SHA256: 7f348f03207df2d6b106449c67b4515c89405b1ebff769ca9a06b8752540b349
File name: Invoice IN278577 (emailed 2015-05-21).doc
Detection ratio: 41 / 55
Analysis date: 2017-04-09 21:17:25 UTC ( 2 months, 2 weeks ago )
Antivirus Result Update
Ad-Aware Trojan.Msword.NRR 20170409
AegisLab Troj.Msword.Nrr!c 20170409
AhnLab-V3 W97M/Downloader 20170409
ALYac Trojan.Msword.NRR 20170409
Antiy-AVL Trojan/MSOffice.gen 20170409
Avast VBA:Downloader-AP [Trj] 20170409
AVG Downloader.Generic_c.KGZ 20170409
Avira (no cloud) WM/Donoff.49920 20170409
AVware LooksLike.Macro.Malware.g (v) 20170409
Baidu MSWord.Trojan-Downloader.Agent.w 20170406
BitDefender Trojan.Msword.NRR 20170409
CAT-QuickHeal W97M.Dropper.GA 20170407
ClamAV Doc.Macro.ObfuscatedHeuristic-5931994-0 20170409
Comodo UnclassifiedMalware 20170409
Cyren W97M/Donoff 20170409
DrWeb W97M.DownLoader.372 20170409
Emsisoft Trojan.Msword.NRR (B) 20170409
ESET-NOD32 VBA/TrojanDownloader.Agent.RY 20170409
F-Prot New or modified W97M/Donoff 20170409
F-Secure Trojan:W97M/MaliciousMacro.GEN 20170409
Fortinet WM/Agent.RY!tr.dldr 20170409
GData Trojan.Msword.NRR 20170409
Ikarus Trojan-Downloader.VBA.Agent 20170409
Jiangmin WM/Downloader.Agent.kp 20170409
K7AntiVirus Trojan ( 0001140e1 ) 20170409
K7GW Trojan ( 0001140e1 ) 20170409
Kaspersky Trojan-Downloader.MSWord.Agent.kp 20170409
McAfee W97M/Downloader.ahe 20170409
McAfee-GW-Edition W97M/Downloader.ahe 20170409
Microsoft TrojanDownloader:W97M/Donoff 20170409
eScan Trojan.Msword.NRR 20170409
NANO-Antivirus Trojan.Script.Agent.dsgamf 20170409
Panda W97M/Downloader 20170409
Qihoo-360 heur.macro.encodefeature.d 20170409
Rising Heur.Macro.Downloader.e (classic) 20170409
Sophos Troj/DocDl-ON 20170409
Symantec W97M.Downloader 20170409
Tencent Word.Trojan-downloader.Agent.Hwcp 20170409
VIPRE LooksLike.Macro.Malware.g (v) 20170409
ViRobot W97M.S.Downloader.81920.E[h] 20170409
ZoneAlarm by Check Point Trojan-Downloader.MSWord.Agent.kp 20170409
Alibaba 20170407
Arcabit 20170409
Bkav 20170408
CMC 20170409
CrowdStrike Falcon (ML) 20170130
Endgame 20170407
Invincea 20170203
Kingsoft 20170409
Malwarebytes 20170409
nProtect 20170409
Palo Alto Networks (Known Signatures) 20170409
SentinelOne (Static ML) 20170330
SUPERAntiSpyware 20170409
Symantec Mobile Insight 20170406
TheHacker 20170406
TotalDefense 20170409
Trustlook 20170409
VBA32 20170407
Webroot 20170409
WhiteArmor 20170409
Yandex 20170406
Zillya 20170407
Zoner 20170409
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May open a file.
May write to a file.
May create additional files.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: GN
creation_datetime: 2015-05-22 07:56:00
template: Normal.dot
author: 1
page_count: 1
last_saved: 2015-05-22 07:56:00
revision_number: 2
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
line_count: 1
version: 730895
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
28096
type_literal
stream
size
113
name
\x01CompObj
sid
35
type_literal
stream
size
4096
name
\x05DocumentSummaryInformation
sid
4
type_literal
stream
size
4096
name
\x05SummaryInformation
sid
3
type_literal
stream
size
6623
name
1Table
sid
1
type_literal
stream
size
734
name
Macros/PROJECT
sid
34
type_literal
stream
size
179
name
Macros/PROJECTwm
sid
33
type_literal
stream
size
4634
type
macro
name
Macros/VBA/M11
sid
8
type_literal
stream
size
3820
type
macro
name
Macros/VBA/M3
sid
17
type_literal
stream
size
1189
type
macro (only attributes)
name
Macros/VBA/M3F1
sid
23
type_literal
stream
size
3052
type
macro
name
Macros/VBA/Module1
sid
11
type_literal
stream
size
5900
type
macro
name
Macros/VBA/Module1F3
sid
26
type_literal
stream
size
6262
type
macro
name
Macros/VBA/Module2
sid
14
type_literal
stream
size
3474
type
macro
name
Macros/VBA/Module3
sid
20
type_literal
stream
size
2073
type
macro
name
Macros/VBA/ThisDocument
sid
7
type_literal
stream
size
8059
name
Macros/VBA/_VBA_PROJECT
sid
29
type_literal
stream
size
3896
name
Macros/VBA/__SRP_0
sid
31
type_literal
stream
size
391
name
Macros/VBA/__SRP_1
sid
32
type_literal
stream
size
74
name
Macros/VBA/__SRP_10
sid
24
type_literal
stream
size
66
name
Macros/VBA/__SRP_11
sid
25
type_literal
stream
size
952
name
Macros/VBA/__SRP_2
sid
9
type_literal
stream
size
214
name
Macros/VBA/__SRP_3
sid
10
type_literal
stream
size
197
name
Macros/VBA/__SRP_4
sid
16
type_literal
stream
size
758
name
Macros/VBA/__SRP_5
sid
15
type_literal
stream
size
554
name
Macros/VBA/__SRP_6
sid
12
type_literal
stream
size
167
name
Macros/VBA/__SRP_7
sid
13
type_literal
stream
size
714
name
Macros/VBA/__SRP_a
sid
18
type_literal
stream
size
142
name
Macros/VBA/__SRP_b
sid
19
type_literal
stream
size
574
name
Macros/VBA/__SRP_c
sid
21
type_literal
stream
size
144
name
Macros/VBA/__SRP_d
sid
22
type_literal
stream
size
105
name
Macros/VBA/__SRP_e
sid
28
type_literal
stream
size
2744
name
Macros/VBA/__SRP_f
sid
27
type_literal
stream
size
1000
name
Macros/VBA/dir
sid
30
type_literal
stream
size
4151
name
WordDocument
sid
2
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 94 bytes
[+] M11.bas Macros/VBA/M11 887 bytes
create-file create-ole obfuscated open-file write-file
[+] Module1.bas Macros/VBA/Module1 623 bytes
[+] Module2.bas Macros/VBA/Module2 1720 bytes
obfuscated open-file
[+] M3.bas Macros/VBA/M3 893 bytes
[+] Module3.bas Macros/VBA/Module3 824 bytes
[+] Module1F3.bas Macros/VBA/Module1F3 1356 bytes
obfuscated open-file
ExifTool file metadata
SharedDoc
No

