SHA256: 38de462234607711e55c4dca1f74bec77db5586330b1ccb09696e55257709212
File name: Protected32.doc
Detection ratio: 3 / 59
Analysis date: 2017-12-06 11:02:34 UTC ( 1 year, 3 months ago )
Antivirus Result Update
Baidu VBA.Trojan-Downloader.Agent.cfb 20171206
Qihoo-360 virus.office.qexvmc.1080 20171206
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20171206
Ad-Aware 20171206
AegisLab 20171206
AhnLab-V3 20171206
Alibaba 20171206
ALYac 20171205
Antiy-AVL 20171206
Arcabit 20171206
Avast 20171206
Avast-Mobile 20171205
AVG 20171206
Avira (no cloud) 20171206
AVware 20171206
BitDefender 20171206
Bkav 20171205
CAT-QuickHeal 20171205
CMC 20171206
Comodo 20171206
CrowdStrike Falcon (ML) 20171016
Cybereason 20171103
Cylance 20171206
Cyren 20171206
DrWeb 20171206
eGambit 20171206
Emsisoft 20171206
Endgame 20171130
ESET-NOD32 20171206
F-Prot 20171206
F-Secure 20171206
Fortinet 20171206
GData 20171206
Ikarus 20171206
Sophos ML 20170914
Jiangmin 20171206
K7AntiVirus 20171205
K7GW 20171206
Kaspersky 20171206
Kingsoft 20171206
Malwarebytes 20171206
MAX 20171206
McAfee 20171206
McAfee-GW-Edition 20171206
Microsoft 20171206
eScan 20171206
NANO-Antivirus 20171206
nProtect 20171206
Palo Alto Networks (Known Signatures) 20171206
Panda 20171205
Rising 20171206
SentinelOne (Static ML) 20171113
Sophos AV 20171206
SUPERAntiSpyware 20171206
Symantec 20171206
Symantec Mobile Insight 20171206
Tencent 20171206
TheHacker 20171205
TotalDefense 20171206
TrendMicro 20171206
TrendMicro-HouseCall 20171206
Trustlook 20171206
VBA32 20171205
VIPRE 20171206
ViRobot 20171206
Webroot 20171206
WhiteArmor 20171204
Yandex 20171205
Zillya 20171206
Zoner 20171206
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author
user
creation_datetime
2017-12-06 12:32:00
revision_number
14
author
Longer
page_count
1
last_saved
2017-12-06 11:30:00
edit_time
1140
word_count
45
template
Normal
application_name
Microsoft Office Word
character_count
262
code_page
Cyrillic
Document summary
line_count
2
company
Grizli777
characters_with_spaces
306
version
786432
paragraph_count
1
code_page
Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
36224
type_literal
stream
sid
58
name
\x01CompObj
size
121
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
2
name
1Table
size
6978
type_literal
stream
sid
1
name
Data
size
30378
type_literal
stream
sid
34
name
Macros/AVOROTOT/\x01CompObj
size
97
type_literal
stream
sid
35
name
Macros/AVOROTOT/\x03VBFrame
size
292
type_literal
stream
sid
32
name
Macros/AVOROTOT/f
size
371
type_literal
stream
sid
33
name
Macros/AVOROTOT/o
size
496
type_literal
stream
sid
54
name
Macros/NAYTEPAHAN/\x01CompObj
size
97
type_literal
stream
sid
55
name
Macros/NAYTEPAHAN/\x03VBFrame
size
292
type_literal
stream
sid
52
name
Macros/NAYTEPAHAN/f
size
283
type_literal
stream
sid
53
name
Macros/NAYTEPAHAN/o
size
292
type_literal
stream
sid
57
name
Macros/PROJECT
size
1434
type_literal
stream
sid
56
name
Macros/PROJECTwm
size
626
type_literal
stream
sid
16
type
macro
name
Macros/VBA/AVONIEDEF
size
1043
type_literal
stream
sid
9
type
macro
name
Macros/VBA/AVOROTOT
size
1495
type_literal
stream
sid
21
type
macro
name
Macros/VBA/Maniatisareo
size
871
type_literal
stream
sid
13
type
macro (only attributes)
name
Macros/VBA/NAYTEPAHAN
size
1173
type_literal
stream
sid
8
type
macro
name
Macros/VBA/ThisDocument
size
1161
type_literal
stream
sid
29
name
Macros/VBA/_VBA_PROJECT
size
7087
type_literal
stream
sid
14
type
macro
name
Macros/VBA/akomkin5
size
1786
type_literal
stream
sid
15
type
macro
name
Macros/VBA/appleruth
size
1731
type_literal
stream
sid
28
type
macro
name
Macros/VBA/athena25
size
916
type_literal
stream
sid
17
type
macro
name
Macros/VBA/ayakciremA
size
1110
type_literal
stream
sid
10
type
macro
name
Macros/VBA/ceusebro
size
1843
type_literal
stream
sid
30
name
Macros/VBA/dir
size
1704
type_literal
stream
sid
18
type
macro
name
Macros/VBA/dtptaz97
size
1081
type_literal
stream
sid
11
type
macro (only attributes)
name
Macros/VBA/eonersss
size
1173
type_literal
stream
sid
12
type
macro (only attributes)
name
Macros/VBA/gawgnmoo
size
1172
type_literal
stream
sid
19
type
macro
name
Macros/VBA/goitrude
size
869
type_literal
stream
sid
20
type
macro
name
Macros/VBA/ladyrhonda
size
1340
type_literal
stream
sid
22
type
macro
name
Macros/VBA/noekafmo
size
920
type_literal
stream
sid
23
type
macro
name
Macros/VBA/ofyct0
size
1008
type_literal
stream
sid
24
type
macro
name
Macros/VBA/realhot1
size
1889
type_literal
stream
sid
25
type
macro
name
Macros/VBA/relishrelish
size
977
type_literal
stream
sid
26
type
macro
name
Macros/VBA/scottroxy
size
1426
type_literal
stream
sid
27
type
macro
name
Macros/VBA/travesph
size
867
type_literal
stream
sid
39
name
Macros/ceusebro/\x01CompObj
size
97
type_literal
stream
sid
40
name
Macros/ceusebro/\x03VBFrame
size
291
type_literal
stream
sid
37
name
Macros/ceusebro/f
size
327
type_literal
stream
sid
38
name
Macros/ceusebro/o
size
444
type_literal
stream
sid
44
name
Macros/eonersss/\x01CompObj
size
97
type_literal
stream
sid
45
name
Macros/eonersss/\x03VBFrame
size
299
type_literal
stream
sid
42
name
Macros/eonersss/f
size
239
type_literal
stream
sid
43
name
Macros/eonersss/o
size
224
type_literal
stream
sid
49
name
Macros/gawgnmoo/\x01CompObj
size
97
type_literal
stream
sid
50
name
Macros/gawgnmoo/\x03VBFrame
size
290
type_literal
stream
sid
47
name
Macros/gawgnmoo/f
size
219
type_literal
stream
sid
48
name
Macros/gawgnmoo/o
size
260
type_literal
stream
sid
3
name
WordDocument
size
4096
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 56 bytes
[+] AVOROTOT.frm Macros/VBA/AVOROTOT 121 bytes
create-ole
[+] ceusebro.frm Macros/VBA/ceusebro 314 bytes
[+] akomkin5.bas Macros/VBA/akomkin5 586 bytes
[+] appleruth.bas Macros/VBA/appleruth 562 bytes
[+] AVONIEDEF.bas Macros/VBA/AVONIEDEF 128 bytes
[+] ayakciremA.bas Macros/VBA/ayakciremA 156 bytes
[+] dtptaz97.bas Macros/VBA/dtptaz97 158 bytes
[+] goitrude.bas Macros/VBA/goitrude 63 bytes
[+] ladyrhonda.bas Macros/VBA/ladyrhonda 211 bytes
obfuscated
[+] Maniatisareo.bas Macros/VBA/Maniatisareo 62 bytes
[+] noekafmo.bas Macros/VBA/noekafmo 82 bytes
[+] ofyct0.bas Macros/VBA/ofyct0 119 bytes
[+] realhot1.bas Macros/VBA/realhot1 795 bytes
[+] relishrelish.bas Macros/VBA/relishrelish 91 bytes
[+] scottroxy.bas Macros/VBA/scottroxy 363 bytes
[+] travesph.bas Macros/VBA/travesph 61 bytes
[+] athena25.bas Macros/VBA/athena25 81 bytes
ExifTool file metadata
SharedDoc
No

