SHA256: 31cca419f91f5a281bdb2200377dc6f9908e6013917d149a46bf5eb47cf8228c
File name: 59d56ea70a7794deeb80db2da2aabe23
Detection ratio: 15 / 55
Analysis date: 2016-11-21 05:36:07 UTC ( 2 years, 2 months ago )
Antivirus Result Update
Ad-Aware Trojan.Doc.Downloader.WF 20161121
AegisLab Troj.Doc.Gen!c 20161121
Arcabit Trojan.Doc.Downloader.WF 20161121
AVware LooksLike.Macro.Malware.k (v) 20161121
BitDefender Trojan.Doc.Downloader.WF 20161121
Emsisoft Trojan.Doc.Downloader.WF (B) 20161121
F-Secure Trojan.Doc.Downloader.WF 20161121
Fortinet WM/Agent.CAA!tr 20161121
GData Trojan.Doc.Downloader.WF 20161121
Ikarus Win32.SuspectCrc 20161120
eScan Trojan.Doc.Downloader.WF 20161121
Symantec W97M.Downloader 20161121
TrendMicro W2KM_HANCITOR.QQGF 20161121
TrendMicro-HouseCall W2KM_HANCITOR.QQGF 20161121
VIPRE LooksLike.Macro.Malware.k (v) 20161121
AhnLab-V3 20161121
Alibaba 20161121
ALYac 20161121
Antiy-AVL 20161121
Avast 20161121
AVG 20161121
Avira (no cloud) 20161120
Baidu 20161121
Bkav 20161121
CAT-QuickHeal 20161121
ClamAV 20161121
CMC 20161120
Comodo 20161121
CrowdStrike Falcon (ML) 20161024
Cyren 20161121
DrWeb 20161121
ESET-NOD32 20161120
F-Prot 20161121
Sophos ML 20161018
Jiangmin 20161121
K7AntiVirus 20161120
K7GW 20161121
Kaspersky 20161120
Kingsoft 20161121
Malwarebytes 20161121
McAfee 20161121
McAfee-GW-Edition 20161121
Microsoft 20161121
NANO-Antivirus 20161120
nProtect 20161121
Panda 20161120
Qihoo-360 20161121
Rising 20161121
Sophos AV 20161121
SUPERAntiSpyware 20161121
Tencent 20161121
TheHacker 20161117
TotalDefense 20161120
VBA32 20161118
ViRobot 20161121
Yandex 20161121
Zillya 20161118
Zoner 20161121
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author: slave
creation_datetime: 2016-08-19 06:14:00
revision_number: 424
author: slave
page_count: 1
last_saved: 2016-11-20 02:32:00
edit_time: 16860
template: Normal.dotm
application_name: Microsoft Office Word
character_count: 1
code_page: Cyrillic
Document summary
line_count: 1
company: RePack by SPecialiST
characters_with_spaces: 1
version: 786432
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 7872
type_literal: stream, sid: 18, name: \x01CompObj, size: 121
type_literal: stream, sid: 5, name: \x05DocumentSummaryInformation, size: 4096
type_literal: stream, sid: 4, name: \x05SummaryInformation, size: 4096
type_literal: stream, sid: 2, name: 1Table, size: 8014
type_literal: stream, sid: 1, name: Data, size: 38552
type_literal: stream, sid: 17, name: Macros/PROJECT, size: 491
type_literal: stream, sid: 16, name: Macros/PROJECTwm, size: 65
type_literal: stream, sid: 11, type: macro, name: Macros/VBA/Module1, size: 5300
type_literal: stream, sid: 8, type: macro, name: Macros/VBA/ThisDocument, size: 1525
type_literal: stream, sid: 12, name: Macros/VBA/_VBA_PROJECT, size: 3143
type_literal: stream, sid: 14, name: Macros/VBA/__SRP_0, size: 1187
type_literal: stream, sid: 15, name: Macros/VBA/__SRP_1, size: 102
type_literal: stream, sid: 9, name: Macros/VBA/__SRP_2, size: 304
type_literal: stream, sid: 10, name: Macros/VBA/__SRP_3, size: 103
type_literal: stream, sid: 13, name: Macros/VBA/dir, size: 572
type_literal: stream, sid: 3, name: WordDocument, size: 4096
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 148 bytes
run-file
[+] Module1.bas Macros/VBA/Module1 2257 bytes
obfuscated
ExifTool file metadata
SharedDoc: No
Author: slave
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: slave
HeadingPairs: , 1
Identification: Word 8.0
Template: Normal.dotm
CharCountWithSpaces: 1
Word97: No
LanguageCode: Russian
CompObjUserType: ???????? Microsoft Office Word 97-2003
ModifyDate: 2016:11:20 10:32:00
Company: RePack by SPecialiST
Characters: 1
CodePage: Windows Cyrillic
RevisionNumber: 424
MIMEType: application/msword
Words: 0
CreateDate: 2016:08:19 13:14:00
Lines: 1
AppVersion: 12.0
Security: None
Software: Microsoft Office Word
FileType: DOC
TotalEditTime: 4.7 hours
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 39
FileTypeExtension: doc
Paragraphs: 1
LastPrinted: 0000:00:00 00:00:00
DocFlags: Has picture, 1Table, ExtChar

File identification
MD5 26c518de86826a07f12d2d6419df7a43
SHA1 ecb5f4c023fd70cf40706c353d87426b96f37b6e
SHA256 31cca419f91f5a281bdb2200377dc6f9908e6013917d149a46bf5eb47cf8228c
ssdeep 1536:kJc5C7U9KCP6pBQGsHHSXfSLHbxCxInF:kJc51syUQdHyXAbxCx

File size 76.0 KB ( 77824 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: slave, Template: Normal.dotm, Last Saved By: slave, Revision Number: 424, Name of Creating Application: Microsoft Office Word, Total Editing Time: 04:41:00, Create Time/Date: Thu Aug 18 14:14:00 2016, Last Saved Time/Date: Sat Nov 19 10:32:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags obfuscated macros run-file attachment doc

VirusTotal metadata
First submission 2016-11-20 16:04:05 UTC ( 2 years, 2 months ago )
Last submission 2016-12-02 03:14:49 UTC ( 2 years, 2 months ago )
File names ecb5f4c023fd70cf40706c353d87426b96f37b6e.doc
8c514423c04eec3596a140869fd9a691
e61233a1fcdf5f88e3913d56444d83d3c40fd0d4
a9602ac65332d3b0d023c0ccb18cbfe0
a80805feee58b053fce4a447ca62855e
FedEx.doc
1841c3b0240fce6620338c5c81452e15
59d56ea70a7794deeb80db2da2aabe23