SHA256: 5d077b1341a6472f02aac89488976d4395a91ae4f23657b0344da74f4a560c8d
File name: billing_doc_47544.doc
Detection ratio: 37 / 54
Analysis date: 2016-11-18 14:46:40 UTC ( 2 months ago )
Antivirus Result Update
ALYac Trojan.Downloader.W97M.Gen 20161118
AVG W97M/Dropper.Agent 20161118
Ad-Aware W97M.Downloader.EPK 20161118
AegisLab Troj.Downloader.Msword.Agent!c 20161118
AhnLab-V3 W2KM/Downloader 20161118
Antiy-AVL Trojan[Downloader]/MSWord.Agent.atm 20161118
Arcabit W97M.Downloader.EPK 20161118
Avast VBA:Downloader-DKS [Trj] 20161118
Avira (no cloud) W2000M/CowKeeper.EL 20161118
Baidu VBA.Trojan-Dropper.Agent.pm 20161118
BitDefender W97M.Downloader.EPK 20161118
CAT-QuickHeal W97M.Downloader.NT 20161118
ClamAV Doc.Dropper.Agent-1801463 20161118
Comodo TrojWare.Win32.TrojanDropper.Agent.~RR 20161118
Cyren W97M/Agent 20161118
ESET-NOD32 VBA/TrojanDropper.Agent.RR 20161118
Emsisoft W97M.Downloader.EPK (B) 20161118
F-Prot New or modified W97M/Agent 20161118
F-Secure Trojan:W97M/Nastjencro.A 20161118
Fortinet W97M/Hancitor.A!tr 20161118
GData W97M.Downloader.EPK 20161118
Ikarus Trojan-Downloader.VBA.Agent 20161118
Kaspersky Trojan-Downloader.MSWord.Agent.atm 20161118
McAfee W97M/Dropper.cs 20161118
McAfee-GW-Edition W97M/Dropper.cs 20161117
eScan W97M.Downloader.EPK 20161118
Microsoft TrojanDownloader:O97M/Donoff 20161118
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20161118
Panda W97M/Downloader 20161117
Qihoo-360 virus.office.gen.70 20161118
Rising Downloader.Agent!8.B23 (topis) 20161118
Sophos Troj/DocDl-FGQ 20161118
Symantec Trojan.Mdropper 20161118
Tencent Win32.Trojan.Inject.Auto 20161118
TrendMicro W2KM_HANCITOR.YYSWX 20161118
TrendMicro-HouseCall W2KM_HANCITOR.YYSWX 20161118
ViRobot W97M.S.Downloader.146432.D[h] 20161118
AVware 20161118
Alibaba 20161118
Bkav 20161117
CMC 20161118
CrowdStrike Falcon (ML) 20161024
DrWeb 20161118
Invincea 20161018
Jiangmin 20161118
K7AntiVirus 20161118
K7GW 20161118
Kingsoft 20161118
Malwarebytes 20161118
SUPERAntiSpyware 20161118
TheHacker 20161117
VBA32 20161118
VIPRE 20161118
Yandex 20161117
Zillya 20161117
Zoner 20161118
nProtect 20161118
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May execute code from Dynamically Linked Libraries.
Seems to contain deobfuscation code.
Summary
last_author: Windows
creation_datetime: 2016-10-26 13:25:00
author: Christian
title:
page_count: 1
last_saved: 2016-10-26 13:25:00
revision_number: 1
application_name: Microsoft Office Word
character_count: 2
code_page: Cyrillic
template: Normal.dot
Document summary
byte_count: 11000
company:
characters_with_spaces: 2
line_count: 1
version: 726502
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry; type_literal: root; sid: 0; size: 3776; clsid: 00020906-0000-0000-c000-000000000046; clsid_literal: MS Word
name: \x01CompObj; type_literal: stream; sid: 24; size: 113
name: \x05DocumentSummaryInformation; type_literal: stream; sid: 5; size: 4096
name: \x05SummaryInformation; type_literal: stream; sid: 4; size: 4096
name: 1Table; type_literal: stream; sid: 2; size: 4096
name: Data; type_literal: stream; sid: 1; size: 23902
name: Macros/PROJECT; type_literal: stream; sid: 23; size: 525
name: Macros/PROJECTwm; type_literal: stream; sid: 22; size: 95
name: Macros/VBA/ThisDocument; type_literal: stream; sid: 8; type: macro; size: 10027
name: Macros/VBA/_VBA_PROJECT; type_literal: stream; sid: 11; size: 7279
name: Macros/VBA/cowkeeper; type_literal: stream; sid: 9; type: macro; size: 15955
name: Macros/VBA/dir; type_literal: stream; sid: 12; size: 841
name: Macros/VBA/discord; type_literal: stream; sid: 10; type: macro (only attributes); size: 1158
name: Macros/discord/\x01CompObj; type_literal: stream; sid: 20; size: 97
name: Macros/discord/\x03VBFrame; type_literal: stream; sid: 21; size: 291
name: Macros/discord/f; type_literal: stream; sid: 14; size: 98
name: Macros/discord/i01/\x01CompObj; type_literal: stream; sid: 19; size: 112
name: Macros/discord/i01/f; type_literal: stream; sid: 17; size: 7476
name: Macros/discord/i01/o; type_literal: stream; sid: 18; size: 68
name: Macros/discord/o; type_literal: stream; sid: 15; size: 0
name: WordDocument; type_literal: stream; sid: 3; size: 57094
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 4277 bytes
exe-pattern obfuscated
[+] cowkeeper.bas Macros/VBA/cowkeeper 7696 bytes
exe-pattern run-dll
ExifTool file metadata
SharedDoc: No
Author: Christian
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: Windows
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 2
CreateDate: 2016:10:26 12:25:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2016:10:26 12:25:00
HyperlinksChanged: No
Characters: 2
ScaleCrop: No
RevisionNumber: 1
MIMEType: application/msword
Words: 0
Bytes: 11000
FileType: DOC
Lines: 1
AppVersion: 11.5606
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1

