SHA256: 6b1fc004ea10583c73fde292f02b7e764c5be5012a950e6c9bd135ca98eb6ecc
File name: CIH Delivery Note 0051037484.doc
Detection ratio: 0 / 57
Analysis date: 2015-04-01 08:57:10 UTC ( 2 years, 1 month ago )
Antivirus Result Update
Ad-Aware 20150401
AegisLab 20150401
Yandex 20150331
AhnLab-V3 20150331
Alibaba 20150401
ALYac 20150401
Antiy-AVL 20150401
Avast 20150401
AVG 20150401
Avira (no cloud) 20150401
AVware 20150401
Baidu-International 20150331
BitDefender 20150401
Bkav 20150331
ByteHero 20150401
CAT-QuickHeal 20150401
ClamAV 20150401
CMC 20150401
Comodo 20150401
Cyren 20150401
DrWeb 20150401
Emsisoft 20150401
ESET-NOD32 20150401
F-Prot 20150401
F-Secure 20150401
Fortinet 20150401
GData 20150401
Ikarus 20150401
Jiangmin 20150331
K7AntiVirus 20150401
K7GW 20150401
Kaspersky 20150401
Kingsoft 20150401
Malwarebytes 20150401
McAfee 20150401
McAfee-GW-Edition 20150331
Microsoft 20150401
eScan 20150401
NANO-Antivirus 20150401
Norman 20150401
nProtect 20150401
Panda 20150331
Qihoo-360 20150401
Rising 20150331
Sophos 20150331
SUPERAntiSpyware 20150401
Symantec 20150401
Tencent 20150401
TheHacker 20150330
TotalDefense 20150331
TrendMicro 20150401
TrendMicro-HouseCall 20150401
VBA32 20150331
VIPRE 20150401
ViRobot 20150401
Zillya 20150401
Zoner 20150330
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May create OLE objects.
May execute code from Dynamically Linked Libraries.
Seems to contain deobfuscation code.
Summary
last_author
\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd Windows
creation_datetime
2015-01-19 17:07:00
template
Normal
author
1
page_count
1
last_saved
2015-04-01 07:27:00
edit_time
22440
revision_number
733
application_name
Microsoft Office Word
code_page
Cyrillic
Document summary
version
917504
code_page
Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
23040
type_literal
stream
size
114
name
\x01CompObj
sid
52
type_literal
stream
size
4096
name
\x05DocumentSummaryInformation
sid
4
type_literal
stream
size
4096
name
\x05SummaryInformation
sid
3
type_literal
stream
size
8446
name
1Table
sid
1
type_literal
stream
size
948
name
Macros/PROJECT
sid
51
type_literal
stream
size
236
name
Macros/PROJECTwm
sid
50
type_literal
stream
size
97
name
Macros/UserForm1/\x01CompObj
sid
38
type_literal
stream
size
291
name
Macros/UserForm1/\x03VBFrame
sid
39
type_literal
stream
size
131
name
Macros/UserForm1/f
sid
36
type_literal
stream
size
56
name
Macros/UserForm1/o
sid
37
type_literal
stream
size
97
name
Macros/UserForm2/\x01CompObj
sid
43
type_literal
stream
size
291
name
Macros/UserForm2/\x03VBFrame
sid
44
type_literal
stream
size
131
name
Macros/UserForm2/f
sid
41
type_literal
stream
size
56
name
Macros/UserForm2/o
sid
42
type_literal
stream
size
97
name
Macros/UserForm3/\x01CompObj
sid
48
type_literal
stream
size
291
name
Macros/UserForm3/\x03VBFrame
sid
49
type_literal
stream
size
303
name
Macros/UserForm3/f
sid
46
type_literal
stream
size
340
name
Macros/UserForm3/o
sid
47
type_literal
stream
size
4166
type
macro
name
Macros/VBA/A0007
sid
25
type_literal
stream
size
4520
type
macro
name
Macros/VBA/FILE6
sid
19
type_literal
stream
size
1598
type
macro
name
Macros/VBA/IDL3
sid
22
type_literal
stream
size
4486
type
macro
name
Macros/VBA/IDL4
sid
16
type_literal
stream
size
1482
type
macro
name
Macros/VBA/OIDL8
sid
10
type_literal
stream
size
5768
type
macro
name
Macros/VBA/PIDLE0
sid
13
type_literal
stream
size
1578
type
macro
name
Macros/VBA/ThisDocument
sid
7
type_literal
stream
size
1190
type
macro (only attributes)
name
Macros/VBA/UserForm1
sid
28
type_literal
stream
size
1190
type
macro (only attributes)
name
Macros/VBA/UserForm2
sid
29
type_literal
stream
size
1189
type
macro (only attributes)
name
Macros/VBA/UserForm3
sid
30
type_literal
stream
size
6054
name
Macros/VBA/_VBA_PROJECT
sid
31
type_literal
stream
size
5251
name
Macros/VBA/__SRP_0
sid
33
type_literal
stream
size
992
name
Macros/VBA/__SRP_1
sid
34
type_literal
stream
size
538
name
Macros/VBA/__SRP_2
sid
8
type_literal
stream
size
156
name
Macros/VBA/__SRP_3
sid
9
type_literal
stream
size
999
name
Macros/VBA/__SRP_4
sid
14
type_literal
stream
size
672
name
Macros/VBA/__SRP_5
sid
15
type_literal
stream
size
965
name
Macros/VBA/__SRP_6
sid
17
type_literal
stream
size
322
name
Macros/VBA/__SRP_7
sid
18
type_literal
stream
size
1402
name
Macros/VBA/__SRP_8
sid
26
type_literal
stream
size
178
name
Macros/VBA/__SRP_9
sid
27
type_literal
stream
size
321
name
Macros/VBA/__SRP_a
sid
11
type_literal
stream
size
156
name
Macros/VBA/__SRP_b
sid
12
type_literal
stream
size
1617
name
Macros/VBA/__SRP_c
sid
20
type_literal
stream
size
222
name
Macros/VBA/__SRP_d
sid
21
type_literal
stream
size
401
name
Macros/VBA/__SRP_e
sid
23
type_literal
stream
size
184
name
Macros/VBA/__SRP_f
sid
24
type_literal
stream
size
1078
name
Macros/VBA/dir
sid
32
type_literal
stream
size
4096
name
WordDocument
sid
2
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 33 bytes
[+] OIDL8.bas Macros/VBA/OIDL8 83 bytes
[+] PIDLE0.bas Macros/VBA/PIDLE0 2560 bytes
exe-pattern obfuscated run-dll
[+] IDL4.bas Macros/VBA/IDL4 1079 bytes
[+] FILE6.bas Macros/VBA/FILE6 1088 bytes
create-ole open-file
[+] IDL3.bas Macros/VBA/IDL3 182 bytes
[+] A0007.bas Macros/VBA/A0007 1892 bytes
handle-file open-file write-file
ExifTool file metadata
SharedDoc
No

