SHA256: 3302f051b3b4076805d57debf4eaf6a61e98d28fac347c7c64add0de8d78ac84
File name: fax_msg843-743-5856.doc
Detection ratio: 34 / 57
Analysis date: 2015-03-16 02:12:39 UTC (2 years, 8 months ago)
Antivirus Result Update
Ad-Aware W97M.Downloader.GP 20150316
AhnLab-V3 W97M/Downloader 20150315
ALYac W97M.Downloader.GP 20150316
Avast MO97:Downloader-LX [Trj] 20150316
AVG W97M/Generic 20150316
Avira (no cloud) WM/Rogue.15321.ai 20150315
AVware LooksLike.Macro.Malware.e (v) 20150316
BitDefender W97M.Downloader.GP 20150316
CAT-QuickHeal W97M.Dropper.CK 20150314
Comodo UnclassifiedMalware 20150316
Cyren W97M/Downloader.BR 20150316
DrWeb W97M.MulDrop.29 20150316
Emsisoft Trojan-Downloader.MSWord.Agent (A) 20150316
ESET-NOD32 VBA/TrojanDownloader.Agent.JL 20150316
F-Prot W97M/Downloader.BR 20150316
F-Secure W97M.Downloader.GP 20150315
Fortinet WM/Agent!tr 20150316
GData W97M.Downloader.GP 20150316
Ikarus Trojan-Downloader.VBA.Agent 20150316
Kaspersky Trojan-Downloader.MSWord.Agent.fd 20150316
McAfee Generic.vk 20150316
McAfee-GW-Edition Generic.vk 20150315
Microsoft TrojanDownloader:O97M/Bartallex.C 20150316
eScan W97M.Downloader.GP 20150316
NANO-Antivirus Trojan.Script.Agent.dpbfec 20150315
Norman DLoader.ATMLX 20150315
nProtect Trojan-Downloader/W32.MSWord.76288 20150313
Panda W97M/Downloader 20150311
Sophos AV Troj/DocDl-GF 20150316
Symantec W97M.Downloader 20150316
Tencent Word.Trojan-downloader.Agent.Gvr 20150316
TrendMicro W2KM_BARTALEX.EU 20150316
TrendMicro-HouseCall W2KM_BARTALEX.EU 20150316
VIPRE LooksLike.Macro.Malware.e (v) 20150316
AegisLab 20150316
Yandex 20150314
Alibaba 20150316
Antiy-AVL 20150315
Baidu-International 20150315
Bkav 20150314
ByteHero 20150316
ClamAV 20150315
CMC 20150313
Jiangmin 20150315
K7AntiVirus 20150315
K7GW 20150315
Kingsoft 20150316
Malwarebytes 20150316
Qihoo-360 20150316
Rising 20150315
SUPERAntiSpyware 20150315
TheHacker 20150316
TotalDefense 20150315
VBA32 20150315
ViRobot 20150315
Zillya 20150315
Zoner 20150313
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
Automatically runs commands or instructions when the file is opened.
May read system environment variables.
May open a file.
May write to a file.
May try to run other files, shell commands or applications.
May enumerate open windows.
Seems to contain deobfuscation code.
Summary
creation_datetime
2015-02-26 11:15:00
revision_number
1
page_count
1
word_count
41
last_saved
2015-03-02 13:55:00
template
Normal.dotm
application_name
Microsoft Office Word
character_count
236
code_page
Cyrillic
Document summary
line_count
1
characters_with_spaces
276
version
983040
paragraph_count
1
code_page
Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
3712
type_literal
stream
sid
14
name
\x01CompObj
size
114
type_literal
stream
sid
4
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
3
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
1
name
1Table
size
19220
type_literal
stream
sid
13
name
Macros/PROJECT
size
581
type_literal
stream
sid
12
name
Macros/PROJECTwm
size
89
type_literal
stream
sid
8
type
macro
name
Macros/VBA/Module1
size
1019
type_literal
stream
sid
9
type
macro
name
Macros/VBA/Module2
size
913
type_literal
stream
sid
7
type
macro
name
Macros/VBA/ThisDocument
size
29275
type_literal
stream
sid
10
name
Macros/VBA/_VBA_PROJECT
size
4726
type_literal
stream
sid
11
name
Macros/VBA/dir
size
824
type_literal
stream
sid
2
name
WordDocument
size
5172
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 17231 bytes
ipv4-pattern auto-open enum-windows obfuscated open-file write-file
[+] Module1.bas Macros/VBA/Module1 84 bytes
run-file
[+] Module2.bas Macros/VBA/Module2 68 bytes
environ
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

HeadingPairs
, 1

Template
Normal.dotm

CharCountWithSpaces
276

CreateDate
2015:02:26 10:15:00

Security
None

CompObjUserType
???????? Microsoft Word 97-2003

ModifyDate
2015:03:02 12:55:00

Characters
236

Pages
1

RevisionNumber
1

MIMEType
application/msword

Words
41

FileType
DOC

Lines
1

AppVersion
15.0

CodePage
Windows Cyrillic

Software
Microsoft Office Word

TotalEditTime
0

ScaleCrop
No

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
1

File identification
MD5 07bb7a3c3ec68a0734b67d2f9a47098e
SHA1 b2db6f4baf1db442debcbf7aefb9634a9f6b1ca3
SHA256 3302f051b3b4076805d57debf4eaf6a61e98d28fac347c7c64add0de8d78ac84
ssdeep
768:EwjL57U6ccWM3oXu0CS7OxgyNY1O6AL+ZE8TxgKdRAKzzhFhBj:lq6dMXu0CSD2+Z1xg2zhF

File size 74.5 KB ( 76288 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Feb 25 10:15:00 2015, Last Saved Time/Date: Sun Mar 01 12:55:00 2015, Number of Pages: 1, Number of Words: 41, Number of Characters: 236, Security: 0

TrID Microsoft Word document (35.9%)
Microsoft Excel sheet (33.7%)
Microsoft Word document (old ver.) (21.3%)
Generic OLE2 / Multistream Compound File (8.9%)
Tags
obfuscated open-file auto-open doc run-file macros enum-windows environ attachment write-file ipv4-pattern

VirusTotal metadata
First submission 2015-03-02 14:20:03 UTC ( 2 years, 8 months ago )
Last submission 2016-07-21 07:35:05 UTC ( 1 year, 4 months ago )
File names fax_msg858-735-4336.doc
fax_msg666-648-8585.doc
fax_msg364-688-5437.doc
fax_msg635-558-9859.doc
fax_msg963-958-5495.doc
fax_msg333-945-9345.doc
fax_msg475-568-7839.doc
test.doc
fax_msg353-643-7479.doc
fax_msg735-874-8684.doc
fax_msg468-645-9346.doc
fax_msg883-666-7668.doc
fax_msg864-659-6787 (1).doc
fax_msg843-743-5856.doc
fax_msg336-796-5466.doc
fax_msg498-893-4678.doc
fax_msg446-688-7333.doc
fax_msg988-996-8876.doc
fax_msg983-387-6376.doc
fax_msg359-357-8847.doc
fax_msg896-599-5459.doc
fax_msg683-667-9538.doc
fax_msg789-388-5839.doc
fax_msg433-463-4493.doc
fax_msg855-487-8946.doc