SHA256: 854707acab9c84d12b822a4849ea298e2b2cc7f3d600533b7c13ce9a7c41709e
File name: invoice-1501383360.doc1
Detection ratio: 3 / 56
Analysis date: 2015-04-27 08:07:28 UTC ( 2 years ago )
Antivirus Result Update
GData Macro.Trojan-Downloader.Agent.EB@gen 20150427
McAfee W97M/Downloader.ago 20150427
McAfee-GW-Edition W97M/Downloader.ago 20150427
Ad-Aware 20150427
AegisLab 20150427
Yandex 20150426
AhnLab-V3 20150426
Alibaba 20150427
ALYac 20150427
Antiy-AVL 20150427
Avast 20150427
AVG 20150427
AVware 20150427
Baidu-International 20150426
BitDefender 20150427
Bkav 20150425
ByteHero 20150427
CAT-QuickHeal 20150427
ClamAV 20150427
CMC 20150423
Comodo 20150427
Cyren 20150427
DrWeb 20150427
Emsisoft 20150427
ESET-NOD32 20150427
F-Prot 20150427
F-Secure 20150426
Fortinet 20150426
Ikarus 20150427
Jiangmin 20150426
K7AntiVirus 20150427
K7GW 20150427
Kaspersky 20150427
Kingsoft 20150427
Malwarebytes 20150426
Microsoft 20150427
eScan 20150427
NANO-Antivirus 20150427
Norman 20150427
nProtect 20150424
Panda 20150424
Qihoo-360 20150427
Rising 20150426
Sophos 20150427
SUPERAntiSpyware 20150427
Symantec 20150427
Tencent 20150427
TheHacker 20150426
TotalDefense 20150426
TrendMicro 20150427
TrendMicro-HouseCall 20150427
VBA32 20150426
VIPRE 20150427
ViRobot 20150427
Zillya 20150426
Zoner 20150427
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May create OLE objects.
May execute code from Dynamically Linked Libraries.
Seems to contain deobfuscation code.
Summary
last_author: GN
creation_datetime: 2015-04-27 07:33:00
revision_number: 8
author: 1
page_count: 1
last_saved: 2015-04-27 07:35:00
edit_time: 120
template: Normal.dot
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
line_count: 1
version: 730895
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, type_literal: root, sid: 0, size: 10944, clsid: 00020906-0000-0000-c000-000000000046, clsid_literal: MS Word
name: \x01CompObj, type_literal: stream, sid: 19, size: 113
name: \x05DocumentSummaryInformation, type_literal: stream, sid: 4, size: 4096
name: \x05SummaryInformation, type_literal: stream, sid: 3, size: 4096
name: 1Table, type_literal: stream, sid: 1, size: 4184
name: Macros/PROJECT, type_literal: stream, sid: 18, size: 730
name: Macros/PROJECTwm, type_literal: stream, sid: 17, size: 182
name: Macros/VBA/AMOS, type_literal: stream, type: macro, sid: 14, size: 4372
name: Macros/VBA/CLAY, type_literal: stream, type: macro, sid: 9, size: 6040
name: Macros/VBA/CORNELIUS, type_literal: stream, type: macro, sid: 11, size: 4382
name: Macros/VBA/DEXTER, type_literal: stream, type: macro, sid: 13, size: 3692
name: Macros/VBA/LAMAR, type_literal: stream, type: macro, sid: 12, size: 6394
name: Macros/VBA/PERCY, type_literal: stream, type: macro, sid: 8, size: 2891
name: Macros/VBA/ROLANDO, type_literal: stream, type: macro, sid: 10, size: 7110
name: Macros/VBA/ThisDocument, type_literal: stream, type: macro, sid: 7, size: 2091
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, sid: 15, size: 9241
name: Macros/VBA/dir, type_literal: stream, sid: 16, size: 1064
name: WordDocument, type_literal: stream, sid: 2, size: 4151
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 82 bytes
[+] PERCY.bas Macros/VBA/PERCY 163 bytes
[+] CLAY.bas Macros/VBA/CLAY 1302 bytes
exe-pattern run-dll
[+] ROLANDO.bas Macros/VBA/ROLANDO 1927 bytes
handle-file open-file write-file
[+] CORNELIUS.bas Macros/VBA/CORNELIUS 564 bytes
exe-pattern obfuscated run-dll
[+] LAMAR.bas Macros/VBA/LAMAR 1592 bytes
exe-pattern run-dll
[+] DEXTER.bas Macros/VBA/DEXTER 940 bytes
create-ole open-file
[+] AMOS.bas Macros/VBA/AMOS 753 bytes
exe-pattern run-dll
ExifTool file metadata
SharedDoc: No
Author: 1
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: GN
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 0
CreateDate: 2015:04:27 06:33:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2015:04:27 06:35:00
HyperlinksChanged: No
Characters: 0
ScaleCrop: No
RevisionNumber: 8
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 1
AppVersion: 11.9999
Security: None
Software: Microsoft Office Word
TotalEditTime: 2.0 minutes
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1

Compressed bundles
File identification
MD5 5e2fbf3ef0e6d6c624b60f223a157546
SHA1 3effe209a85174fdec0224d7f06bdae4498e401a
SHA256 854707acab9c84d12b822a4849ea298e2b2cc7f3d600533b7c13ce9a7c41709e
ssdeep
768:wU/2KdX5AWkzyPSmHRZvAfwRzg/j4CHdEdDH9qqX7rpA:wU/FJhomHOcg4qK7F

File size 71.0 KB ( 72704 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dot, Last Saved By: GN, Revision Number: 8, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Sun Apr 26 06:33:00 2015, Last Saved Time/Date: Sun Apr 26 06:35:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file exe-pattern handle-file doc macros run-dll write-file create-ole

VirusTotal metadata
First submission 2015-04-27 08:07:28 UTC ( 2 years ago )
Last submission 2017-02-21 21:49:43 UTC ( 2 months ago )
File names 14.doc
invoice-1501383360.doc1