SHA256: 627e3a939d0a99cdb47cc2491e79bb34f067340505a745c1a3d33241005efbbd
File name: Customer statement.doc
Detection ratio: 41 / 55
Analysis date: 2016-12-20 13:59:03 UTC ( 3 months ago )
Antivirus Result Update
Ad-Aware Trojan.Doc.Downloader.IW 20161220
AegisLab Troj.Downloader.Vbs.Agent!c 20161220
AhnLab-V3 W97M/Downloader 20161220
ALYac Trojan.Downloader.W97M.Gen 20161220
Antiy-AVL Trojan[Downloader]/VBS.Agent.bcm 20161220
Arcabit HEUR.VBA.Trojan.d 20161220
Avast VBA:Downloader-AIK [Trj] 20161220
AVG W97M/Generic 20161220
Avira (no cloud) WM/Agent.abn.2 20161220
AVware LooksLike.Macro.Malware.n (v) 20161220
Baidu VBA.Trojan-Downloader.Agent.vr 20161207
BitDefender Trojan.Doc.Downloader.IW 20161220
CAT-QuickHeal W97M.Dropper.SO 20161220
ClamAV Doc.Dropper.Agent-1626459 20161220
Comodo TrojWare.W97M.Agent.~AA 20161220
Cyren W97M/Downloader.DX 20161220
DrWeb W97M.DownLoader.827 20161220
Emsisoft Trojan.Doc.Downloader.IW (B) 20161220
ESET-NOD32 VBA/TrojanDownloader.Agent.API 20161220
F-Prot W97M/Downloader.DX 20161220
F-Secure Trojan:W97M/MaliciousMacro.GEN 20161220
Fortinet WM/TrojanDownloader.210C!tr 20161220
GData Trojan.Doc.Downloader.IW 20161220
Ikarus Trojan-Downloader.VBA.Agent 20161220
Kaspersky Trojan-Downloader.VBS.Agent.bcm 20161220
McAfee W97M/Downloader.avi 20161220
McAfee-GW-Edition W97M/Downloader.h 20161220
Microsoft TrojanDownloader:O97M/Donoff 20161220
eScan Trojan.Doc.Downloader.IW 20161220
NANO-Antivirus Trojan.Script.Donoff.dzvvsf 20161220
nProtect Trojan-Downloader/W97M.Bronco 20161220
Qihoo-360 virus.office.obfuscated.1 20161220
Rising Macro.Agent.dd (classic) 20161220
Sophos Troj/DocDl-AYI 20161220
Symantec W97M.Downloader 20161220
Tencent Win32.Trojan-downloader.Agent.Tdfo 20161220
TrendMicro W2KM_DRIDEX.SMX3 20161220
TrendMicro-HouseCall W2KM_DRIDEX.SMX3 20161220
VIPRE LooksLike.Macro.Malware.n (v) 20161220
ViRobot W97M.S.Downloader.49152.F[h] 20161220
Yandex Exploit.Agent.Gen.AGZ 20161220
Alibaba 20161220
Bkav 20161220
CMC 20161220
CrowdStrike Falcon (ML) 20161024
Invincea 20161216
Jiangmin 20161220
K7AntiVirus 20161220
K7GW 20161220
Kingsoft 20161220
Malwarebytes 20161220
Panda 20161219
SUPERAntiSpyware 20161220
TheHacker 20161219
TotalDefense 20161220
Trustlook 20161220
VBA32 20161220
WhiteArmor 20161212
Zillya 20161220
Zoner 20161220
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May open a file.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: User
creation_datetime: 2014-09-03 18:55:00
author: Adder
title: Title
page_count: 1
last_saved: 2016-01-21 10:41:00
edit_time: 175380
word_count: 67
revision_number: 762
application_name: Microsoft Office Word
character_count: 387
code_page: Cyrillic
template: Normal.dot
Document summary
byte_count: 60416
company: Nsoft
characters_with_spaces: 453
line_count: 3
version: 726502
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry; clsid: 00020906-0000-0000-c000-000000000046; type_literal: root; clsid_literal: MS Word; sid: 0; size: 3968
type_literal: stream; sid: 20; name: \x01CompObj; size: 113
type_literal: stream; sid: 4; name: \x05DocumentSummaryInformation; size: 4096
type_literal: stream; sid: 3; name: \x05SummaryInformation; size: 4096
type_literal: stream; sid: 1; name: 1Table; size: 7104
