SHA256: 67f9ffa67510de96027dcc3b87a304700038460c125ba0bb005abbdb7a5ac07a
File name: pmB3A6-02.doc
Detection ratio: 4 / 53
Analysis date: 2015-11-20 12:53:38 UTC ( 3 years, 6 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.B 20151120
AVware LooksLike.Macro.Malware.g (v) 20151120
CAT-QuickHeal W97M.Dropper.KV 20151119
VIPRE LooksLike.Macro.Malware.g (v) 20151120
AegisLab 20151120
Yandex 20151118
AhnLab-V3 20151119
Alibaba 20151120
ALYac 20151120
Antiy-AVL 20151120
Avast 20151120
AVG 20151120
Avira (no cloud) 20151120
Baidu-International 20151120
BitDefender 20151120
ByteHero 20151120
ClamAV 20151120
CMC 20151118
Comodo 20151120
Cyren 20151120
DrWeb 20151120
Emsisoft 20151120
ESET-NOD32 20151120
F-Prot 20151120
F-Secure 20151120
Fortinet 20151120
GData 20151120
Ikarus 20151120
Jiangmin 20151119
K7AntiVirus 20151120
K7GW 20151120
Kaspersky 20151120
Malwarebytes 20151120
McAfee 20151120
McAfee-GW-Edition 20151120
Microsoft 20151120
eScan 20151120
NANO-Antivirus 20151120
nProtect 20151120
Panda 20151119
Qihoo-360 20151120
Rising 20151117
Sophos AV 20151120
SUPERAntiSpyware 20151120
Symantec 20151119
Tencent 20151120
TheHacker 20151119
TrendMicro 20151120
TrendMicro-HouseCall 20151120
VBA32 20151119
ViRobot 20151120
Zillya 20151119
Zoner 20151120
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May open a file.
May write to a file.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
May execute code from Dynamically Linked Libraries.
Seems to contain deobfuscation code.
Summary
last_author: 1
creation_datetime: 2015-11-20 09:43:00
template: Normal
author: 1
page_count: 1
last_saved: 2015-11-20 09:43:00
revision_number: 2
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
company: Home
version: 917504
code_page: Cyrillic
OLE Streams
name: Root Entry; clsid: 00020906-0000-0000-c000-000000000046; type_literal: root; clsid_literal: MS Word; sid: 0; size: 3328
type_literal: stream; size: 114; name: \x01CompObj; sid: 15
type_literal: stream; size: 4096; name: \x05DocumentSummaryInformation; sid: 4
type_literal: stream; size: 4096; name: \x05SummaryInformation; sid: 3
type_literal: stream; size: 6986; name: 1Table; sid: 1
type_literal: stream; size: 511; name: Macros/PROJECT; sid: 14
type_literal: stream; size: 113; name: Macros/PROJECTwm; sid: 13
type_literal: stream; size: 38826; type: macro; name: Macros/VBA/Module1; sid: 8
type_literal: stream; size: 17057; type: macro; name: Macros/VBA/Module2; sid: 9
type_literal: stream; size: 11867; type: macro; name: Macros/VBA/Module3; sid: 10
type_literal: stream; size: 1858; type: macro; name: Macros/VBA/ThisDocument; sid: 7
type_literal: stream; size: 10555; name: Macros/VBA/_VBA_PROJECT; sid: 11
type_literal: stream; size: 617; name: Macros/VBA/dir; sid: 12
type_literal: stream; size: 4096; name: WordDocument; sid: 2
Macros and VBA code streams
ThisDocument.cls, Macros/VBA/ThisDocument, 119 bytes
Module1.bas, Macros/VBA/Module1, 19485 bytes: create-ole open-file run-file
Module2.bas, Macros/VBA/Module2, 8828 bytes: create-ole obfuscated open-file write-file
Module3.bas, Macros/VBA/Module3, 5891 bytes: exe-pattern create-file create-ole open-file run-dll run-file write-file
ExifTool file metadata
SharedDoc: No
Author: 1
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: 1
HeadingPairs: , 1
Template: Normal
CharCountWithSpaces: 0
CreateDate: 2015:11:20 08:43:00
CompObjUserType: ???????? Microsoft Word 97-2003
ModifyDate: 2015:11:20 08:43:00
Company: Home
Characters: 0
CodePage: Windows Cyrillic
RevisionNumber: 2
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 0
AppVersion: 14.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 0
File identification
MD5 e23b22e8bf2c97dbadd4eaa1e4e6fa21
SHA1 ef257b7e7e6414359f2776f505f19904691f5de5
SHA256 67f9ffa67510de96027dcc3b87a304700038460c125ba0bb005abbdb7a5ac07a
ssdeep 768:SxJgoyoBEMAg5eoZR97RkMll/GI5NeTWcDPRqRIMaijCyNKX/jxxLGXKpF:Xo/ZP7RxFnCPR1ipK7xxLDn

File size 104.0 KB ( 106496 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: 1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 19 08:43:00 2015, Last Saved Time/Date: Thu Nov 19 08:43:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated open-file exe-pattern doc create-file run-file macros run-dll attachment write-file create-ole

VirusTotal metadata
First submission 2015-11-20 10:31:08 UTC ( 3 years, 6 months ago )
Last submission 2017-01-10 04:07:15 UTC ( 2 years, 4 months ago )
File names ade518aacb08671c44558de15e2ee3cb
pmB3A6.doc
21f195a84476c6b4a9ee02ab14071519
pmB3A6-02.doc
malware.doc
2b0f4fb9e4784136e75d7b91b4e0bf7a
pmB3A6.doc$
pmB3A6.doc
pmB3A6.doc
e23b22e8bf2c97dbadd4eaa1e4e6fa21.doc
20151124093728_pmB3A6.doc
EF257B7E7E6414359F2776F505F19904691F5DE5.NQF.bin