SHA256: 6ecc8c79c0f1d4579ac9e68aeeb538199b835a8f27d51643b85a386daa5ff33c
File name: doc4502094035.doc
Detection ratio: 36 / 55
Analysis date: 2016-12-20 13:45:39 UTC ( 3 months, 1 week ago )
Antivirus Result Update
Ad-Aware W97M.Downloader.ARM 20161220
AegisLab Macro.Gen!c 20161220
AhnLab-V3 W97M/Downloader 20161220
ALYac Trojan.Downloader.DOC.gen 20161220
Arcabit HEUR.VBA.Trojan.d 20161220
Avast VBA:Downloader-AKE [Trj] 20161220
AVG W97M/Downloader 20161220
Avira (no cloud) HEUR/Macro.Downloader 20161220
AVware Trojan-Downloader.W97M.Adnel.b (v) 20161220
Baidu VBA.Trojan-Downloader.Agent.xf 20161207
BitDefender W97M.Downloader.ARM 20161220
CAT-QuickHeal W97M.Dropper.TA 20161220
Cyren W97M/Downldr 20161220
DrWeb W97M.DownLoader.866 20161220
Emsisoft W97M.Downloader.ARM (B) 20161220
ESET-NOD32 VBA/TrojanDownloader.Agent.APX 20161220
F-Prot New or modified W97M/Downldr 20161220
F-Secure Trojan:W97M/MaliciousMacro.GEN 20161220
Fortinet WM/TrojanDownloader.JTSV!tr 20161220
GData W97M.Downloader.ARM 20161220
Ikarus Win32.Heuristic.Macro 20161220
McAfee W97M/Downloader.awb 20161220
McAfee-GW-Edition W97M/Downloader.awb 20161220
Microsoft TrojanDownloader:O97M/Adnel 20161220
eScan W97M.Downloader.ARM 20161220
NANO-Antivirus Trojan.Script.MLW.ebbuzw 20161220
Panda O97M/Downloader 20161219
Qihoo-360 virus.office.obfuscated.1 20161220
Rising Trojan.DL-Generic/Macro!1.A4C9 (classic) 20161220
Sophos Troj/DocDl-AUA 20161220
Symantec W97M.Downloader 20161220
Tencent Win32.Trojan-downloader.Agent.Pavs 20161220
TrendMicro W2KM_DRIDEX.BYX 20161220
TrendMicro-HouseCall W2KM_DRIDEX.BYX 20161220
VIPRE Trojan-Downloader.W97M.Adnel.b (v) 20161220
ViRobot W97M.S.Downloader.73216.H[h] 20161220
Alibaba 20161220
Antiy-AVL 20161220
Bkav 20161220
ClamAV 20161220
CMC 20161220
Comodo 20161220
CrowdStrike Falcon (ML) 20161024
Invincea 20161216
Jiangmin 20161220
K7AntiVirus 20161220
K7GW 20161220
Kaspersky 20161220
Kingsoft 20161220
Malwarebytes 20161220
nProtect 20161220
SUPERAntiSpyware 20161220
TheHacker 20161219
TotalDefense 20161220
Trustlook 20161220
VBA32 20161220
WhiteArmor 20161212
Yandex 20161220
Zillya 20161220
Zoner 20161220
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May open a file.
May write to a file.
May copy a file.
May create additional files.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author
Microsoft Office
creation_datetime
2016-01-25 09:09:00
template
Normal.dot
author
1
page_count
1
last_saved
2016-01-26 20:44:00
edit_time
840
word_count
1
revision_number
42
application_name
Microsoft Office Word
character_count
8
code_page
Cyrillic
Document summary
line_count
1
company
Home
characters_with_spaces
8
version
730895
paragraph_count
1
code_page
Cyrillic
OLE Streams
name: Root Entry; type_literal: root; clsid: 00020906-0000-0000-c000-000000000046; clsid_literal: MS Word; sid: 0; size: 7552
name: \x01CompObj; type_literal: stream; sid: 23; size: 113
name: \x05DocumentSummaryInformation; type_literal: stream; sid: 4; size: 4096
name: \x05SummaryInformation; type_literal: stream; sid: 3; size: 4096
name: 1Table; type_literal: stream; sid: 1; size: 4096
name: Macros/PROJECT; type_literal: stream; sid: 22; size: 538
name: Macros/PROJECTwm; type_literal: stream; sid: 21; size: 95
name: Macros/UserForm1/\x01CompObj; type_literal: stream; sid: 19; size: 97
name: Macros/UserForm1/\x03VBFrame; type_literal: stream; sid: 20; size: 291
name: Macros/UserForm1/f; type_literal: stream; sid: 17; size: 314
name: Macros/UserForm1/o; type_literal: stream; sid: 18; size: 364
name: Macros/VBA/Module2; type_literal: stream; type: macro; sid: 10; size: 37291
name: Macros/VBA/ThisDocument; type_literal: stream; type: macro; sid: 7; size: 1279
name: Macros/VBA/UserForm1; type_literal: stream; type: macro (only attributes); sid: 11; size: 1159
name: Macros/VBA/_VBA_PROJECT; type_literal: stream; sid: 12; size: 5893
name: Macros/VBA/__SRP_0; type_literal: stream; sid: 14; size: 1553
name: Macros/VBA/__SRP_1; type_literal: stream; sid: 15; size: 110
name: Macros/VBA/__SRP_2; type_literal: stream; sid: 8; size: 264
name: Macros/VBA/__SRP_3; type_literal: stream; sid: 9; size: 103
name: Macros/VBA/dir; type_literal: stream; sid: 13; size: 852
name: WordDocument; type_literal: stream; sid: 2; size: 4142
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 46 bytes
[+] Module2.bas Macros/VBA/Module2 20995 bytes
copy-file create-file create-ole obfuscated open-file write-file
ExifTool file metadata
SharedDoc
No

