SHA256: 33ba98b1426bb1e1c0975ec640f0f4a9262a38de4d0e00aadfc903a3e8411161
File name: 204-2374256-3787503-credit-note.doc
Detection ratio: 4 / 57
Analysis date: 2015-04-23 09:24:43 UTC
Antivirus Result Update
GData Macro.Trojan-Downloader.Agent.EB@gen 20150423
McAfee W97M/Downloader.agm 20150423
McAfee-GW-Edition W97M/Downloader.agm 20150422
Norman MacroDrp.D 20150423
Ad-Aware 20150423
AegisLab 20150423
Yandex 20150422
AhnLab-V3 20150423
Alibaba 20150423
ALYac 20150423
Antiy-AVL 20150423
Avast 20150423
AVG 20150423
Avira (no cloud) 20150423
AVware 20150423
Baidu-International 20150421
BitDefender 20150423
Bkav 20150422
ByteHero 20150423
CAT-QuickHeal 20150423
ClamAV 20150423
CMC 20150423
Comodo 20150423
Cyren 20150423
DrWeb 20150423
Emsisoft 20150423
ESET-NOD32 20150423
F-Prot 20150423
F-Secure 20150423
Fortinet 20150423
Ikarus 20150423
Jiangmin 20150422
K7AntiVirus 20150423
K7GW 20150423
Kaspersky 20150423
Kingsoft 20150423
Malwarebytes 20150423
Microsoft 20150423
eScan 20150423
NANO-Antivirus 20150422
nProtect 20150422
Panda 20150423
Qihoo-360 20150423
Rising 20150422
Sophos AV 20150423
SUPERAntiSpyware 20150423
Symantec 20150423
Tencent 20150423
TheHacker 20150422
TotalDefense 20150423
TrendMicro 20150423
TrendMicro-HouseCall 20150423
VBA32 20150423
VIPRE 20150423
ViRobot 20150423
Zillya 20150422
Zoner 20150422
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May create OLE objects.
May execute code from Dynamically Linked Libraries.
Seems to contain deobfuscation code.
Summary
last_author: GN
creation_datetime: 2015-04-23 07:46:00
template: Normal.dot
author: 1
page_count: 1
last_saved: 2015-04-23 07:46:00
revision_number: 2
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
line_count: 1
version: 730895
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, type_literal: root, clsid: 00020906-0000-0000-c000-000000000046, clsid_literal: MS Word, size: 19136, sid: 0
name: \x01CompObj, type_literal: stream, size: 113, sid: 19
name: \x05DocumentSummaryInformation, type_literal: stream, size: 4096, sid: 4
name: \x05SummaryInformation, type_literal: stream, size: 4096, sid: 3
name: 1Table, type_literal: stream, size: 4112, sid: 1
name: Macros/PROJECT, type_literal: stream, size: 739, sid: 18
name: Macros/PROJECTwm, type_literal: stream, size: 182, sid: 17
name: Macros/VBA/AMOS, type_literal: stream, type: macro, size: 4325, sid: 14
name: Macros/VBA/CLAY, type_literal: stream, type: macro, size: 3693, sid: 9
name: Macros/VBA/CORNELIUS, type_literal: stream, type: macro, size: 4682, sid: 11
name: Macros/VBA/DEXTER, type_literal: stream, type: macro, size: 3163, sid: 13
name: Macros/VBA/LAMAR, type_literal: stream, type: macro, size: 4062, sid: 12
name: Macros/VBA/PERCY, type_literal: stream, type: macro, size: 3990, sid: 8
name: Macros/VBA/ROLANDO, type_literal: stream, type: macro, size: 6533, sid: 10
name: Macros/VBA/ThisDocument, type_literal: stream, type: macro, size: 1904, sid: 7
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, size: 5781, sid: 15
name: Macros/VBA/dir, type_literal: stream, size: 1068, sid: 16
name: WordDocument, type_literal: stream, size: 4151, sid: 2
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 77 bytes
[+] PERCY.bas Macros/VBA/PERCY 1352 bytes
exe-pattern create-ole open-file run-dll
[+] CLAY.bas Macros/VBA/CLAY 788 bytes
[+] ROLANDO.bas Macros/VBA/ROLANDO 1789 bytes
handle-file open-file write-file
[+] CORNELIUS.bas Macros/VBA/CORNELIUS 904 bytes
obfuscated
[+] LAMAR.bas Macros/VBA/LAMAR 1193 bytes
exe-pattern run-dll
[+] DEXTER.bas Macros/VBA/DEXTER 604 bytes
create-ole
[+] AMOS.bas Macros/VBA/AMOS 845 bytes
ExifTool file metadata
SharedDoc: No
Author: 1
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: GN
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 0
CreateDate: 2015:04:23 06:46:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2015:04:23 06:46:00
HyperlinksChanged: No
Characters: 0
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 1
AppVersion: 11.9999
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1
Compressed bundles
File identification
MD5 ca5c5b79ce16d888ba2a6747b9d033d3
SHA1 2d0e012141a72408c9be4034a1718b841a79e042
SHA256 33ba98b1426bb1e1c0975ec640f0f4a9262a38de4d0e00aadfc903a3e8411161
ssdeep 768:zSTqTdIL4S+5BMsaX6jv+26zXpGb4CH56UzXL:ueTe4S7saXZ14x
File size 63.0 KB ( 64512 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dot, Last Saved By: GN, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 22 06:46:00 2015, Last Saved Time/Date: Wed Apr 22 06:46:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file exe-pattern handle-file doc macros run-dll attachment write-file create-ole

VirusTotal metadata
First submission 2015-04-23 07:20:04 UTC
Last submission 2017-04-17 23:31:38 UTC
File names 5e09f41ea697b6c2f3d6ab654020560a
1fe241b070973be3d49a9d9104a6a265
ca5c5b79ce16d888ba2a6747b9d033d3.exe
204-2374256-3787503-credit-note.doc
098fc47471ad77d3ea0a9294f777f276
33ba98b1426bb1e1c0975ec640f0f4a9262a38de4d0e00aadfc903a3e8411161.doc
040cb7b106ce77f5def2caaf4a7f2bf1
ca5c5b79ce16d888ba2a6747b9d033d3.doc
4f00d9673b4f1ce0095afbc46da692e2
a965a77ea5a41294f7170006d022eb5e
attachment(4).doc
2d0e012141a72408c9be4034a1718b841a79e042.doc
204-2374256-3787503-credit-note.doc
896407c286e01dae7013441390838428