type_literal: stream; sid: 19; name: Macros/PROJECT; size: 548
type_literal: stream; sid: 18; name: Macros/PROJECTwm; size: 74
type_literal: stream; sid: 16; name: Macros/Tower/\x01CompObj; size: 97
type_literal: stream; sid: 17; name: Macros/Tower/\x03VBFrame; size: 282
type_literal: stream; sid: 14; name: Macros/Tower/f; size: 199
type_literal: stream; sid: 15; name: Macros/Tower/o; size: 160
type_literal: stream; sid: 7; type: macro; name: Macros/VBA/Main; size: 4245
type_literal: stream; sid: 10; type: macro (only attributes); name: Macros/VBA/Tower; size: 1153
type_literal: stream; sid: 11; name: Macros/VBA/_VBA_PROJECT; size: 4982
type_literal: stream; sid: 8; type: macro; name: Macros/VBA/bronco; size: 4251
type_literal: stream; sid: 12; name: Macros/VBA/dir; size: 987
type_literal: stream; sid: 9; type: macro; name: Macros/VBA/venus; size: 4201
type_literal: stream; sid: 2; name: WordDocument; size: 5684
Macros and VBA code streams
[+] Main.cls Macros/VBA/Main 1386 bytes
exe-pattern create-ole obfuscated run-file
[+] bronco.bas Macros/VBA/bronco 1824 bytes
create-ole obfuscated open-file
[+] venus.bas Macros/VBA/venus 1667 bytes
create-ole obfuscated open-file
ExifTool file metadata
SharedDoc: No
Author: Adder
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: User
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 453
CreateDate: 2014:09:03 17:55:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2016:01:21 09:41:00
TitleOfParts: Title
Company: Nsoft
Title: Title
HyperlinksChanged: No
Characters: 387
ScaleCrop: No
RevisionNumber: 762
MIMEType: application/msword
Words: 67
Bytes: 60416
FileType: DOC
Lines: 3
AppVersion: 11.5606
Security: None
Software: Microsoft Office Word
TotalEditTime: 2.0 days
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1
File identification
MD5 cbf42ddf814ea4b8b1b9a231bee7210c
SHA1 8b4465afbc659d960519c6fe5bf13ff74d92e15a
SHA256 627e3a939d0a99cdb47cc2491e79bb34f067340505a745c1a3d33241005efbbd
ssdeep
768:apVbuS0p9d+Ot60Qg8/MxgogUdcEQdpi3ES:apVaS0pv96E8/MiogScEQdoE

File size 48.0 KB ( 49152 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Title: Title, Author: Adder, Template: Normal.dot, Last Saved By: User, Revision Number: 762, Name of Creating Application: Microsoft Office Word, Total Editing Time: 2d+00:43:00, Create Time/Date: Tue Sep 02 17:55:00 2014, Last Saved Time/Date: Wed Jan 20 09:41:00 2016, Number of Pages: 1, Number of Words: 67, Number of Characters: 387, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated run-file exe-pattern doc open-file macros attachment create-ole

VirusTotal metadata
First submission 2016-01-21 10:20:02 UTC ( 1 year, 2 months ago )
Last submission 2016-08-23 16:15:38 UTC ( 7 months ago )
File names Invoice_31610_Jul_2013.doc
Invoice_316103_Jul_2013.doc.malware
Invoice_316103_Jul_2013.doc
8b4465afbc659d960519c6fe5bf13ff74d92e15a.doc
Customer statement - AMH.doc
Customer statement.doc
Customer statement.doc-2016-01-21.20-20-01.txt
Invoice_316103_Jul_2013.doc
invoice_316103_Jul_2013.doc
__substg1.0_37010102
Customer statement.doc
Invoice_316103_Jul_2013.doc
cbf42ddf814ea4b8b1b9a231bee7210c.doc
Invoice_316103_Jul_2013.doc
06dfa17e9302273c921c231a6502fc09
CustomerXstatement.doc
Customer statement (3).doc