Overlay parents
Compressed bundles
File identification
MD5 b107f3235057bb2b06283030be8f26e4
SHA1 b12d2984830eee5ef668032cc13691706efce4a5
SHA256 5d077b1341a6472f02aac89488976d4395a91ae4f23657b0344da74f4a560c8d
ssdeep
3072:cazJJgkkkkkkkkkXKOvO1Xe+ajS9GNZyFIo9IFBjfDS:V7gkkkkkkkkkXy1O+aj62ySo96jfDS

File size 143.0 KB ( 146432 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: , Author: Christian, Template: Normal.dot, Last Saved By: Windows, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 25 12:25:00 2016, Last Saved Time/Date: Tue Oct 25 12:25:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0

TrID Microsoft Word document (45.7%)
Microsoft Excel sheet (42.8%)
Generic OLE2 / Multistream Compound File (11.4%)
Tags
obfuscated exe-pattern doc macros run-dll attachment

VirusTotal metadata
First submission 2016-10-26 14:32:49 UTC ( 2 months, 3 weeks ago )
Last submission 2016-11-14 19:33:52 UTC ( 2 months ago )
File names billing_doc_529100.doc
billing_doc_346183.doc
billing_doc_51802.doc
billing_doc_83284.doc
billing_doc_18584.doc
billing_doc_54258.doc
billing_doc_25541.doc
billing_doc_22547.doc
billing_doc_63525.doc
billing_doc_919293.doc
billing_doc_47460.doc
billing_doc_21221.doc
billing_doc_16348.doc
billing_doc_78172.doc
billing_doc_67344.doc
billing_doc_72846.doc
billing_doc_54526.doc
1553ea0487cee7213320379cc8e6699e
billing_doc_43180.doc
billing_doc_86361.doc
billing_doc_32878.doc
billing_doc_56868.doc
2016_10_26_19_58_22.000105
billing_doc_75533.doc
billing_doc_10420.doc