SHA256: 3ff341262900d33574bab920f9d7f15a21db3f6c4a931e17dbaabd09d3c5fd71
File name: TELEPHONE PURCHASE ORDER FORM.doc
Detection ratio: 4 / 56
Analysis date: 2015-04-30 10:46:32 UTC ( 2 years, 3 months ago )
Antivirus Result Update
AVware LooksLike.Macro.Malware.gen!d5 (v) 20150430
NANO-Antivirus Trojan.Script.MLW.drbfnn 20150430
Panda W97M/Downloader 20150430
VIPRE LooksLike.Macro.Malware.gen!d5 (v) 20150430
Ad-Aware 20150430
AegisLab 20150430
Yandex 20150430
AhnLab-V3 20150429
Alibaba 20150430
ALYac 20150430
Antiy-AVL 20150430
Avast 20150430
AVG 20150430
Avira (no cloud) 20150430
Baidu-International 20150430
BitDefender 20150430
Bkav 20150425
ByteHero 20150430
CAT-QuickHeal 20150430
ClamAV 20150430
CMC 20150423
Comodo 20150430
Cyren 20150430
DrWeb 20150430
Emsisoft 20150430
ESET-NOD32 20150430
F-Prot 20150430
F-Secure 20150430
Fortinet 20150430
GData 20150430
Ikarus 20150430
Jiangmin 20150429
K7AntiVirus 20150430
K7GW 20150430
Kaspersky 20150430
Kingsoft 20150430
McAfee 20150430
McAfee-GW-Edition 20150430
Microsoft 20150430
eScan 20150430
Norman 20150430
nProtect 20150430
Qihoo-360 20150430
Rising 20150429
Sophos AV 20150430
SUPERAntiSpyware 20150430
Symantec 20150430
Tencent 20150430
TheHacker 20150429
TotalDefense 20150430
TrendMicro 20150430
TrendMicro-HouseCall 20150430
VBA32 20150429
ViRobot 20150430
Zillya 20150429
Zoner 20150430
The file being studied follows the Compound Document File format! More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May create OLE objects.
May execute code from Dynamically Linked Libraries.
Seems to contain deobfuscation code.
Summary
last_author: Alex
creation_datetime: 2015-04-29 07:05:00
template: Normal.dotm
author: 1
page_count: 1
last_saved: 2015-04-29 07:05:00
revision_number: 2
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
version: 983040
code_page: Cyrillic
OLE Streams
name: Root Entry; type_literal: root; sid: 0; size: 7680; clsid: 00020906-0000-0000-c000-000000000046; clsid_literal: MS Word
name: \x01CompObj; type_literal: stream; sid: 17; size: 114
name: \x05DocumentSummaryInformation; type_literal: stream; sid: 4; size: 4096
name: \x05SummaryInformation; type_literal: stream; sid: 3; size: 4096
name: 1Table; type_literal: stream; sid: 1; size: 9391
name: Macros/PROJECT; type_literal: stream; sid: 16; size: 655
name: Macros/PROJECTwm; type_literal: stream; sid: 15; size: 152
name: Macros/VBA/ELDRIDGE; type_literal: stream; type: macro; sid: 8; size: 5046
name: Macros/VBA/FELTON; type_literal: stream; type: macro; sid: 9; size: 5957
name: Macros/VBA/MICHALE; type_literal: stream; type: macro; sid: 10; size: 3482
name: Macros/VBA/TUAN; type_literal: stream; type: macro; sid: 11; size: 7451
name: Macros/VBA/ThisDocument; type_literal: stream; type: macro; sid: 7; size: 2085
name: Macros/VBA/ZACKARY; type_literal: stream; type: macro; sid: 12; size: 8741
name: Macros/VBA/_VBA_PROJECT; type_literal: stream; sid: 13; size: 7669
name: Macros/VBA/dir; type_literal: stream; sid: 14; size: 998
name: WordDocument; type_literal: stream; sid: 2; size: 4096
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 79 bytes
ELDRIDGE.bas Macros/VBA/ELDRIDGE 934 bytes (tags: obfuscated)
FELTON.bas Macros/VBA/FELTON 1587 bytes (tags: create-ole open-file)
MICHALE.bas Macros/VBA/MICHALE 478 bytes
TUAN.bas Macros/VBA/TUAN 2219 bytes (tags: create-ole handle-file open-file write-file)
ZACKARY.bas Macros/VBA/ZACKARY 2255 bytes (tags: exe-pattern run-dll)
ExifTool file metadata
SharedDoc: No
Author: 1
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: Alex
HeadingPairs: , 1
Template: Normal.dotm
CharCountWithSpaces: 0
CreateDate: 2015:04:29 06:05:00
CompObjUserType: ???????? Microsoft Word 97-2003
ModifyDate: 2015:04:29 06:05:00
HyperlinksChanged: No
Characters: 0
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 0
AppVersion: 15.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 0

File identification
MD5 7486a0b0e1c60d96b8a65d4fb4e7382a
SHA1 2b920bb20e726cf677e30df25a169ce74e00f75b
SHA256 3ff341262900d33574bab920f9d7f15a21db3f6c4a931e17dbaabd09d3c5fd71
ssdeep 384:bAXiSHuT7UeVkNf0q+STCM/liVqWh3GTQ347P+g6ESfW3fzH099yXC7uEFA51qkM:X7UtZVZ0gW9i4ESfy7M9v7A5UkwKcl

File size 69.0 KB ( 70656 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: 1, Template: Normal.dotm, Last Saved By: Alex, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Apr 28 06:05:00 2015, Last Saved Time/Date: Tue Apr 28 06:05:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated open-file exe-pattern handle-file doc macros run-dll attachment write-file create-ole

VirusTotal metadata
First submission 2015-04-30 07:35:09 UTC ( 2 years, 3 months ago )
Last submission 2015-05-05 01:45:24 UTC ( 2 years, 3 months ago )
File names d7b67facce322126faff8e57974519ab
f8d92a60a05745be1d239631a1922799
Procters Invoice.doc
64e83ca3365f35ad33ecad6d90679a35
TELEPHONE PURCHASE ORDER FORM.doc
telephone purchase order form.doc
TELEPHONE PURCHASE ORDER FORM(2).doc
3dd04dc167dadd9a072b7d35f0893b9d
2ac42c527bea817579fde9a6ac3c9771
3aaa24f6b7935f285f879a34e6f9a1bd
d2fefd7651550d842a327f65cd79abe5
322bbcacfa348189dab9500f75244fc3
TELEPHONE PURCHA.doc