SHA256: 6d3694dbebbcdba2899603354f299fba7a7781c6bc092877354cd96e635b4a4b
File name: S-INV-CREATIFX-465219.doc
Detection ratio: 3 / 57
Analysis date: 2015-01-15 09:42:04 UTC ( 2 years, 5 months ago )
Antivirus Result Update
AVG W97M/Downloader 20150114
Kaspersky Trojan-Downloader.MSWord.Agent.dw 20150115
McAfee W97M/Downloader.abv 20150115
Ad-Aware 20150115
AegisLab 20150115
Yandex 20150114
AhnLab-V3 20150115
Alibaba 20150115
ALYac 20150115
Antiy-AVL 20150115
Avast 20150115
Avira (no cloud) 20150115
AVware 20150115
Baidu-International 20150115
BitDefender 20150115
Bkav 20150114
ByteHero 20150115
CAT-QuickHeal 20150115
ClamAV 20150115
CMC 20150113
Comodo 20150115
Cyren 20150115
DrWeb 20150115
Emsisoft 20150115
ESET-NOD32 20150115
F-Prot 20150115
F-Secure 20150115
Fortinet 20150115
GData 20150115
Ikarus 20150115
Jiangmin 20150114
K7AntiVirus 20150115
K7GW 20150114
Kingsoft 20150115
Malwarebytes 20150115
McAfee-GW-Edition 20150115
Microsoft 20150115
eScan 20150115
NANO-Antivirus 20150115
Norman 20150115
nProtect 20150115
Panda 20150114
Qihoo-360 20150115
Rising 20150114
Sophos 20150115
SUPERAntiSpyware 20150115
Symantec 20150115
Tencent 20150115
TheHacker 20150112
TotalDefense 20150114
TrendMicro 20150115
TrendMicro-HouseCall 20150115
VBA32 20150115
VIPRE 20150115
ViRobot 20150115
Zillya 20150115
Zoner 20150114
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
Automatically runs commands or instructions when the file is opened.
May read system environment variables.
May try to run other files, shell commands or applications.
May execute code from Dynamically Linked Libraries.
May try to download additional files from the Internet.
Seems to contain deobfuscation code.
Summary
last_author: 1
creation_datetime: 2014-11-24 11:12:00
template: Normal.dot
author: 1
page_count: 1
last_saved: 2014-11-24 11:26:00
edit_time: 360
revision_number: 7
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
line_count: 1
version: 730895
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry; type_literal: root; sid: 0; size: 9536; clsid: 00020906-0000-0000-c000-000000000046; clsid_literal: MS Word
name: \x01CompObj; type_literal: stream; sid: 16; size: 113
name: \x05DocumentSummaryInformation; type_literal: stream; sid: 4; size: 4096
name: \x05SummaryInformation; type_literal: stream; sid: 3; size: 4096
name: 1Table; type_literal: stream; sid: 1; size: 4096
name: Macros/PROJECT; type_literal: stream; sid: 15; size: 438
name: Macros/PROJECTwm; type_literal: stream; sid: 14; size: 41
name: Macros/VBA/ThisDocument; type_literal: stream; type: macro; sid: 7; size: 19256
name: Macros/VBA/_VBA_PROJECT; type_literal: stream; sid: 10; size: 3836
name: Macros/VBA/__SRP_0; type_literal: stream; sid: 12; size: 1497
name: Macros/VBA/__SRP_1; type_literal: stream; sid: 13; size: 194
name: Macros/VBA/__SRP_2; type_literal: stream; sid: 8; size: 2300
name: Macros/VBA/__SRP_3; type_literal: stream; sid: 9; size: 347
name: Macros/VBA/dir; type_literal: stream; sid: 11; size: 515
name: WordDocument; type_literal: stream; sid: 2; size: 4142
Macros and VBA code streams
ThisDocument.cls (stream Macros/VBA/ThisDocument), 7150 bytes
Tags: auto-open download environ obfuscated run-dll run-file
ExifTool file metadata
SharedDoc: No
Author: 1
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: 1
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 0
CreateDate: 2014:11:24 10:12:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2014:11:24 10:26:00
HyperlinksChanged: No
Characters: 0
ScaleCrop: No
RevisionNumber: 7
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 1
AppVersion: 11.9999
Security: None
Software: Microsoft Office Word
TotalEditTime: 6.0 minutes
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1

File identification
MD5 7071702019e845579cefd35724d87944
SHA1 22eb5c9516c48bae949693890edb15c743365fe6
SHA256 6d3694dbebbcdba2899603354f299fba7a7781c6bc092877354cd96e635b4a4b
ssdeep
384:mgIpWO03oQsGU38MWwBDaMmBqHEXzZVhPIXZ0jnBTj9Dy0UtSjKxTi:dm03oD+HBqHyZHcwBFt1wm

File size 49.5 KB ( 50688 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dot, Last Saved By: 1, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:00, Create Time/Date: Sun Nov 23 10:12:00 2014, Last Saved Time/Date: Sun Nov 23 10:26:00 2014, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (45.7%)
Microsoft Excel sheet (42.8%)
Generic OLE2 / Multistream Compound File (11.4%)
Tags
obfuscated run-file auto-open doc macros run-dll environ attachment download

VirusTotal metadata
First submission 2015-01-15 07:34:39 UTC ( 2 years, 5 months ago )
Last submission 2016-07-21 10:23:18 UTC ( 11 months, 1 week ago )
File names S-INV-CREATIFX-465219.doc
VirusShare_7071702019e845579cefd35724d87944
Live-Mal_macros.doc
suspect.doc
50688-7071702019e845579cefd35724d87944.doc