SHA256: 677baff8ea0ae51d26777227eb01b71ee49fce90fdc643e5a9e3d90783e35c55
File name: malware2.doc
Detection ratio: 5 / 54
Analysis date: 2015-11-23 13:16:03 UTC (3 years, 6 months ago)
Antivirus Result Update
Arcabit HEUR(high).VBA.Trojan 20151123
AVware LooksLike.Macro.Malware.g (v) 20151123
Sophos AV Troj/DocDl-ACU 20151123
Tencent Heur.MSWord.Downloader.d 20151123
VIPRE LooksLike.Macro.Malware.g (v) 20151123
Ad-Aware 20151123
AegisLab 20151123
Yandex 20151122
AhnLab-V3 20151122
Alibaba 20151123
ALYac 20151123
Antiy-AVL 20151123
Avast 20151123
AVG 20151123
Avira (no cloud) 20151123
Baidu-International 20151123
BitDefender 20151123
ByteHero 20151123
CAT-QuickHeal 20151123
ClamAV 20151123
CMC 20151118
Comodo 20151123
Cyren 20151123
DrWeb 20151123
Emsisoft 20151123
ESET-NOD32 20151123
F-Prot 20151123
F-Secure 20151123
Fortinet 20151123
GData 20151123
Ikarus 20151123
Jiangmin 20151122
K7AntiVirus 20151123
K7GW 20151123
Kaspersky 20151123
Malwarebytes 20151123
McAfee 20151123
McAfee-GW-Edition 20151123
Microsoft 20151123
eScan 20151123
NANO-Antivirus 20151123
nProtect 20151120
Panda 20151122
Qihoo-360 20151123
Rising 20151122
SUPERAntiSpyware 20151123
Symantec 20151122
TheHacker 20151121
TrendMicro 20151123
TrendMicro-HouseCall 20151123
VBA32 20151120
ViRobot 20151123
Zillya 20151123
Zoner 20151123
The file being studied follows the Compound Document File format. More specifically, it is an MS Word document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May read system environment variables.
May open a file.
May write to a file.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
May enumerate open windows.
Seems to contain deobfuscation code.
Seems to contain code to deceive researchers and automatic analysis systems.
Summary
last_author: 1
creation_datetime: 2015-11-23 13:44:00
template: Normal
author: 1
page_count: 1
last_saved: 2015-11-23 13:44:00
revision_number: 2
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
company: Home
version: 917504
code_page: Cyrillic
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 2880
name: \x01CompObj, type_literal: stream, size: 114, sid: 15
name: \x05DocumentSummaryInformation, type_literal: stream, size: 4096, sid: 4
name: \x05SummaryInformation, type_literal: stream, size: 4096, sid: 3
name: 1Table, type_literal: stream, size: 7576, sid: 1
name: Macros/PROJECT, type_literal: stream, size: 511, sid: 14
name: Macros/PROJECTwm, type_literal: stream, size: 113, sid: 13
name: Macros/VBA/Module1, type_literal: stream, type: macro, size: 10908, sid: 8
name: Macros/VBA/Module2, type_literal: stream, type: macro, size: 14251, sid: 9
name: Macros/VBA/Module3, type_literal: stream, type: macro, size: 18730, sid: 10
name: Macros/VBA/ThisDocument, type_literal: stream, type: macro, size: 1419, sid: 7
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, size: 6169, sid: 11
name: Macros/VBA/dir, type_literal: stream, size: 618, sid: 12
name: WordDocument, type_literal: stream, size: 4096, sid: 2
Macros and VBA code streams
ThisDocument.cls, Macros/VBA/ThisDocument, 132 bytes
Module1.bas, Macros/VBA/Module1, 5948 bytes
Tags: create-ole open-file write-file
Module2.bas, Macros/VBA/Module2, 7905 bytes
Tags: exe-pattern url-pattern create-file create-ole obfuscated open-file
Module3.bas, Macros/VBA/Module3, 10551 bytes
Tags: exe-pattern anti-analysis create-ole enum-windows environ obfuscated open-file run-file
ExifTool file metadata
SharedDoc: No
Author: 1
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: 1
HeadingPairs: , 1
Template: Normal
CharCountWithSpaces: 0
CreateDate: 2015:11:23 12:44:00
CompObjUserType: ???????? Microsoft Word 97-2003
ModifyDate: 2015:11:23 12:44:00
Company: Home
Characters: 0
CodePage: Windows Cyrillic
RevisionNumber: 2
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 0
AppVersion: 14.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 0

File identification
MD5 e6f1003e4572691493ab1845cb983417
SHA1 c5df60da306221a342be741543236cf62d65116e
SHA256 677baff8ea0ae51d26777227eb01b71ee49fce90fdc643e5a9e3d90783e35c55
ssdeep 1536:Lol4+tWkyUo/Ma8OjBDi4nKW3FiFxd11rj:eHtWkyUo/Ma8OjOW1iFp1
File size 76.5 KB ( 78336 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: 1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sun Nov 22 12:44:00 2015, Last Saved Time/Date: Sun Nov 22 12:44:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags obfuscated open-file enum-windows exe-pattern url-pattern create-file run-file macros environ doc write-file anti-analysis create-ole

VirusTotal metadata
First submission 2015-11-23 12:56:15 UTC ( 3 years, 6 months ago )
Last submission 2016-10-27 15:24:45 UTC ( 2 years, 6 months ago )
File names malware2.doc
988271023-PRCL.doc