SHA256: 57e7eb6c8a742767101ed847d9697fc17cdbea9dc129b99aefe67276ad346957
File name: Copy_6_of_Purchase_Order_0000035394.DOC
Detection ratio: 4 / 55
Analysis date: 2015-10-30 09:31:36 UTC ( 1 year, 9 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan 20151030
AVware LooksLike.Macro.Malware.gen!d3 (v) 20151030
F-Secure Trojan:W97M/MaliciousMacro.GEN 20151030
VIPRE LooksLike.Macro.Malware.gen!d3 (v) 20151030
Ad-Aware 20151030
AegisLab 20151030
Yandex 20151029
AhnLab-V3 20151029
Alibaba 20151030
ALYac 20151030
Antiy-AVL 20151030
Avast 20151030
AVG 20151030
Avira (no cloud) 20151030
Baidu-International 20151030
BitDefender 20151030
Bkav 20151029
ByteHero 20151030
CAT-QuickHeal 20151030
ClamAV 20151030
CMC 20151029
Comodo 20151030
Cyren 20151030
DrWeb 20151030
Emsisoft 20151030
ESET-NOD32 20151030
F-Prot 20151030
Fortinet 20151030
GData 20151030
Ikarus 20151030
Jiangmin 20151030
K7AntiVirus 20151030
K7GW 20151030
Kaspersky 20151030
Malwarebytes 20151030
McAfee 20151030
McAfee-GW-Edition 20151030
Microsoft 20151030
eScan 20151030
NANO-Antivirus 20151030
nProtect 20151029
Panda 20151029
Qihoo-360 20151030
Rising 20151029
Sophos AV 20151030
SUPERAntiSpyware 20151030
Symantec 20151029
Tencent 20151030
TheHacker 20151028
TrendMicro 20151030
TrendMicro-HouseCall 20151030
VBA32 20151030
ViRobot 20151030
Zillya 20151029
Zoner 20151030
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May read system environment variables.
May open a file.
May write to a file.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: 1
creation_datetime: 2015-10-30 09:39:00
template: Normal
author: 1
page_count: 1
last_saved: 2015-10-30 09:39:00
revision_number: 2
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
company: Home
version: 917504
code_page: Cyrillic
OLE Streams
name: Root Entry, type_literal: root, sid: 0, size: 3264, clsid: 00020906-0000-0000-c000-000000000046, clsid_literal: MS Word
name: \x01CompObj, type_literal: stream, sid: 15, size: 114
name: \x05DocumentSummaryInformation, type_literal: stream, sid: 4, size: 4096
name: \x05SummaryInformation, type_literal: stream, sid: 3, size: 4096
name: 1Table, type_literal: stream, sid: 1, size: 12430
name: Macros/PROJECT, type_literal: stream, sid: 14, size: 559
name: Macros/PROJECTwm, type_literal: stream, sid: 13, size: 113
name: Macros/VBA/Module1, type_literal: stream, type: macro, sid: 8, size: 13314
name: Macros/VBA/Module2, type_literal: stream, type: macro, sid: 9, size: 9357
name: Macros/VBA/Module3, type_literal: stream, type: macro, sid: 10, size: 18677
name: Macros/VBA/ThisDocument, type_literal: stream, type: macro, sid: 7, size: 1520
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, sid: 11, size: 12417
name: Macros/VBA/dir, type_literal: stream, sid: 12, size: 861
name: WordDocument, type_literal: stream, sid: 2, size: 4096
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 94 bytes
[+] Module1.bas Macros/VBA/Module1 7141 bytes
open-file
[+] Module2.bas Macros/VBA/Module2 3221 bytes
exe-pattern create-file create-ole environ open-file run-file write-file
[+] Module3.bas Macros/VBA/Module3 10387 bytes
exe-pattern create-ole obfuscated run-file
ExifTool file metadata
SharedDoc: No
Author: 1
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: 1
HeadingPairs: , 1
Template: Normal
CharCountWithSpaces: 0
CreateDate: 2015:10:30 08:39:00
CompObjUserType: ???????? Microsoft Word 97-2003
ModifyDate: 2015:10:30 08:39:00
Company: Home
HyperlinksChanged: No
Characters: 0
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 0
AppVersion: 14.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 0

File identification
MD5 d3b4f459d089e6afd52d5650c31aa25e
SHA1 692318fa750dee09c83ef29524ac91a9d877fa6f
SHA256 57e7eb6c8a742767101ed847d9697fc17cdbea9dc129b99aefe67276ad346957
ssdeep 1536:9iHV5BMjkk7ExjCWgZV3SBhNvoGIC5V4:o3+vExjC9Ooe

File size 86.0 KB ( 88064 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: 1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Oct 29 08:39:00 2015, Last Saved Time/Date: Thu Oct 29 08:39:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated run-file exe-pattern doc create-file open-file macros environ attachment via-tor write-file create-ole

VirusTotal metadata
First submission 2015-10-30 09:30:13 UTC ( 1 year, 9 months ago )
Last submission 2017-01-06 08:15:32 UTC ( 7 months, 2 weeks ago )
File names dbda5adc75c4ad0d1999c55b97d692c3
37f9068dbeae2d1b38dd21f267a9098a
Purchase Order 0000035394.DOC
mau virus so (16).bin
Purchase Order 0000035394b.DOC
Purchase_Order_0000035394.DOC
a7e816dc09aebb396e6dce7e8bac7a04
Purchase Order 0000035394.cod
a38c172e619c3a84df875437d79e7638
Purchase Order 0000035394.DOC
20151102103842_Purchase Order 0000035394.DOC
Purchase Order 0000035394.DOC
15ddad1ee01e18a64c11b0e8bb359134
4b5a25b6e3ca48f8f620bbd30b62dca7
Purchase Order 0000035394.doc
Purchase Order 0000035394.DOC
Copy_6_of_Purchase_Order_0000035394.DOC
57e7eb6c8a742767101ed847d9697fc17cdbea9dc129b99aefe67276ad346957.bin
c4868001b26466b6fb8e507e52fc985d
purchase order 0000035394.doc
Purchase Order 0000035394_1.DOC
d3b4f459d089e6afd52d5650c31aa25e_Purchase Order 0000035394 (2).DOC
d2e12cc7abcdea4b742adbc89b44bd7f