SHA256: 7db49013954e8864a5ad8bb6189ee7ab3917efff426b4e07670a335c68280bdb
File name: S-INV-CREATIFX-465219-3.doc
Detection ratio: 3 / 57
Analysis date: 2015-01-15 09:42:17 UTC ( 2 years, 9 months ago )
Antivirus Result Update
AVG W97M/Downloader 20150114
Kaspersky Trojan-Downloader.MSWord.Agent.dw 20150115
McAfee W97M/Downloader.abv 20150115
Ad-Aware 20150115
AegisLab 20150115
Yandex 20150114
AhnLab-V3 20150115
Alibaba 20150115
ALYac 20150115
Antiy-AVL 20150115
Avast 20150115
Avira (no cloud) 20150115
AVware 20150115
Baidu-International 20150115
BitDefender 20150115
Bkav 20150114
ByteHero 20150115
CAT-QuickHeal 20150115
ClamAV 20150115
CMC 20150113
Comodo 20150115
Cyren 20150115
DrWeb 20150115
Emsisoft 20150115
ESET-NOD32 20150115
F-Prot 20150115
F-Secure 20150115
Fortinet 20150115
GData 20150115
Ikarus 20150115
Jiangmin 20150114
K7AntiVirus 20150115
K7GW 20150114
Kingsoft 20150115
Malwarebytes 20150115
McAfee-GW-Edition 20150115
Microsoft 20150115
eScan 20150115
NANO-Antivirus 20150115
Norman 20150115
nProtect 20150115
Panda 20150114
Qihoo-360 20150115
Rising 20150114
Sophos AV 20150115
SUPERAntiSpyware 20150115
Symantec 20150115
Tencent 20150115
TheHacker 20150112
TotalDefense 20150114
TrendMicro 20150115
TrendMicro-HouseCall 20150115
VBA32 20150115
VIPRE 20150115
ViRobot 20150115
Zillya 20150115
Zoner 20150114
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
Automatically runs commands or instructions when the file is opened.
May read system environment variables.
May try to run other files, shell commands or applications.
May execute code from Dynamically Linked Libraries.
May try to download additional files from the Internet.
Seems to contain deobfuscation code.
Summary
last_author: 1
creation_datetime: 2014-11-24 11:12:00
template: Normal.dot
author: 1
page_count: 1
last_saved: 2014-11-24 11:27:00
edit_time: 360
revision_number: 4
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
line_count: 1
version: 730895
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, type_literal: root, clsid: 00020906-0000-0000-c000-000000000046, clsid_literal: MS Word, sid: 0, size: 4928
name: \x01CompObj, type_literal: stream, sid: 12, size: 113
name: \x05DocumentSummaryInformation, type_literal: stream, sid: 4, size: 4096
name: \x05SummaryInformation, type_literal: stream, sid: 3, size: 4096
name: 1Table, type_literal: stream, sid: 1, size: 4096
name: Macros/PROJECT, type_literal: stream, sid: 11, size: 438
name: Macros/PROJECTwm, type_literal: stream, sid: 10, size: 41
name: Macros/VBA/ThisDocument, type_literal: stream, type: macro, sid: 7, size: 16411
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, sid: 8, size: 3663
name: Macros/VBA/dir, type_literal: stream, sid: 9, size: 514
name: WordDocument, type_literal: stream, sid: 2, size: 4142
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 7175 bytes
auto-open download environ obfuscated run-dll run-file
ExifTool file metadata
SharedDoc: No
Author: 1
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: 1
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 0
CreateDate: 2014:11:24 10:12:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2014:11:24 10:27:00
HyperlinksChanged: No
Characters: 0
ScaleCrop: No
RevisionNumber: 4
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 1
AppVersion: 11.9999
Security: None
Software: Microsoft Office Word
TotalEditTime: 6.0 minutes
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1

Compressed bundles
File identification
MD5 b2356ce5a8f311df482d5b2a92e567ff
SHA1 7417f3b9d28457998f0a0a3af2d1a92060cb4c92
SHA256 7db49013954e8864a5ad8bb6189ee7ab3917efff426b4e07670a335c68280bdb
ssdeep
384:NfPRkwBLmYpF59eVqiqaMmBy0BRTHYCZ0jvCNTj9Dy0NtuZv:Zp9LmYpcUIHByuRTv8CNFtWB

File size 41.5 KB ( 42496 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dot, Last Saved By: 1, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:00, Create Time/Date: Sun Nov 23 10:12:00 2014, Last Saved Time/Date: Sun Nov 23 10:27:00 2014, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (45.7%)
Microsoft Excel sheet (42.8%)
Generic OLE2 / Multistream Compound File (11.4%)
Tags
obfuscated run-file auto-open doc macros run-dll environ attachment download

VirusTotal metadata
First submission 2015-01-15 07:36:45 UTC ( 2 years, 9 months ago )
Last submission 2017-07-25 18:49:11 UTC ( 2 months, 3 weeks ago )
File names S-INV-CREATIFX-465219.doc
file-7919119_doc
b2356ce5a8f311df482d5b2a92e567ff.doc
S-INV-CREATIFX-465219.doc
11fe636069087edaa8a5e7b8cc493494
contents
10b4e34f1306ddd38016587edc993d0b
292bdf8fcb3f95fd31267310cc9499d6
d77a1eb1299c718e00ba572b58263e71
d869b9a977a75850eb39119a3d2a1c9a
VirusShare_b2356ce5a8f311df482d5b2a92e567ff
b877ef94600c8c8e5b767293d50bc5ec
suspect.doc
8680428a387ed21b88f3e315854ea853
b37a8077c18124fb37d5c70cb28a6f4c
S-INV-CREATIFX-465219-3.doc
7417f3b9d28457998f0a0a3af2d1a92060cb4c92
f3b83512532fe1d9cfc18b558527d598
605f11a6fe35cdd368a77599a99502f5
e92ee13c8502f9545620598990ef1e7b
2aee67702963d661f743120b573821d0
440eff436e206a7b21b2698e5e466b2c