Author
1

CodePage
Windows Cyrillic

LinksUpToDate
No

LastModifiedBy
Windows

HeadingPairs
, 1

Template
Normal

CharCountWithSpaces
0

CreateDate
2015:01:19 16:07:00

CompObjUserType
???????? Microsoft Word 97-2003

ModifyDate
2015:04:01 06:27:00

HyperlinksChanged
No

Characters
0

ScaleCrop
No

RevisionNumber
733

MIMEType
application/msword

Words
0

FileType
DOC

Lines
0

AppVersion
14.0

Security
None

Software
Microsoft Office Word

TotalEditTime
6.2 hours

Pages
1

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
0

File identification
MD5 b1fd5d7406663c144a220fb6e20910de
SHA1 d22a3047e476e555332ff1c790fbac4504a218c6
SHA256 6b1fc004ea10583c73fde292f02b7e764c5be5012a950e6c9bd135ca98eb6ecc
ssdeep
1536:WiftqWeipGMHAze+7uxZLIjD10odxWgTG:xFq/pMHAzeMuxZLIjD10cxWgTG

File size 84.0 KB ( 86016 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal, Last Saved By: ������������ Windows, Revision Number: 733, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:14:00, Create Time/Date: Sun Jan 18 16:07:00 2015, Last Saved Time/Date: Sat Feb 28 06:27:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated open-file handle-file exe-pattern doc macros run-dll attachment write-file create-ole

VirusTotal metadata
First submission 2015-04-01 08:03:44 UTC ( 2 years, 1 month ago )
Last submission 2016-11-11 21:30:40 UTC ( 6 months, 2 weeks ago )
File names a0f1477aea1a5b5f3da2af8fe4626f49
CIH Delivery Note 0051037484.doc
20150401_Sales_Order_6100152.doc
175f65010e8e0c80bd42e504c52cb21b
54709e23e58dec59ef73e118f2178d51
CIHXDeliveryXNoteX0051037484.doc
Copy_3_of_CIH_Delivery_Note_0051037484.doc
f2500c9936b6b7a2d46100d1fe5bfa04
CIH Delivery Note 0051037484(2).doc
45857b5051ce88022391115aec355f29
b117e3dd0eb9e2b7f449566bb1e5e236
Sales_Order_6100152.doc
attachment.doc