SHA256: 3665b64b8d6e58c03be3d19afda66fd778ca3c9794eaecf06a9b882f60967102
File name: 4a36dca4c212e3bc9f811aa4a46698b8
Detection ratio: 4 / 55
Analysis date: 2015-11-23 09:06:02 UTC ( 1 year, 11 months ago )
Antivirus Result Update
Arcabit HEUR(high).VBA.Trojan 20151123
AVware LooksLike.Macro.Malware.gen!x1 (v) 20151123
Sophos AV Troj/DocDl-ACU 20151123
VIPRE LooksLike.Macro.Malware.gen!x1 (v) 20151123
Ad-Aware 20151123
AegisLab 20151123
Yandex 20151122
AhnLab-V3 20151122
Alibaba 20151123
ALYac 20151123
Antiy-AVL 20151123
Avast 20151123
AVG 20151123
Baidu-International 20151122
BitDefender 20151123
Bkav 20151121
ByteHero 20151123
CAT-QuickHeal 20151123
ClamAV 20151123
CMC 20151118
Comodo 20151123
Cyren 20151123
DrWeb 20151123
Emsisoft 20151123
ESET-NOD32 20151123
F-Prot 20151123
F-Secure 20151123
Fortinet 20151123
GData 20151123
Ikarus 20151123
Jiangmin 20151122
K7AntiVirus 20151123
K7GW 20151123
Kaspersky 20151123
Malwarebytes 20151123
McAfee 20151123
McAfee-GW-Edition 20151123
Microsoft 20151123
eScan 20151123
NANO-Antivirus 20151123
nProtect 20151120
Panda 20151122
Qihoo-360 20151123
Rising 20151122
SUPERAntiSpyware 20151123
Symantec 20151122
Tencent 20151123
TheHacker 20151121
TotalDefense 20151123
TrendMicro 20151123
TrendMicro-HouseCall 20151123
VBA32 20151120
ViRobot 20151123
Zillya 20151123
Zoner 20151123
The file being studied follows the Compound Document File format! More specifically, it is a MS Excel Spreadsheet file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May read system environment variables.
May open a file.
May write to a file.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
May enumerate open windows.
Seems to contain deobfuscation code.
Seems to contain code to deceive researchers and automatic analysis systems.
Summary
last_author: 1
creation_datetime: 2015-11-23 08:00:21
author: 1
last_saved: 2015-11-23 08:03:37
application_name: Microsoft Excel
code_page: Cyrillic
Document summary
version: 917504
company: Home
code_page: Cyrillic
OLE Streams
name: Root Entry, clsid: 00020820-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Excel, sid: 0, size: 12224
type_literal: stream, size: 102, name: \x01CompObj, sid: 25
type_literal: stream, size: 260, name: \x05DocumentSummaryInformation, sid: 24
type_literal: stream, size: 200, name: \x05SummaryInformation, sid: 23
type_literal: stream, size: 14042, name: Workbook, sid: 1
type_literal: stream, size: 650, name: _VBA_PROJECT_CUR/PROJECT, sid: 22
type_literal: stream, size: 155, name: _VBA_PROJECT_CUR/PROJECTwm, sid: 21
type_literal: stream, size: 12705, type: macro, name: _VBA_PROJECT_CUR/VBA/Module1, sid: 8
type_literal: stream, size: 11828, type: macro, name: _VBA_PROJECT_CUR/VBA/Module2, sid: 11
type_literal: stream, size: 19017, type: macro, name: _VBA_PROJECT_CUR/VBA/Module3, sid: 14
type_literal: stream, size: 6521, name: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, sid: 17
type_literal: stream, size: 2371, name: _VBA_PROJECT_CUR/VBA/__SRP_0, sid: 19
type_literal: stream, size: 532, name: _VBA_PROJECT_CUR/VBA/__SRP_1, sid: 20
type_literal: stream, size: 154, name: _VBA_PROJECT_CUR/VBA/__SRP_2, sid: 9
type_literal: stream, size: 457, name: _VBA_PROJECT_CUR/VBA/__SRP_3, sid: 10
type_literal: stream, size: 124, name: _VBA_PROJECT_CUR/VBA/__SRP_4, sid: 12
type_literal: stream, size: 411, name: _VBA_PROJECT_CUR/VBA/__SRP_5, sid: 13
type_literal: stream, size: 224, name: _VBA_PROJECT_CUR/VBA/__SRP_6, sid: 15
type_literal: stream, size: 789, name: _VBA_PROJECT_CUR/VBA/__SRP_7, sid: 16
type_literal: stream, size: 644, name: _VBA_PROJECT_CUR/VBA/dir, sid: 18
type_literal: stream, size: 984, type: macro (only attributes), name: _VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421, sid: 5
type_literal: stream, size: 984, type: macro (only attributes), name: _VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422, sid: 6
type_literal: stream, size: 984, type: macro (only attributes), name: _VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423, sid: 7
type_literal: stream, size: 1443, type: macro, name: _VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430, sid: 4
Macros and VBA code streams
[+] Module1.bas _VBA_PROJECT_CUR/VBA/Module1 7178 bytes
create-ole open-file write-file
[+] Module2.bas _VBA_PROJECT_CUR/VBA/Module2 6539 bytes
exe-pattern url-pattern create-file obfuscated
[+] Module3.bas _VBA_PROJECT_CUR/VBA/Module3 10553 bytes
exe-pattern anti-analysis create-ole enum-windows environ obfuscated open-file run-file
ExifTool file metadata
MIMEType: application/vnd.ms-excel
CompObjUserTypeLen: 26
CompObjUserType: ???? Microsoft Excel 2003
Company: Home
ModifyDate: 2015:11:23 07:03:37
TitleOfParts: 1, 2, 3
SharedDoc: No
Author: 1
FileType: XLS
AppVersion: 14.0
LinksUpToDate: No
ScaleCrop: No
LastModifiedBy: 1
HeadingPairs: , 3
FileTypeExtension: xls
HyperlinksChanged: No
CreateDate: 2015:11:23 07:00:21
Security: None
CodePage: Windows Cyrillic
Software: Microsoft Excel
File identification
MD5 c57bc09009a925a02fde6a6b58f988b3
SHA1 a7166654dc7f0e511f37ed685c06cc2797cf4cef
SHA256 3665b64b8d6e58c03be3d19afda66fd778ca3c9794eaecf06a9b882f60967102
ssdeep 1536:qU8iZyvcWDdaYhvQPOnxycxH0GDli4q7uDphYHceXVhca+fMHLtyeGxcl8/dgqxk:qU8iZyvcWDdaYhvAOnxycxH0GDli4q7c

