SHA256: 8490ebb1fe6ff8acd8c1f43725f3a75cc1232b20926d3c83a7c5f39666735840
File name: order_16358088.doc
Detection ratio: 8 / 55
Analysis date: 2016-04-05 16:17:40 UTC ( 1 year, 3 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20160405
AVware LooksLike.Macro.Malware.k (v) 20160405
ESET-NOD32 Win32/PSW.Fareit.A 20160405
Fortinet WM/Agent!tr 20160404
Ikarus Trojan-Dropper.VBA.Agent 20160405
Qihoo-360 virus.office.obfuscated.1 20160405
Rising PE:Malware.Generic/QRS!1.9E2D [F] 20160405
VIPRE LooksLike.Macro.Malware.k (v) 20160405
Ad-Aware 20160405
AegisLab 20160405
AhnLab-V3 20160405
Alibaba 20160405
ALYac 20160405
Antiy-AVL 20160405
Avast 20160405
AVG 20160405
Baidu 20160405
Baidu-International 20160405
BitDefender 20160405
Bkav 20160405
CAT-QuickHeal 20160405
ClamAV 20160404
CMC 20160404
Comodo 20160404
Cyren 20160405
DrWeb 20160405
Emsisoft 20160405
F-Prot 20160405
F-Secure 20160405
GData 20160405
Jiangmin 20160405
K7AntiVirus 20160405
K7GW 20160404
Kaspersky 20160405
Kingsoft 20160405
Malwarebytes 20160405
McAfee 20160405
McAfee-GW-Edition 20160405
Microsoft 20160405
eScan 20160405
NANO-Antivirus 20160405
nProtect 20160405
Panda 20160405
Sophos AV 20160405
SUPERAntiSpyware 20160405
Symantec 20160331
Tencent 20160405
TheHacker 20160405
TrendMicro 20160405
TrendMicro-HouseCall 20160405
VBA32 20160405
ViRobot 20160405
Yandex 20160405
Zillya 20160405
Zoner 20160405
The file being studied follows the Compound Document File format. More specifically, it is an MS Word document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
Automatically runs commands or instructions when the file is opened.
May read system environment variables.
May open a file.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
creation_datetime: 2016-04-05 12:34:00
template: Normal.dotm
page_count: 1
last_saved: 2016-04-05 13:45:00
word_count: 6
revision_number: 1
application_name: Microsoft Office Word
character_count: 36
code_page: Cyrillic
Document summary
line_count: 1
characters_with_spaces: 41
version: 983040
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, type_literal: root, clsid: 00020906-0000-0000-c000-000000000046, clsid_literal: MS Word, sid: 0, size: 7296
name: \x01CompObj, type_literal: stream, sid: 18, size: 114
name: \x05DocumentSummaryInformation, type_literal: stream, sid: 9, size: 284
name: \x05SummaryInformation, type_literal: stream, sid: 8, size: 404
name: 1Table, type_literal: stream, sid: 7, size: 8600
name: Data, type_literal: stream, sid: 1, size: 17156
name: Macros/PROJECT, type_literal: stream, sid: 17, size: 484
name: Macros/PROJECTwm, type_literal: stream, sid: 16, size: 65
name: Macros/VBA/Module1, type_literal: stream, type: macro, sid: 13, size: 2025
name: Macros/VBA/ThisDocument, type_literal: stream, type: macro, sid: 12, size: 4322
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, sid: 14, size: 3039
name: Macros/VBA/dir, type_literal: stream, sid: 15, size: 565
name: ObjectPool/_1521383481/\x01Ole10Native, type_literal: stream, sid: 6, size: 115398
name: ObjectPool/_1521383481/\x03ObjInfo, type_literal: stream, sid: 5, size: 6
name: WordDocument, type_literal: stream, sid: 2, size: 4142
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 1159 bytes
auto-open create-ole environ obfuscated open-file
[+] Module1.bas Macros/VBA/Module1 404 bytes
run-file
ExifTool file metadata
SharedDoc: No
HyperlinksChanged: No
LinksUpToDate: No
HeadingPairs: , 1
Template: Normal.dotm
CharCountWithSpaces: 41
CreateDate: 2016:04:05 11:34:00
Security: None
CompObjUserType: ???????? Microsoft Word 97-2003
ModifyDate: 2016:04:05 12:45:00
Characters: 36
Pages: 1
RevisionNumber: 1
MIMEType: application/msword
Words: 6
FileType: DOC
Lines: 1
AppVersion: 15.0
CodePage: Windows Cyrillic
Software: Microsoft Office Word
TotalEditTime: 0
ScaleCrop: No
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 1
File identification
MD5 e1a793070f3c607d1664c919a5568a04
SHA1 890bcfc95bc96665ebf0aa2b8df908b6d10de753
SHA256 8490ebb1fe6ff8acd8c1f43725f3a75cc1232b20926d3c83a7c5f39666735840
ssdeep 3072:k6IB9UkUJN2ClrWJ746A2C1yd+mElfNPNqJADuy5eAC6OYqdE:ABako2MrW492C1y8lPDPeAVOYME
File size 160.0 KB ( 163840 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Apr 04 11:34:00 2016, Last Saved Time/Date: Mon Apr 04 12:45:00 2016, Number of Pages: 1, Number of Words: 6, Number of Characters: 36, Security: 0
TrID Microsoft Word document (35.9%)
Microsoft Excel sheet (33.7%)
Microsoft Word document (old ver.) (21.3%)
Generic OLE2 / Multistream Compound File (8.9%)
Tags obfuscated open-file auto-open doc run-file macros environ attachment create-ole
VirusTotal metadata
First submission 2016-04-05 14:44:44 UTC ( 1 year, 3 months ago )
Last submission 2016-09-26 17:31:51 UTC ( 10 months ago )