Author
Longer

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

LastModifiedBy
user

HeadingPairs
Title, 1, , 1

Identification
Word 8.0

Template
Normal

CharCountWithSpaces
306

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Office Word 97-2003 Document

ModifyDate
2017:12:06 10:30:00

TitleOfParts
,

Company
Grizli777

Characters
262

CodePage
Windows Cyrillic

RevisionNumber
14

MIMEType
application/msword

Words
45

CreateDate
2017:12:06 11:32:00

Lines
2

AppVersion
12.0

Security
None

Software
Microsoft Office Word

FileType
DOC

TotalEditTime
19.0 minutes

Pages
1

ScaleCrop
No

CompObjUserTypeLen
39

FileTypeExtension
doc

Paragraphs
1

DocFlags
Has picture, 1Table, ExtChar

Compressed bundles
File identification
MD5 8169b5a07763076c1b55f8d3a6ba2c13
SHA1 204dfa0b4be4cc390dc8355de9981999823bdc97
SHA256 38de462234607711e55c4dca1f74bec77db5586330b1ccb09696e55257709212
ssdeep
1536:hVExCwsNrlK7G9Npbi2Ha0kBtZUB21yAZk0Tqv2VUSfJ3M:hVExCw6HWZHqvAUShc

File size 103.0 KB ( 105475 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: Longer, Template: Normal, Last Saved By: user, Revision Number: 14, Name of Creating Application: Microsoft Office Word, Total Editing Time: 19:00, Create Time/Date: Tue Dec 05 11:32:00 2017, Last Saved Time/Date: Tue Dec 05 10:30:00 2017, Number of Pages: 1, Number of Words: 45, Number of Characters: 262, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated macros create-ole attachment doc

VirusTotal metadata
First submission 2017-12-06 11:02:34 UTC ( 1 year, 3 months ago )
Last submission 2018-05-08 05:30:21 UTC ( 10 months, 3 weeks ago )
File names Protected32.doc
__substg1.0_37010102
Protected32.doc