File size 82.0 KB ( 83968 bytes )
File type MS Excel Spreadsheet
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: 1, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Nov 22 07:00:21 2015, Last Saved Time/Date: Sun Nov 22 07:03:37 2015, Security: 0

TrID Microsoft Excel sheet (78.9%)
Generic OLE2 / Multistream Compound File (21.0%)
Tags
obfuscated open-file enum-windows exe-pattern url-pattern create-file run-file macros environ attachment via-tor write-file xls anti-analysis create-ole

VirusTotal metadata
First submission 2015-11-23 09:06:02 UTC ( 1 year, 11 months ago )
Last submission 2017-06-22 02:36:47 UTC ( 3 months, 4 weeks ago )
File names Employee Documents(1928).xls
Employee Documents(1928).xls
Employee Documents(1928).xls
Employee Documents(1928)b.xls
Employee Documents
3665b64b8d6e58c03be3d19afda66fd778ca3c9794eaecf06a9b882f60967102.xls
Employee Documents(1928).xls
Employee_Documents(1928).xls
9880527902.xls
7b63d59352eb37ad8ccb2b70f2eecad1
virus_sample_011978.xls
EmployeeXDocumentsX1928X.xls
89423e07960a67f2bae07a404f45325f
0ac42f8641e73c73b227eafe11cc2d87
Employee Documents(1928).txt
EmployeeDocuments(1928).xls
4a36dca4c212e3bc9f811aa4a46698b8
5F546D1B.VBN.out
c57bc09009a925a02fde6a6b58f988b3.xls
20151123185910_Employee Documents(1928).xls
Employee Documents(1928).xls