SHA256: 37a2a137a91eab96ff0876892e5c498814ed53d118fc30f5534737993324cfd0
File name: invoice_09846839_copy.doc
Detection ratio: 1 / 55
Analysis date: 2015-12-16 14:58:04 UTC (3 years, 5 months ago)
Antivirus Result Update
Sophos AV Troj/DocDl-APR 20151216
Ad-Aware 20151216
AegisLab 20151216
Yandex 20151214
AhnLab-V3 20151216
Alibaba 20151208
ALYac 20151216
Antiy-AVL 20151216
Arcabit 20151216
Avast 20151216
AVG 20151216
Avira (no cloud) 20151216
AVware 20151216
Baidu-International 20151216
BitDefender 20151216
Bkav 20151215
ByteHero 20151216
CAT-QuickHeal 20151216
ClamAV 20151216
CMC 20151216
Comodo 20151216
Cyren 20151216
DrWeb 20151216
Emsisoft 20151216
ESET-NOD32 20151216
F-Prot 20151216
F-Secure 20151216
Fortinet 20151216
GData 20151216
Ikarus 20151216
Jiangmin 20151216
K7AntiVirus 20151216
K7GW 20151216
Kaspersky 20151216
Malwarebytes 20151216
McAfee 20151216
McAfee-GW-Edition 20151216
Microsoft 20151216
eScan 20151216
NANO-Antivirus 20151216
nProtect 20151216
Panda 20151215
Qihoo-360 20151216
Rising 20151216
SUPERAntiSpyware 20151216
Symantec 20151215
Tencent 20151216
TheHacker 20151215
TrendMicro 20151216
TrendMicro-HouseCall 20151216
VBA32 20151216
VIPRE 20151216
ViRobot 20151216
Zillya 20151216
Zoner 20151216
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: Hello
creation_datetime: 2014-09-03 20:55:00
author: Adamant
title: Chapter1
page_count: 1
last_saved: 2015-12-16 12:13:00
edit_time: 167880
word_count: 73
revision_number: 571
application_name: Microsoft Office Word
character_count: 418
code_page: Cyrillic
template: Normal.dotm
Document summary
byte_count: 80384
company: Nsoft
characters_with_spaces: 490
line_count: 3
version: 786432
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 4160
name: \x01CompObj, type_literal: stream, sid: 18, size: 121
name: \x05DocumentSummaryInformation, type_literal: stream, sid: 5, size: 4096
name: \x05SummaryInformation, type_literal: stream, sid: 4, size: 4096
name: 1Table, type_literal: stream, sid: 2, size: 11458
name: Data, type_literal: stream, sid: 1, size: 14530
name: Macros/PROJECT, type_literal: stream, sid: 17, size: 521
name: Macros/PROJECTwm, type_literal: stream, sid: 16, size: 41
name: Macros/VBA/Main, type: macro, type_literal: stream, sid: 8, size: 4163
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, sid: 12, size: 4485
name: Macros/VBA/__SRP_0, type_literal: stream, sid: 14, size: 1750
name: Macros/VBA/__SRP_1, type_literal: stream, sid: 15, size: 106
name: Macros/VBA/__SRP_2, type_literal: stream, sid: 9, size: 280
name: Macros/VBA/__SRP_3, type_literal: stream, sid: 10, size: 177
name: Macros/VBA/dir, type_literal: stream, sid: 13, size: 920
name: Macros/VBA/remover, type: macro, type_literal: stream, sid: 11, size: 5458
name: WordDocument, type_literal: stream, sid: 3, size: 5684
Macros and VBA code streams
[+] Main.cls Macros/VBA/Main 1355 bytes
exe-pattern create-ole obfuscated
[+] remover.bas Macros/VBA/remover 2476 bytes
exe-pattern url-pattern create-ole obfuscated open-file
ExifTool file metadata
SharedDoc
No

Author
Adamant

CodePage
Windows Cyrillic

System
Windows

LinksUpToDate
No

LastModifiedBy
Hello

HeadingPairs
, 1

Hyperlinks
http://office365.com/

Identification
Word 8.0

Template
Normal.dotm

CharCountWithSpaces
490

Word97
No

LanguageCode
Russian

CompObjUserType
???????? Microsoft Office Word 97-2003

ModifyDate
2015:12:16 11:13:00

TitleOfParts
Chapter1

Company
Nsoft

Title
Chapter1

Characters
418

ScaleCrop
No

HyperlinksChanged
No

RevisionNumber
571

MIMEType
application/msword

Words
73

Bytes
80384

CreateDate
2014:09:03 19:55:00

Lines
3

AppVersion
12.0

Security
None

Software
Microsoft Office Word

FileType
DOC

TotalEditTime
1.9 days

Pages
1

CompObjUserTypeLen
39

FileTypeExtension
doc

Paragraphs
1

LastPrinted
0000:00:00 00:00:00

DocFlags
Has picture, 1Table, ExtChar

File identification
MD5 8f4bd99c810d517fb2d2b89280759862
SHA1 735c32c60262938ed1d5b5c35707fef940a41133
SHA256 37a2a137a91eab96ff0876892e5c498814ed53d118fc30f5534737993324cfd0
ssdeep 768:WLEwvl1QhB9fOZGBVHKCB77qCT3GVdSbIp1u:qXQhbftBVqI6CYiI

File size 63.0 KB ( 64512 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: Chapter1, Author: Adamant, Template: Normal.dotm, Last Saved By: Hello, Revision Number: 571, Name of Creating Application: Microsoft Office Word, Total Editing Time: 1d+22:38:00, Create Time/Date: Tue Sep 02 19:55:00 2014, Last Saved Time/Date: Tue Dec 15 11:13:00 2015, Number of Pages: 1, Number of Words: 73, Number of Characters: 418, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file exe-pattern url-pattern macros attachment doc create-ole

VirusTotal metadata
First submission 2015-12-16 14:06:38 UTC ( 3 years, 5 months ago )
Last submission 2018-05-24 13:32:02 UTC ( 12 months ago )
File names invoice_57635288_copy.doc
invoice_86847633_copy.doc
invoice_29085926_copy.doc
invoice_52086516_copy.doc
invoice_19271391_copy.doc
invoice_13458098_copy.doc
8b4c3097ad7050a3100f592c4adcf56c
invoice_16562465_copy.doc
invoice_36751267_copy.doc
invoice_63498310_copy.doc
invoice_69218322_copy.doc
invoice_45945531_copy.doc
invoice_41906906_copy.doc
invoice_68518773_copy.doc
invoice_39459234_copy.doc
fd05264c6b69faa74f8c987caefdda7c
756da055e786bec3b2741b01bafd000b
invoice_86961398_copy.doc
invoice_24965095_copy.doc
invoice_53709032_copy.doc
invoice_82547532_copy.doc
invoice_43851446_copy.doc
invoice_29584984_copy.doc
invoice_70525455_copy.doc
invoice_88063243_copy.doc