, sid: 13, size: 3220
name: Macros/VBA/LAMAR, type_literal: stream, type: macro, sid: 12, size: 5854
name: Macros/VBA/PERCY, type_literal: stream, type: macro, sid: 8, size: 3706
name: Macros/VBA/ROLANDO, type_literal: stream, type: macro, sid: 10, size: 6529
name: Macros/VBA/ThisDocument, type_literal: stream, type: macro, sid: 7, size: 2095
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, sid: 15, size: 8176
name: Macros/VBA/dir, type_literal: stream, sid: 16, size: 1063
name: WordDocument, type_literal: stream, sid: 2, size: 4151
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 84 bytes
[+] PERCY.bas Macros/VBA/PERCY 665 bytes
exe-pattern create-ole open-file run-dll
[+] CLAY.bas Macros/VBA/CLAY 1301 bytes
exe-pattern run-dll
[+] ROLANDO.bas Macros/VBA/ROLANDO 1738 bytes
handle-file open-file write-file
[+] CORNELIUS.bas Macros/VBA/CORNELIUS 887 bytes
exe-pattern obfuscated run-dll
[+] LAMAR.bas Macros/VBA/LAMAR 1442 bytes
exe-pattern run-dll
[+] DEXTER.bas Macros/VBA/DEXTER 620 bytes
create-ole
[+] AMOS.bas Macros/VBA/AMOS 746 bytes
exe-pattern run-dll
ExifTool file metadata
SharedDoc: No
Author: 1
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: GN
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 0
CreateDate: 2015:04:24 06:02:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2015:04:24 06:02:00
Characters: 0
CodePage: Windows Cyrillic
RevisionNumber: 2
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 1
AppVersion: 11.9999
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1

File identification
MD5 0ea69ef635257be03043a3f70f013475
SHA1 8cc15cafc183a736895507da2560a9c195c1b3d8
SHA256 25dadde8c247fe048cc331b40671e5e9f4b1c728161bbd86d030f2904d42dd5c
ssdeep 768:8ZTYGKO5vlt5hlSmL6m17m6TJ4CHj0E+Blkuq8o:23KONlamLI486u

File size 69.0 KB ( 70656 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dot, Last Saved By: GN, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Apr 23 06:02:00 2015, Last Saved Time/Date: Thu Apr 23 06:02:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file exe-pattern handle-file doc macros run-dll write-file create-ole

VirusTotal metadata
First submission 2015-04-24 07:21:18 UTC ( 3 years, 12 months ago )
Last submission 2015-04-27 20:45:32 UTC ( 3 years, 11 months ago )
File names 25DADDE8C247FE048CC331B40671E5E9F4B1C728161BBD86D030F2904D42DD5C.dat
6.doc
decoded.virus
pdf00