Author
1

CodePage
Windows Cyrillic

LinksUpToDate
No

LastModifiedBy
Microsoft Office

HeadingPairs
, 1

Template
Normal.dot

CharCountWithSpaces
8

CreateDate
2016:01:25 08:09:00

CompObjUserType
???????? Microsoft Office Word

ModifyDate
2016:01:26 19:44:00

Company
Home

HyperlinksChanged
No

Characters
8

ScaleCrop
No

RevisionNumber
42

MIMEType
application/msword

Words
1

FileType
DOC

Lines
1

AppVersion
11.9999

Security
None

Software
Microsoft Office Word

TotalEditTime
14.0 minutes

Pages
1

CompObjUserTypeLen
31

FileTypeExtension
doc

Paragraphs
1

File identification
MD5 408c40654a74751186497c35b2748716
SHA1 e6501eb75812bfeaaba62d4d749221eca83bb785
SHA256 6ecc8c79c0f1d4579ac9e68aeeb538199b835a8f27d51643b85a386daa5ff33c
ssdeep
768:ljdGPyj8ZI8n135PGMVr3iCSx0qv+MC5AeeKo1AfcCXSxfNp:xHm5/0/OW+MArJf76N

File size 71.5 KB ( 73216 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dot, Last Saved By: Microsoft Office, Revision Number: 42, Name of Creating Application: Microsoft Office Word, Total Editing Time: 14:00, Create Time/Date: Sun Jan 24 08:09:00 2016, Last Saved Time/Date: Mon Jan 25 19:44:00 2016, Number of Pages: 1, Number of Words: 1, Number of Characters: 8, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file doc copy-file create-file macros attachment write-file create-ole

VirusTotal metadata
First submission 2016-01-27 09:07:17 UTC ( 1 year, 2 months ago )
Last submission 2016-03-08 17:16:34 UTC ( 1 year ago )
File names 46f37f900821e8bc5f493e03bd2159d4
3a69ca0cbd8fa25eae25bbf72a23b2ae
0d48b09a4498be9fee9f3b8ce5b3d091
doc4502094035-02.doc
e03cf242edf574e80e6ae8f5230303a3
514ff7bae1392f0e397f752860540587
doc4502094035.doc
6ecc8c79c0f1d4579ac9e68aeeb538199b835a8f27d51643b85a386daa5ff33c.bin
c3bf4ab1de31a03e2319c96964f5eb5f
6d92f34a5dfd9e9b47696850e061d184
20a790a836fd4579c528c6d1b2e8bc11