Author
1

CodePage
Windows Cyrillic

LinksUpToDate
No

LastModifiedBy
GN

HeadingPairs
, 1

Template
Normal.dot

CharCountWithSpaces
0

CreateDate
2015:05:22 06:56:00

CompObjUserType
???????? Microsoft Office Word

ModifyDate
2015:05:22 06:56:00

HyperlinksChanged
No

Characters
0

ScaleCrop
No

RevisionNumber
2

MIMEType
application/msword

Words
0

FileType
DOC

Lines
1

AppVersion
11.9999

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

CompObjUserTypeLen
31

FileTypeExtension
doc

Paragraphs
1

Compressed bundles
File identification
MD5 98c3a42b0d958333a4108e04f10d441f
SHA1 a17e7c936899b9124eaabfce41c37626b821ab77
SHA256 7f348f03207df2d6b106449c67b4515c89405b1ebff769ca9a06b8752540b349
ssdeep
768:dsNvDUgiZo0WQXIFM6uR85Mw7h5xAcUTcDg7oTbbM/hQlyADCMGdMUGiYF:dstCcFH17N2IwhQMCX

File size 80.0 KB ( 81920 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dot, Last Saved By: GN, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 21 06:56:00 2015, Last Saved Time/Date: Thu May 21 06:56:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file doc create-file macros attachment write-file create-ole

VirusTotal metadata
First submission 2015-05-22 09:48:05 UTC ( 2 years, 1 month ago )
Last submission 2017-02-21 21:24:48 UTC ( 4 months ago )
File names 53cd6e14e565777459f12ec75b064a9d
Invoice IN278577 (emailed 2015-05-21).dxc.bad
8d4807ae457e6f3c7d6ddfbb5cf12dbd
Invoice IN278577 (emailed 2015-05-21).doc
a31fee3e8191b99986e3faaa975c4521
84474750524-9-4_attach.1.Invoice IN278577 (emailed 2015-05-21).doc
f54aca84a586b0653a69b8e5cf94e6c9
Invoice_IN278577__emailed_2015_05_21_.doc
7ed2de8a943e929b5978cf4641dd6890
ab3db787cb888f03b1cc8560757a34b4
cdda65f34e554665eb167d98f213f9c1
677509.doc
54c6190ed874d2e74d58089b575d7c50
Invoice IN278577 (emailed 2015-05-21).doc